I think my site has been hacked. Please Help ASAP? (14 posts)

  1. jkrawitz
    Member
    Posted 2 years ago #

    I worked on both my company's site and a client's test site (temporarily hosted on my company's site.) My site: http://majormedialearning.com. My client's test site: http://majormedialearning.com/Valentinos
    I left the WP Dashboard up to finish editing a page, while I took a 1/2 hour break. The last thing I did before leaving my desk was to remove the page's featured image. It seemed to be taking a long time for this simple effort, so I didn't wait around to see what happened next. When I returned, both sites returned line after line of very bizarre code. I logged out of WP and logged back in, but the same lines of code popped up in both admin/edit mode and in direct url mode. Both sites are run on separate WP installs in separate folders, with separate usernames and passwords and independent databases.

    The strange messages even appear in the WP Dashboard. I'm posting what appeared above and within the WP Dashboard on my company site. The same thing happens with the client's temporary site, despite each running on a separate WP install. All of the notices refer to:

    "Use of undefined constant 'GetMama'"

    followed by a reference to a different WP php file each time.

    Please help! I have absolutely no idea what has happened or what to do now.

    Notice: Use of undefined constant GetMama - assumed 'GetMama' in /home/content/56/7040756/html/wp-includes/compat.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1

    Notice: Use of undefined constant GetMama - assumed 'GetMama' in /home/content/56/7040756/html/wp-includes/functions.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1

    [Remaining notices moderated]

  2. esmi
    Forum Moderator
    Posted 2 years ago #

  3. infosecschool
    Member
    Posted 2 years ago #

    You may be correct. See:

    http://www.pagelines.com/forum/discussion/18110/error-message-cannot-redeclare-getmama/p1

    Also, your error paste somehow messed up your question... Very difficult to respond...

  4. jkrawitz
    Member
    Posted 2 years ago #

    Thanks for the links. I just spent a very looooong time on the phone with GoDaddy. They've restored everything and convinced me to buy their site protection package. Cost $150 total, which seems exorbitant to me. If you use them, though, be sure to buy the site protection, as their server antivirus/malware doesn't stop this kind of thing. The virus most likely slipped in through a comment that I moderated, fwiw. That problem was supposed to have been fixed with 3.3.1, however, and that's what I have installed on both sites.

    Anybody know who at WP I should report this to?

  5. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    I still show your site with a virus.

    [edit] Ok the second time around.

    [edit] Not ok. Still has a trojan.

  6. jkrawitz
    Member
    Posted 2 years ago #

    Thanks VERY much for checking, kmessinger. Apparently GoDaddy's super spectacular site protection doesn't do much, as they just sent me a notice that the site passed their deep scan! How did you find the trojan and what can be done to get rid of it? Oh ... and does it have a name?

    Thanks again for your help.

  7. AeroWeb
    Member
    Posted 2 years ago #

    You're infected with the latest nasty WordPress virus. We had the same issue with one of the sites that we administer.

    First off, do not get any package from Godaddy, that will not help you at this point.

    Use this link to check if you are still infected:
    http://sitecheck.sucuri.net/results/majormedialearning.com
    Click the Re-scan button at the bottom of the page to refresh. Keep in mind that the scan only tests the home page and associated links that go from there, it does not take into account the wp-admin area.

    Every .js file on your website is infected. You are going to have to go in and delete one line of code from every .js file on the site. There is an easier way if you have SSH access turned on, if not go to your Godaddy control panel and turn it on. Run the following command:

    find . -type f -print0 | xargs -0 sed -i '/_0xa687/d'

    That command will find all files containing the partial string _0xa687 (which is the virus) and it will delete that line of code.

    If you just want to check for files that have that string without deleting the line, run this command:

    find . -exec grep -l "var _0xa687" {} \;

    Then clean up all the php files that have been infected. Run this find command:

    find . -exec grep -l "god_mod" {} \;

    That will find all files with the "god_mod" string. These files will also need to be cleaned up.

    Lastly, run this search:

    find . -exec grep -l "GetMama" {} \;

    The above searches for a partial string (GetMama) which was in my index.php file. You will need to delete the entire string, but be careful because it is on the same line as the beginning <?php tag. Make sure you leave the <?php tag in place.

    ************************************************************************
    Be careful with the commands, they are powerful. A mistype could cause havoc.
    ************************************************************************

    After you clean everything up, consider using something like the BulletProof Security plugin to tighten up security on the site.
    http://wordpress.org/extend/plugins/bulletproof-security/

    Here is link with more info on the virus: http://sucuri.net/new-malware-eval-getmama-encoded-javascript.html

  8. AeroWeb
    Member
    Posted 2 years ago #

    More info:

    The cause of this for us seems to be the timthumb security vulnerability. Take a look at the following links for more info:
    http://blog.vaultpress.com/2011/08/02/vulnerability-found-in-timthumb/
    http://blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html

    Timthumb is used in many plugins, we did a search for all files that contain the "ALLOW_EXTERNAL" constant using the following command:

    find . -exec grep -l "ALLOW_EXTERNAL" {} \;

    We opened the files from our search and changed:
    define( 'ALLOW_EXTERNAL', true );
    to
    define( 'ALLOW_EXTERNAL', false );

    Hopefully this will prevent future issues.

    Also, we found several other files that were either modified or created that need to be cleaned:

    wp-config.php - Last line starting with "if (isset($_REQUEST['FILE']))" needs to be deleted
    wp-admin/common.php - for us this entire file was a back door. Verify and delete
    wp-admin/js/config.php - same files as above just with a different name and in a different directory
    wp-admin/upd.php - Delete
    wp-content/upd.php - Delete

  9. jkrawitz
    Member
    Posted 2 years ago #

    You guys are fantastic! I honestly can't thank you enough. I'm absolutely furious with GoDaddy, since they were so insistent about their security scam, which ran on my site and literally awarded it their seal of approval!

    If I'm reading your information correctly, the .js files can be cleaned automatically using the procedure you outlined. But the .php files can only be found automatically, and must be cleaned up manually. Is that correct?

    Just to verify, as I understand it, the following files should be completely deleted.

    wp-admin/common.php - for us this entire file was a back door. Verify and delete
    wp-admin/js/config.php - same files as above just with a different name and in a different directory
    wp-admin/upd.php - Delete
    wp-content/upd.php - Delete

    I'm running two separate installations of WP on this site, with the second install contained in a subdirectory of the main site. Will I need to fix the two WP installs separately or will the first run-through pick up both?

    And what about the databases? GoDaddy just replaced them with their latest backup, which wouldn't help much if they were infected.

    Finally, a totally newbie question. Where and how do I run the commands you provided?

    Thank you, again, for all your help. This community is amazing!

  10. AeroWeb
    Member
    Posted 2 years ago #

    Let's first start with the client and commands. If you run Windows you will need to run the PuTTY client. Here is the link to the downloads page:
    http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
    Here is the direct download link for putty.exe:
    http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

    Once you download the client, run the putty.exe file. Input the main domain name of your website in the "Host Name or IP" field and make sure you have port 22 and SSH selected as a connection type and then click open.

    A DOS-like screen will open where you will be prompted for a username and password. You will use your main FTP username and password as login credentials. If it is your first login you will be prompted to say yes confirming the host's key.

    Once logged in, here are a few essential commands:
    ls -la (This lists files in the current directory)
    pwd (shows your current path)
    cd (change directory for example "cd html" will bring you to the main html folder)
    cd .. (go back up to the containing folder)
    rm filename (this will delete a file. Be careful because it does not prompt for confirmation and your file will be gone forever unless you have a backup)

    Before you do anything, make an FTP backup of your files. I know at this point the files are still infected, but at least you'll have a backup if one of the commands you run goes wrong.

    Our database appeared ok so we did not take any actions there. If you like you can export the database to your local computer and open the database file in a text editor and then just do a search for the keywords pertaining to the virus.

    You may have to use the cd command to go into the correct directory containing your site before you run any of the commands I posted above. Although the find command should be recursive.

    Yes, it should be safe to kill the files I listed for deletion but make sure you do a full backup just in case and it also would not hurt to open the file in a text editor and verify before you delete.

    As for the .php files you could try running the following to automatically fix them:

    find . -type f -print0 | xargs -0 sed -i '/god_mod/d'

    The command above essentially looks for the string "god_mod" and deletes the entire line that contains that string. However, I recommend first opening a few php files after you do your FTP backup and make sure that the virus code is on a line by itself, otherwise you might be deleting code that you need.

    Also don't forget to fix the last line of code in wp-config.php.

    Good luck!

  11. jkrawitz
    Member
    Posted 2 years ago #

    Thank you for the wonderfully clear directions. If you're not doing tech writing, you're a natural. Everything looks doable. Hopefully I won't need to come back with more questions. You've really been terrific!!

    Gratefully,
    J

  12. jay
    Member
    Posted 2 years ago #

    Any advice to replace <?php and a new line at the beginning of every php file?

    The deletion worked but also removed <?php from all my files.
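A defender-side equivalent of the find/grep/sed steps in posts 7, 8 and 10 that also avoids the problem jay describes in post 12 (the sed line delete taking the opening <?php tag with it). This is an added Python example, not code from the thread, from WordPress or from any plugin; the marker strings are the ones named in the thread, and the sample file contents are constructed.

```python
from pathlib import Path

# Marker strings named in this thread; the list is constructed from the posts above
# and should be extended for other variants of the infection.
INDICATORS = ("_0xa687", "god_mod", "GetMama", "if (isset($_REQUEST['FILE']))")
PHP_OPEN = "<?php"

# Constructed sample file contents (not real malware) used to exercise the functions.
SAMPLE_INDEX_PHP = "<?php GetMama_CONSTRUCTED_MARKER;\nrequire './wp-blog-header.php';\n"
SAMPLE_JS = "jQuery(document).ready(function(){});\nvar _0xa687 = ['constructed sample'];\n"
SAMPLE_WP_CONFIG = "<?php\ndefine('DB_NAME', 'example');\nif (isset($_REQUEST['FILE'])) { /* constructed */ }\n"

def find_indicator_lines(text):
    """Return [(line_number, indicator)] for every line carrying a known marker."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for ind in INDICATORS:
            if ind in line:
                hits.append((n, ind))
                break
    return hits

def clean_text(text):
    """Drop every line carrying a marker, like the sed '/.../d' step in the thread,
    but if the injected code shares a line with the opening <?php tag keep the tag
    so the file still parses. Returns (new_text, lines_removed, tags_preserved)."""
    out, removed, preserved = [], 0, 0
    for line in text.splitlines(keepends=True):
        if not any(ind in line for ind in INDICATORS):
            out.append(line)
            continue
        removed += 1
        if line.lstrip().startswith(PHP_OPEN):
            # Legitimate code that shared the line with the tag is lost here,
            # which is why a backup and a manual look at the file still matter.
            out.append(PHP_OPEN + "\n")
            preserved += 1
    return "".join(out), removed, preserved

def scan_tree(root):
    """Walk a WordPress install and map each infected .php/.js file to its marker lines."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in {".php", ".js"}:
            hits = find_indicator_lines(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings
```

Run scan_tree('.') from the document root and review the findings first; write clean_text's output back to a file only after the FTP backup the thread recommends.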

  13. RitaLorraine2
    Member
    Posted 2 years ago #

    Hi everyone,
    I'm a newbie to the forum but I've been using wordpress for a few years. As a matter of fact, my host is GoDaddy and I have 3 wordpress sites on their hosting site.

    Unfortunately, I've been slammed by this awful wordpress infection too. I tried uploading a plugin that would set the site to maintenance mode, but "settings" have been disabled. Like jkrawitz, Godaddy tried to sell me their site scanner, but I ignored them. Tried to get them to disable the site, but they couldn't do it; if they disable it, I won't be able to use it either.

    So, I take it that I'm on my own. First, thank you Aeroweb for the wonderful directions! They seem to be very easy. Just a few questions:

    1. Do I need to activate SSH on GoDaddy, then come back to my desktop and use the putty download link you indicated?

    2. Once the putty window opens up, will I be able to access files from my desktop?

    3. Someone told me I might be able to just export my data file from my wordpress site, then run a scan on it on my desktop to see if it's infected. Then, they said to delete wordpress (after saving my upload file), then do a fresh install of wordpress. After that, they told me to completely delete my theme and do a fresh install of the theme, too. They said this should get rid of the infection. Does that sound logical to you?

    Any help anyone can give me would be greatly appreciated!

    Rita Lorraine
    [sig moderated as per the Forum Rules]

  14. esmi
    Forum Moderator
    Posted 2 years ago #
