WordPress.org

Help Needed: Website Clean or Hacked? (11 posts)

  1. aSrGN
    Member
    Posted 2 years ago #

    Greetings,

    When I was browsing the php files of the Bueno theme via the Editor, I came across php files named like:
    4c52d29df0c6be00235e0dbe03afa9ec.php

    When I searched about it, many posts mentioned that it can be a malware backdoor. So I have scanned the website (www.cookingcookies.net) with every service that is possible (Sucuri and so on) and the results are all clean.

    But I am still uneasy. These php files with weird names are still there. Is the website hacked? What shall I do? Could deleting these weird-named files be a solution? Thanks!

  2. Patrick Nommensen
    Member
    Posted 2 years ago #

    [ removed text ]

    Disregard this please, I remembered hyper-cache files end in .dat and I didn't realize you said it shows up in the appearance--> edit.

  3. aSrGN
    Member
    Posted 2 years ago #

    Hi Patrick,

    I think they are inside the Bueno theme folder, because when I open Appearance > Editor in the WP admin panel, I see them. There are 5 php files with weird names in total. If possible, I can give a screenshot.

    I am really confused!

  4. aSrGN
    Member
    Posted 2 years ago #

    When I opened one of them, at the end of the page it says:

    eval(gzinflate(str_rot13(base64_decode($rhs))));
    ?>

    Isn't Eval a sort of malware code?

    And at the top of one, it says:

    <?php

    // ketek90@gmail.com
    // no malware on this code, you can check it by yourself ;-)

    @error_reporting(0);
    @set_time_limit(0);

  5. Patrick Nommensen
    Member
    Posted 2 years ago #

    WooThemes is a reputable source of themes, at least in my experience. I am 99% certain that file was not there when you downloaded the theme.

    If you navigate to /wp-content/themes/bueno can you find those files?

  6. aSrGN
    Member
    Posted 2 years ago #

    It is funny and weird!

    When I connect to the site via FTP, I have checked the /wp-content/themes/bueno and those files are nowhere to be found!

    But when I log into WP backend and when I open Appearance>Editor on WP admin panel, I still see them!

    What does it mean? I am so confused and stressed!

  7. aSrGN
    Member
    Posted 2 years ago #

    By the way, Patrick, I agree with you about WooThemes. And when I compare the original theme folder/files to folder/files on FTP there is no difference.

  8. Patrick Nommensen
    Member
    Posted 2 years ago #

    Yes, I am 99% sure that this is a malware script.

    Sources:

    http://blog.sucuri.net
    and more comprehensive...

    That file needs to be removed ASAP. Who's your hosting provider? You should get in touch with them and have them investigate. If you're with hostgator you can submit a ticket to their "security department" for further investigation.

    [Possible work solicitation removed.]

  9. aSrGN
    Member
    Posted 2 years ago #

    I have just written to our hosting provider (It is not HostGator) about this topic. Waiting for their answer now.

    I will keep this topic updated. Thank you!

    I was wondering how it happened. I have been using the same plugins for more than one year, and the same theme for more than one year. I always keep everything up to date. Is it this Timthumb issue that is mentioned almost everywhere?

    I happened to come across the file thumb.php and changed the code there to:

    define( 'ALLOW_EXTERNAL', false );

    and

    deleted everything inside the allowed-sites setting:

    $allowedSites = array();

  10. aSrGN
    Member
    Posted 2 years ago #

    Here is the link about this issue and its solution:

    http://www.agentwp.com/how-to-fix-the-security-issue-in-timthumb

  11. aSrGN
    Member
    Posted 2 years ago #

    I have contacted the hosting provider. They say they have found malicious code inside the site, some of it hiding inside the pictures. And they say that online scanning services cannot find those traces.

    I have asked a couple of questions and am waiting for the answers again.

    I have also discovered that the weird-named PHP files are inside:
    .../httpdocs/wp-content/themes/bueno/cache

    Is there a way to rescue the site without wiping it all out, only deleting the infected files or pictures or whatever?

    What kind of attack is that? I mean, what is its behavior? What does it do to the website visitor or the site itself exactly?

    And, if they wipe out the website and when I load the backup, if the backup is also infected, what will be the difference? Won't it be infected again?

    I am so confused, I will appreciate answers that will clear my mind a bit!
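
The thread names two indicators a defender can check for offline: the eval(gzinflate(str_rot13(base64_decode(...)))) chain found in post 4, hash-like file names in the theme's cache directory, and PHP code hidden inside image files as the host described in post 11. The following scanner is an added example, not code from the thread, from WooThemes or from WordPress; it builds a constructed sample theme tree in a temporary directory (the file names, the placeholder payload and the image headers are all made up here) and reports which files match which indicator, which is the kind of check a site owner can run over an FTP download when hosted scanners report clean.

```python
"""Added example: offline scan of a theme directory for the indicators
discussed in the thread. Sample files are constructed here, not real."""
import os
import re
import tempfile

# eval() fed by one or more decode/decompress calls, in any order.
EVAL_CHAIN = re.compile(
    r"eval\s*\(\s*((?:gzinflate|gzuncompress|gzdecode|str_rot13|base64_decode)\s*\(\s*)+",
    re.IGNORECASE,
)
# PHP open tag appearing inside a file that should be a plain image.
PHP_TAG = re.compile(rb"<\?php|<\?=")
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# 32 hex characters followed by .php, the md5-style naming seen in the thread.
OPAQUE_NAME = re.compile(r"^[0-9a-f]{32}\.php$")


def scan_file(path):
    """Return a list of indicator labels that apply to one file (empty if none)."""
    findings = []
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    if ext == ".php":
        text = data.decode("latin-1")  # never fails, keeps byte offsets 1:1
        if EVAL_CHAIN.search(text):
            findings.append("eval-of-decoded-payload")
        if OPAQUE_NAME.match(name):
            findings.append("hash-like filename")
    elif ext in IMAGE_EXT and PHP_TAG.search(data):
        findings.append("php-tag-in-image")
    return findings


def scan_tree(root):
    """Walk root and map relative path -> findings for every flagged file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            hits = scan_file(p)
            if hits:
                report[os.path.relpath(p, root).replace(os.sep, "/")] = hits
    return report


def build_sample_tree():
    """Create a constructed theme tree: one clean php file, one obfuscated
    file in cache/, one clean PNG and one JPEG with an embedded PHP tag."""
    root = tempfile.mkdtemp(prefix="theme_scan_demo_")
    samples = {
        "style.php": b"<?php echo 'benign theme helper';\n",
        "cache/4c52d29df0c6be00235e0dbe03afa9ec.php": (
            b"<?php\n@error_reporting(0);\n@set_time_limit(0);\n"
            b"$rhs='PAYLOAD_PLACEHOLDER';\n"  # constructed stand-in, not a real payload
            b"eval(gzinflate(str_rot13(base64_decode($rhs))));\n?>"
        ),
        "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "images/header.jpg": b"\xff\xd8\xff\xe0" + b"<?php /* constructed marker */ ?>",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for path, hits in sorted(scan_tree(demo_root).items()):
        print(f"{path}: {', '.join(hits)}")
```

Point scan_tree at a downloaded copy of wp-content/themes/<theme> (or the whole wp-content tree) and compare the flagged files against a fresh copy of the theme from its vendor; a match on the eval chain or a PHP tag inside an image is something to quarantine for the host to examine, not something a hosted URL scanner will see, since the files are never served as pages.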

Topic Closed

This topic has been closed to new replies.