
Why are so many people getting hacked!? Has anyone found a good solution? (32 posts)

  1. dailyhubbub
    Member
    Posted 4 years ago #

    I have had
    <?php /**/ eval(base64_decode

    appear at the beginning of all my php files. Avast is detecting a trojan when I load my site which seems to be coming from an external site: news.hermison.com.

    Is anyone else having this combination of problems? Does anyone know an easy solution?

  2. flicksandbits
    Member
    Posted 4 years ago #

    I've had the same problem. I deleted that piece of script but there still seems to be some hidden (view the page source of your site, you'll probably find another script right at the bottom).

  3. dailyhubbub
    Member
    Posted 4 years ago #

    That piece of script is in literally every php file. Is there a quick way of removing it from all files, rather than opening every single one?

  4. dailyhubbub
    Member
    Posted 4 years ago #

    I'm thinking it might just be easier to do a fresh install of WordPress and of my theme. What's the best way to retrieve all my posts? I've exported my database. Is that the best place to find them?

  5. (Sips coffee, and thinks I'm sure going to regret this but here goes. Steps gingerly on top of the soap box.)

    Why? End user laziness, a healthy mix of stupidity, all wrapped together with a lack of personal responsibility.

    Wow, that was harsh. Still true though. If that's too harsh then read it as "Why? Lack of self education." and if any mod wishes to tone down the 2nd and 3rd paragraphs I won't object. :)

    Occasionally there is a legitimate bug in WordPress that gets exploited via a script. Once an exploit is out there, folks who have their own forums and their own groups write up how to take advantage of it.

    Sometimes the turnaround is less than a few hours. Other times someone locates a bug in some old unsupported version like 2.0.x and exploits that. Finding exploitable versions in the wild is as simple as running a Google search. Or just run the script to walk through any Google list that replies back from /wp-login.php, it's not hard.

    That's part of why WordPress.ORG has that built in notification system to let you know you need to upgrade. If I could change anything I would eliminate the auto-upgrade; it's not a bad idea and it works much more often than not. But it lets the end user off the hook for knowing how their blog works.

    The fact that WordPress is so easy to use and so popular is what makes it such a great target. The point of exploiting your site is not to bug you, it's to get the links that make these guys money on your site. The more links on more sites and ka-ching for the bad guys.

    Nothing is fool proof, and with enough time almost any site can be broken into. But if you keep up your code, if you follow best practices on your filesystem and database, learn how the system you are using works, then odds are good that you'll continue to be safe.

    If you can't/won't/are unable to learn this stuff, then look for a managed WordPress solution like WordPress.COM. That way you can focus on blogging and leave the geeky technical work to someone else.

  6. dailyhubbub
    Member
    Posted 4 years ago #

    What really p****s me off is that I opted to use WordPress to avoid all the complicated HTML web design geekery. I have so much respect for people that have the patience to learn all this stuff, but it's just not for me. And now this has happened and I'm having to spend a whole day trawling through forums and articles in order to learn what exactly is going on. So what exactly is the point in WordPress? I just can't believe it's so easy for hackers to get in and do this. The number of similar posts on here within the last few days is absolutely outrageous.

  7. Oh and on a more helpful note, THIS continues to be good advice.

  8. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    That piece of script is in literally every php file. Is there a quick way of removing it from all files, rather than opening every single one?

    What I've seen over and over, is that if all your php files got infected...you have 1 or 2 php files hidden on your server that shouldn't be there. Delete those files, clean everything, change all your passwords, and you should be fine. The way I found the hidden files was by viewing my server access logs. I checked the timestamp of a file that had been altered, then checked my access logs at that time to see what file was being pointed to.

    Then, here's the standard reading:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://www.snipe.net/2010/01/when-wordpress-gets-hacked/

    And when you're done:
    http://codex.wordpress.org/Hardening_WordPress

    There is no real easy way here...... In my opinion, the easiest thing to do is to keep a backup of everything on your server. Then if something goes really wrong, you can wipe the server and replace with the backup clean files.

  9. peteroliverdavies
    Member
    Posted 4 years ago #

    Same problem here... all files have been hacked.
    Do you also have a problem with your dashboard loading? Mine appears but then goes blank after a second or two. Simply adding the correct extension allows me to access the rest of the admin area (.../wp-admin/themes.php etc.) but the dashboard is not showing.

  10. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    @peteroliverdavies
    usually, reinstalling WP core files will at least get you back in

  11. dailyhubbub
    Member
    Posted 4 years ago #

    @peteroliverdavies

    Yep, same thing. It seems to load on my MacBook but it loads as though the CSS isn't working. On Windows, it appears for a second then goes blank.

  12. bottleneck
    Member
    Posted 4 years ago #

  13. dailyhubbub
    Member
    Posted 4 years ago #

    Ok, forgive me for being uneducated but I only just recently installed my theme. I haven't made many changes to it so rather than go through every file and then going through the standard reading, would it not be easier to reinstall wordpress, reinstall the theme, and then can I not somehow use my old database to get my posts back? I ran a search in the database, and can't find a trace of the code that's appearing in my php files. No doubt there are a million reasons why I can't or shouldn't do this, but thought I'd ask.

  14. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    @bottleneck....yeah I've cycled through those plugins.....honestly, they had no effect for me.

    @dailyhubbub I found the easiest way to clean was to reinstall all WP files, then clean the offending code from wp-config.php, then delete and reinstall all plugins, and do the same for the theme.

    Cleaning your wp-config.php file rather than replacing it will keep WP connected to your old DB. If you have any other software on your server besides WP, it'll all probably be infected too.

    Finally, look around for any rogue php files. Using the method I mentioned above works best for me. Often, people find a php file hidden away in their uploads folder or something.

  15. dailyhubbub
    Member
    Posted 4 years ago #

    Ok, I will do that. Thanks everyone for your help.

    Can someone give me a little crash course in looking at my access log. Not really sure how to find the rogue files

  16. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    I had no idea what I was looking at either. What I did was, for example, my header.php file was altered at 05:22am on 12/22/09 so I looked at my access logs for that date, and looked at that exact time. I saw an entry on it that referred to header.php, and then had some other info on the same line. The rest of the info didn't mean a lot to me, other than it gave a location of a file that had POSTed to my header.php at that exact time. So I could track down the file, examine its code, realize it looked suspicious, and delete it.
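    The access-log correlation described in posts 8 and 16 (take the modification time of a file that was altered, then look at what was requested at that moment and find the script that was being POSTed to) can be scripted. The block below is an added example, not code from the thread or from WordPress; it is written in Python and parses Apache "combined" format. The log lines are constructed for the example (documentation IP ranges, illustrative paths), the two-minute window and the list of scripts WordPress legitimately receives POSTs on are my assumptions, and the uploads-folder web shell in the sample stands in for the rogue file the posts describe.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in Apache "combined" format (documentation IP ranges,
# illustrative paths); it is not a log from any site in the thread.
SAMPLE_LOG = """\
198.51.100.23 - - [22/Dec/2009:05:19:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Dec/2009:05:21:58 +0000] "GET /wp-content/uploads/2009/12/img.php HTTP/1.1" 200 14 "-" "Mozilla/4.0"
203.0.113.9 - - [22/Dec/2009:05:22:01 +0000] "POST /wp-content/uploads/2009/12/img.php HTTP/1.1" 200 14 "-" "Mozilla/4.0"
198.51.100.23 - - [22/Dec/2009:05:22:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.50 - - [22/Dec/2009:06:10:11 +0000] "GET /feed/ HTTP/1.1" 200 9800 "-" "FeedFetcher"
"""

# One "combined" log line: ip ident user [timestamp] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Scripts WordPress itself expects to receive POSTs (assumed list). Anything
# else taking a POST right before a file changed is worth opening.
EXPECTED_POST_TARGETS = {
    "/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php", "/wp-cron.php",
}


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


def mtime_iso(path):
    """Modification time of a file on disk as an ISO-8601 string in UTC."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc).isoformat()


def requests_near(log_text, when_iso, window_minutes=2):
    """All requests within +/- window of the given time (ISO-8601 with offset)."""
    centre = datetime.fromisoformat(when_iso)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and abs(rec["ts"] - centre) <= window:
            hits.append(rec)
    return hits


def webshell_candidates(log_text, when_iso, window_minutes=2):
    """Paths that were POSTed to near the modification time and are not scripts
    WordPress expects POSTs on. These are the files to go and read."""
    paths = set()
    for rec in requests_near(log_text, when_iso, window_minutes):
        if rec["method"] != "POST":
            continue
        if rec["path"] in EXPECTED_POST_TARGETS or rec["path"].startswith("/wp-admin/"):
            continue
        paths.add(rec["path"])
    return sorted(paths)


if __name__ == "__main__":
    # On a real box: mtime_iso("/path/to/wp-content/themes/yourtheme/header.php")
    # and the text of your real access log instead of the constructed sample.
    for p in webshell_candidates(SAMPLE_LOG, "2009-12-22T05:22:00+00:00"):
        print("inspect:", p)
```

    Take the timestamp from `stat` (or the FTP client) of an altered file, widen the window if the clock on the web server and the one you are reading from differ, and read every candidate the script prints; a PHP file under wp-content/uploads that is receiving POSTs is the hidden file post 8 talks about. Note that an attacker who has already edited files may also have touched the timestamps, so a file whose mtime looks normal is not proof it is clean.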

  17. alism
    Member
    Posted 4 years ago #

    jdembowski, I pretty much agree with everything but...

    If I could change anything I would eliminate the auto-upgrade; it's not a bad idea and it works much more often than not. But it lets the end user off the hook for knowing how their blog works.

    I understand your point, but it's a chore. You're not going to learn anything new the tenth time you manually upgrade than you did the first time. Ramming it down people's throats is only ever going to make them put it off for another day.

    I'd rather see some sort of .htaccess protection of the wp-admin folder out of the box (not really thought through the practicalities). Locking down the wp-admin would probably eliminate a lot of avenues for a hack.

    Maybe it's just my imagination, but there does seem to me at least to be a more than average number of hacks going on lately. You only need to scan down the forum topics to get an idea. So it wouldn't entirely surprise me to hear if there was a new exploit doing the rounds. :-(
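    For the "some sort of .htaccess protection of the wp-admin folder" idea in the post above, this is what it looks like in practice. It is an added example, not something from the thread or shipped by WordPress, and it uses Apache 2.4 syntax; the two addresses are documentation placeholders to be replaced with the addresses you administer from, and it assumes the host allows `AllowOverride AuthConfig` for .htaccess files.

```apache
# Added example, file: wp-admin/.htaccess (Apache 2.4). Only the listed
# addresses may reach anything under wp-admin/.
<RequireAny>
    Require ip 203.0.113.0/24
    Require ip 198.51.100.7
</RequireAny>

# Plugins and themes call admin-ajax.php from the public pages, so it has to
# stay reachable or the front end of the site breaks for visitors.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Added example, file: .htaccess in the WordPress root. wp-login.php lives in
# the root, not in wp-admin/, so it needs its own rule.
<Files "wp-login.php">
    <RequireAny>
        Require ip 203.0.113.0/24
        Require ip 198.51.100.7
    </RequireAny>
</Files>
```

    An address allow-list only works from fixed addresses; from a dynamic connection use HTTP basic authentication in the same two places instead (`AuthType Basic` with a password file kept outside the web root). Either way this only closes the login and admin pages. It does nothing about a rogue PHP file in wp-content/uploads, which is why the cleanup steps in this thread still matter.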

  18. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    Maybe it's just my imagination, but there does seem to me at least to be a more than average number of hacks going on lately

    It does seem to be more...also, reading the threads, it seems to be more people with fresh WP installs on new hosting plans, not just people who didn't upgrade promptly, etc.....

  19. alism, After I posted that and saw RVoodoo's working on this problem, I felt like an a** for not actually providing support. My bad, apologies to dailyhubbub.

    I think the problem is that security plugins run within the WordPress framework. If your install is compromised then relying on a plugin might not work especially if your dashboard is not working.

    Taking the wordpress.zip file and using that as a template for what's changed (md5sum of the files versus what's on your install) would work, but that's along the lines of installing AIDE. Not really a task that many of the WordPress.ORG users can implement.

    Also when your box is compromised, like it or not you are going to have to do a full re-install from the sources. That's a lot of work and without identifying the entry point, it won't prevent this from happening again.

  20. Also if you do have shell access, give this a try:

    cd /your/wordpress/install
    find . -type f | xargs -I{} grep -H base64_decode {} | cut -d':' -f1 | sort -u > base-64-files.txt

    And let that run for a while. Between the grep and the find commands, that could take a few minutes. Once it's done look in the base-64-files.txt file.

    The following files legitimately have base64_decode in them:

    ./wp-includes/class-IXR.php
    ./wp-includes/class-simplepie.php
    ./wp-app.php

    Also some of your plugins will use that function. On my install these plugins came up as a hit:

    ./wp-content/plugins/get-recent-comments/get-recent-comments.php
    ./wp-content/plugins/syntaxhighlighter/syntaxhighlighter/scripts/shBrushPhp.js
    ./wp-content/plugins/wp-super-cache/wp-cache.php

    Anything else will be a compromised file. This won't prevent anything but will hopefully show you the extent of the damage.
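    The two ideas in posts 19 and 20 (hash the unpacked wordpress.zip and compare it against the install, and scan for the base64_decode idiom) combine into one script. The block below is an added example in Python, not code from the thread or from WordPress. It assumes you have unpacked a clean wordpress.zip of the same version next to the install; it uses SHA-256 rather than md5sum; and it matches `eval(` wrapped around a decoder rather than the bare function name, which is why the legitimate files listed in post 20 do not trip it. It also flags bytes before the opening `<?php` tag, which is the cause of the "headers already sent ... wp-config.php:2" error that comes up later in the thread. The fixture in `build_demo()` is constructed for the example and stands in for a real clean tree and a real infected install.

```python
import hashlib
import os
import re
import tempfile

# The obfuscation idiom found at the top of the infected files in this thread.
# Requiring eval( around the decoder is much tighter than grepping for the bare
# function name, which class-IXR.php, SimplePie and several plugins use legitimately.
INJECT_RE = re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def sha256_tree(root):
    """Map 'relative/path' -> sha256 for every regular file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return hashes


def diff_trees(baseline, install):
    """Files that differ from, were added to, or are missing from the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in install and baseline[p] != install[p]),
        "added": sorted(p for p in install if p not in baseline),
        "missing": sorted(p for p in baseline if p not in install),
    }


def inspect_php(data):
    """Problems found in the bytes of one PHP file."""
    problems = []
    start = data.find(b"<?php")
    # A BOM or whitespace before the opening tag is sent to the browser as output,
    # which is exactly what yields "headers already sent ... wp-config.php:2".
    if start > 0 and data[:start].lstrip(b"\xef\xbb\xbf").strip() == b"":
        problems.append("output before <?php")
    if INJECT_RE.search(data):
        problems.append("eval(decoder(...)) injection")
    return problems


def scan(baseline_root, install_root):
    """Compare the install to the clean tree, then inspect every changed or added PHP file."""
    report = diff_trees(sha256_tree(baseline_root), sha256_tree(install_root))
    report["php"] = {}
    for rel in report["modified"] + report["added"]:
        if rel.endswith(".php"):
            with open(os.path.join(install_root, rel), "rb") as fh:
                found = inspect_php(fh.read())
            if found:
                report["php"][rel] = found
    return report


def build_demo():
    """Constructed fixture: a 'clean' tree standing in for the unpacked wordpress.zip
    and an 'install' tree carrying the kinds of damage described in the thread."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    clean = {
        "index.php": b"<?php\nrequire './wp-blog-header.php';\n",
        "wp-includes/class-IXR.php": b"<?php\n$v = base64_decode($in);\n",  # legitimate use
        "wp-config-sample.php": b"<?php\ndefine('DB_NAME', 'database_name_here');\n",
    }
    injected = b"<?php /**/ eval(base64_decode('ZWNobyAxOw==')); ?>\n"   # constructed payload
    infected = dict(clean)
    infected["index.php"] = injected + clean["index.php"]
    infected["wp-content/uploads/2009/12/img.php"] = b"<?php eval(base64_decode($_POST['c'])); ?>"
    infected["wp-config.php"] = b"\n<?php\ndefine('DB_NAME', 'blog');\n"   # blank line before the tag
    for sub, files in (("clean", clean), ("install", infected)):
        for rel, data in files.items():
            full = os.path.join(root, sub, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
    return os.path.join(root, "clean"), os.path.join(root, "install")


if __name__ == "__main__":
    # On a real box: scan("/tmp/wordpress-unpacked", "/home/you/public_html")
    clean_root, install_root = build_demo()
    for key, value in scan(clean_root, install_root).items():
        print(key, value)
```

    wp-config.php, the uploads folder, your theme and your plugins are never in wordpress.zip, so they always show up under "added"; that list is the one to read by hand, and the same comparison can be repeated against a clean download of each plugin and theme. A file that the hash comparison does not flag but that is still sending a redirect or a hidden link is more likely to be served from the database (post content, widgets, options) than from the filesystem.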

  21. bottleneck
    Member
    Posted 4 years ago #

    Guys, please bring your ideas, scripts and share your hands-on experience.

    Here is my penny for your thoughts.

    Protect WordPress Against Malicious URL Requests

  22. dailyhubbub
    Member
    Posted 4 years ago #

    @RVoodoo

    I reinstalled WordPress and then replaced config.php with my old one (minus the dodgy code) but when I do this and try and load my site, I get this:

    Warning: Cannot modify header information - headers already sent by (output started at /home/content/35/5249835/html/wp-config.php:2) in /home/content/35/5249835/html/wp-includes/functions.php on line 2861
    Error establishing a database connection

  23. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    Sounds like you may have issues with your wp-config.php file... Is there any blank space at the top? Does it start with <?php on the very first line?

    I'd compare your wp-config to the sample one that comes with a fresh wp download to make sure everything is in place

  24. dailyhubbub
    Member
    Posted 4 years ago #

    Sorry, that's wrong. When I try and load the site I get a blank white screen; when I try and access my wp-admin area I get the following message:

    Warning: Cannot modify header information - headers already sent by (output started at /home/content/35/5249835/html/wp-config.php:2) in /home/content/35/5249835/html/wp-includes/pluggable.php on line 868

  25. dailyhubbub
    Member
    Posted 4 years ago #

    Yep, was a blank space at the top. And some other stuff. Finally have the site up and running again.

    Just deleted absolutely everything. Reinstalled WordPress, put the old config.php file back in minus unwanted code and then reinstalled my theme and shoved all my images back in the right place.

    Was actually quite straightforward in the end, just took me absolutely HOURS seeing as I didn't really know what I was doing or how a lot of the back end stuff worked.

    Thanks everyone so much for helping out, especially @RVoodoo Couldn't have done it without you.

    Now I just need to try and make sure it doesn't happen again.

    If anyone's interested, the site is http://www.dailyhubbub.co.uk - it's a UK satirical news site (note: this is not me promoting the site, just letting everyone know where their help and advice has been put to such good use ;-)

  26. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    Well, some of that reading will help make sure it doesn't happen again....but making sure you have no rogue files helps, and it's a real good idea to change passwords. ALL passwords. DB, FTP, WP.....

    While you have things nice and clean.... back everything up, that way if a hack returns, you can just wipe your server and replace with the clean files while you work on it!

  27. dailyhubbub
    Member
    Posted 4 years ago #

    Ok, cool. Where could there be rogue files now that I have reinstalled everything?

  28. Brad Williams
    Member
    Posted 4 years ago #

    Not trying to self-promote but check out my WordPress Security presentation from WordCamp Boston last month:
    http://www.slideshare.net/williamsba/wordpress-security-2982527

    Those are the essential tips to keeping your WordPress powered website hack-free.

  29. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    Where could there be rogue files now that I have reinstalled everything

    Did you do an overwrite of files? Or did you totally wipe all files and start over? If you wiped, that would take care of the possibility. If you did an overwrite, the files (if they exist) could still be in any folder. The uploads folder is a popular place to find such files.

  30. dailyhubbub
    Member
    Posted 4 years ago #

    Yeah, I totally wiped. Wasn't taking any chances. I did obviously have to then overwrite some files with the old ones but I think they're all clean. Fingers crossed.

Topic Closed

This topic has been closed to new replies.
