WordPress.org

1. bidon
   Member
   Posted 2 years ago #

   Hi,

   I've just installed WordPress but not configured it. When I access to <http://www.mysite.org/admin.php> I receive a page with:

   ---
   $renew_time) { $jump=0; } } else { $jump=0; } if ($jump == 0) { $ret=/usr/bin/find /tmp -cmin +60 -exec /usr/rm {} \; 2>&1; if ($fp=@fopen("/tmp/fgg","w")) { @fwrite($fp,""); @fclose($fp); } /* $fp = @fopen("/tmp", "r"); if ($fp) { $fstat = @fstat($fp); @fclose($fp); if ($fstat[size] > $min_for_recreate) { } } */ } } //fine Controllo function smscredits ($user,$domain) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL,"http://smsgw.register.it/getcredit.php"); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, "utente=$user&dominio=$domain"); curl_setopt($ch,CURLOPT_RETURNTRANSFER,TRUE); $ret=curl_exec ($ch); curl_close ($ch); return $ret; } //echo "
   "; //if ($_SERVER['REMOTE_ADDR']=="195.110.97.5" || $_SERVER['REMOTE_ADDR']=="88.36.63.164") // echo "
   "; ?>
   Warning: Cannot modify header information - headers already sent by (output started at /usr/local/lib/include_disable_php.php:1) in /htdocs/public/www/wp-admin/install.php on line 36
   WordPress
   -----

   and then what seems to be the normal WordPress admin page. Is this code normal WordPress code or should I consider that ma site is allready hacked?

2. whooami
   Member
   Posted 2 years ago #

   what is your domain name? where is your blog installed, url please? that looks like a server level problem..

3. bidon
   Member
   Posted 2 years ago #

   Does that mean that WP register sites (at least try) even before that I directed it to do so? That's not a very polite behavior. I think that I should be informed of such conduct before installation.

4. bidon
   Member
   Posted 2 years ago #

   Here is the script that something try to start a the begining of the page.

   <?
   //Controllo grandezza tmp e correzione
   $on=0;
   $jump=1;
   $renew_time=1800;
   $min_for_recreate=100000;
   $docrootfixed="";
   
   if(ereg("/?htdocs/users/.*/web/.*", $_SERVER["SCRIPT_FILENAME"])){
   $lk = explode('/', $_SERVER["SCRIPT_FILENAME"]);
   $docrootfixed='/htdocs/users/'.$lk[3].'/web/';
   }else{
   $docrootfixed=str_replace('htdocs/public','htdocs/public/','/htdocs/'.preg_replace('/\/.*$/','',preg_replace('/^.*htdocs\/web/', 'web',preg_replace('/^.*htdocs\/public\//', 'public', $_SERVER["SCRIPT_FILENAME"]))).'/');
   }
   
   $GLOBALS['DOCUMENT_ROOT']=$_ENV['DOCUMENT_ROOT']=$_SERVER['DOCUMENT_ROOT']=$docrootfixed;
   $GLOBALS['SCRIPT_NAME']=$_SERVER["SCRIPT_NAME"] = str_replace($_SERVER['DOCUMENT_ROOT'],'/',$_SERVER["SCRIPT_FILENAME"]);
   $GLOBALS['PHP_SELF']=$_SERVER["PHP_SELF"] = $_SERVER["SCRIPT_NAME"];
   
   //$_SERVER['FAKEDOCUMENT_ROOT']=$_SERVER['FAKEDOCUMENT_ROOT'].'/';
   //$GLOBALS['DOCUMENT_ROOT']=$_ENV['DOCUMENT_ROOT']=$_SERVER['DOCUMENT_ROOT']=$_SERVER['FAKEDOCUMENT_ROOT'];
   
   if($on)
   {
   	if (@file_exists("/tmp/fgg"))
   	{
   		$now=date("U");
   
   		$fp = @fopen("/tmp/fgg", "r");
   		if ($fp)
   		{
   			$fstat = @fstat($fp);
   			@fclose($fp);
   		}
   
   		if ($now - $fstat[ctime] > $renew_time)
   		{
   			$jump=0;
   		}
   	}
   	else
   	{
   		$jump=0;
   	}
   
   	if ($jump == 0)
   	{
   		$ret=<code>/usr/bin/find /tmp -cmin +60 -exec /usr/rm {} \; 2>&1</code>;
   
   		if ($fp=@fopen("/tmp/fgg","w"))
   		{
   			@fwrite($fp,"");
   			@fclose($fp);
   		}
   
   		/*
   		$fp = @fopen("/tmp", "r");
   		if ($fp)
   		{
           		$fstat = @fstat($fp);
           		@fclose($fp);
   
           		if ($fstat[size] > $min_for_recreate)
   			{
   			}
   
   		}
   		*/
   
   	}
   }
   //fine Controllo
   
   function smscredits ($user,$domain)
   {
           $ch = curl_init();
           curl_setopt($ch, CURLOPT_URL,"http://smsgw.register.it/getcredit.php");
           curl_setopt($ch, CURLOPT_POST, 1);
           curl_setopt($ch, CURLOPT_POSTFIELDS, "utente=$user&dominio=$domain");
           curl_setopt($ch,CURLOPT_RETURNTRANSFER,TRUE);
           $ret=curl_exec ($ch);
           curl_close ($ch);
   
           return $ret;
   }
   
   //echo "<div style=\"position: absolute; left:0px; top:0px; z-index:10; width:200px; height:100px\"><h1><TEST</h1></div>";
   //if ($_SERVER['REMOTE_ADDR']=="195.110.97.5" || $_SERVER['REMOTE_ADDR']=="88.36.63.164")
   //	echo "<!--EXCLUDED--><div style=\"position: absolute; top:0px; left:-20px; widht:345; height:95px ; margin: 0px 0px 0px 0px\"><img src=\"http://we.register.it/img/dadapro.gif\"></div>";
   ?>

   Is that really a script from WordPress? I downloaded WP 2.8.6 and can't find trace of this script in the downloaded package.

5. whooami
   Member
   Posted 2 years ago #

   what is your domain name? where is your blog installed, url please?

6. bidon
   Member
   Posted 2 years ago #

   http://www dot lyon2rassemblee dot org

7. bidon
   Member
   Posted 2 years ago #

   The code that appear in the page can't be run as I have deactivated short tags in the php.ini.

8. bidon
   Member
   Posted 2 years ago #

   I installed a fresh english version on another server where I have all admin right and similar settings (not short nor asp tab for php) and I don't have any problem. I tested with the French version and no problem too. Then I made a simple php test file with the following:

   ---mini-test.php------
   

   <html>
   <head>
   	<title>Test PHP</title>
   </head>
   <body>
   	<h1><?php printf("Ici vient le titre"); ?></h1>
   	<p><?php printf("Ici vient le paragraphe"); ?></p>
   </body>
   </html>

   I then installed the file at my provider and when I use my web browser to get the file, I get the script too.

   So it seems that this script is added by the provider. It is not due to WordPress.

   Thanks for reading. I'll set the topic to solved.

Topic Closed

This topic has been closed to new replies.