WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] header.php was hacked (9 posts)

  1. asefrin
    Member
    Posted 3 months ago #

    I use WP 3.8 with wootheme empire and found this code in my Header.php:

    [hacked code removed - please do not post that here]

    I put a clean Header.php on the Server and seconds later the Header.php is changed again.

    Login with wp-admin is impossible. I can't get on my Installation anymore :-(

    Do you have a hint why the mallicious code is back again and where I can search?

    I have no clue, what the lines are doing.

    Thanks for help!

  2. jeanseinomarin
    Member
    Posted 3 months ago #

    Hi,

    I have the same problem, with the same code, on multiple websites (all my server is infected, the files named index.php, header.php, footer.php, login.php, page.php...).
    If I delete the code, it works, but I'm note sure that is the correct solution.

  3. iozuniga
    Member
    Posted 3 months ago #

    Exactly the same problem. WordPress 3.7.1.

    Regards,

  4. WPyogi
    Volunteer Moderator
    Posted 3 months ago #

  5. iozuniga
    Member
    Posted 3 months ago #

    WPyogi,

    Thanks for your tips. I'm aware of almost all the suggestions and of course I have backup files before the hack. BTW, it will be useless to restore them if I do not find first how the server was hacked.

    Apart from WP 3.7.1, I use on the same server Drupal 6.28 and maybe that is the problem since there is high risk security patch to 6.29.

    Any feedback from asefrin and jeanseinomarin will be highly appreciated.

    Regards,

  6. veselin
    Member
    Posted 3 months ago #

    It is not a Drupal or WP security problem. We run a server only with custom CMSs and this morning in almost all index.php files the same code was added. The attacker (I guess it was automated, because it happened very quickly) logged in FTP, downloaded the index.php file and uploaded the "patched" one. And this was repeated very quickly for all the sites from the server.

    We suspect that there is a virus/trojan that infects Win machines and collect saved FTP passwords. I have no other explanation so far. Check your FTP logs and see if there are suspicious FTP logins. Also, change the FTP passwords ASAP.

    You can also try to search in Google for parts of this code. When I first searched - there was only 1 match - this thread. Now there are several pages of infected web-sites.

    BR

  7. asefrin
    Member
    Posted 3 months ago #

    @Veselin: I think as well, that the attack is by FTP because the header.php file was immedeatly replaced by a new one and after the sixth time the variables $wp_axd4 was changed.
    Now the file is clean but I still have no access to WP.

    WP should be save because there are plugins for antivirus and login attemps are installed. The antivirus gave me the hint, where I have to look.

    @iozuniga: There is only a wp installation on the server, no Drupal.

    The problems started yesterday night, I tried to update nggallery to the newest version. After 10min my website was back, the plugin wasn't updated. This morning the update of the plugin finished without an error. But after that the website seems to work but without the plugin and no access to 'website\wp-admin'.

    @WPyogi: I've gone through most of the resources but couldn't find how the server was hacked.

  8. asefrin
    Member
    Posted 3 months ago #

    I've my dashboard back!

    I'm not sure if it is just a stupid incident but before my antivirus gave me the hint I tried to installed the latest version of nggallery. The update went wrong twice but this morning the installation finished without a problem. But I got a white screen instead of the wp Dashboard, when I left the plugin page.

    I still thought that the hacked header file causes that.
    So I just installed the complete theme again, no change. I repaired and optimized the wp installation, no change. I started to install wp again and before that I had to deactivate my plugins. Without dashboard I had to rename the plugin folder. Before deleting all wp files I just gave it a second try and my website was back. After reactivating the plugins one by one, I found out that nggallery causes the problem.

  9. asefrin
    Member
    Posted 3 months ago #

    I told NextGEN Gallery about my problems (WSOD) and after different actions here's the solution:

    I had to change the PHP limits.
    PHP Memory Limit : 128
    PHP Max Upload Size : 32M
    PHP Max Post Size : 32M

    Its working fine now.

    By the way... The support by Photocrati was great.

Reply

You must log in to post.

About this Topic