[resolved] wordpress already hacked? (8 posts)

  1. bidon
    Member
    Posted 4 years ago #

    Hi,

    I've just installed WordPress but not configured it. When I access <http://www.mysite.org/admin.php> I receive a page with:

    ---
    $renew_time) { $jump=0; } } else { $jump=0; } if ($jump == 0) { $ret=/usr/bin/find /tmp -cmin +60 -exec /usr/rm {} \; 2>&1; if ($fp=@fopen("/tmp/fgg","w")) { @fwrite($fp,""); @fclose($fp); } /* $fp = @fopen("/tmp", "r"); if ($fp) { $fstat = @fstat($fp); @fclose($fp); if ($fstat[size] > $min_for_recreate) { } } */ } } //fine Controllo function smscredits ($user,$domain) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL,"http://smsgw.register.it/getcredit.php"); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, "utente=$user&dominio=$domain"); curl_setopt($ch,CURLOPT_RETURNTRANSFER,TRUE); $ret=curl_exec ($ch); curl_close ($ch); return $ret; } //echo "
    "; //if ($_SERVER['REMOTE_ADDR']=="195.110.97.5" || $_SERVER['REMOTE_ADDR']=="88.36.63.164") // echo "
    "; ?>
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/lib/include_disable_php.php:1) in /htdocs/public/www/wp-admin/install.php on line 36
    WordPress
    -----

    and then what seems to be the normal WordPress admin page. Is this code normal WordPress code or should I consider that my site is already hacked?

  2. whooami
    Member
    Posted 4 years ago #

    What is your domain name? Where is your blog installed, URL please? That looks like a server-level problem.

  3. bidon
    Member
    Posted 4 years ago #

    Does that mean that WP registers sites (or at least tries to) even before I directed it to do so? That's not very polite behavior. I think that I should be informed of such conduct before installation.

  4. bidon
    Member
    Posted 4 years ago #

    Here is the script that something tries to start at the beginning of the page.

    <?
    // Check the size of tmp and correct it
    $on=0;
    $jump=1;
    $renew_time=1800;
    $min_for_recreate=100000;
    $docrootfixed="";
    
    if(ereg("/?htdocs/users/.*/web/.*", $_SERVER["SCRIPT_FILENAME"])){
    $lk = explode('/', $_SERVER["SCRIPT_FILENAME"]);
    $docrootfixed='/htdocs/users/'.$lk[3].'/web/';
    }else{
    $docrootfixed=str_replace('htdocs/public','htdocs/public/','/htdocs/'.preg_replace('/\/.*$/','',preg_replace('/^.*htdocs\/web/', 'web',preg_replace('/^.*htdocs\/public\//', 'public', $_SERVER["SCRIPT_FILENAME"]))).'/');
    }
    
    $GLOBALS['DOCUMENT_ROOT']=$_ENV['DOCUMENT_ROOT']=$_SERVER['DOCUMENT_ROOT']=$docrootfixed;
    $GLOBALS['SCRIPT_NAME']=$_SERVER["SCRIPT_NAME"] = str_replace($_SERVER['DOCUMENT_ROOT'],'/',$_SERVER["SCRIPT_FILENAME"]);
    $GLOBALS['PHP_SELF']=$_SERVER["PHP_SELF"] = $_SERVER["SCRIPT_NAME"];
    
    //$_SERVER['FAKEDOCUMENT_ROOT']=$_SERVER['FAKEDOCUMENT_ROOT'].'/';
    //$GLOBALS['DOCUMENT_ROOT']=$_ENV['DOCUMENT_ROOT']=$_SERVER['DOCUMENT_ROOT']=$_SERVER['FAKEDOCUMENT_ROOT'];
    
    if($on)
    {
    	if (@file_exists("/tmp/fgg"))
    	{
    		$now=date("U");
    
    		$fp = @fopen("/tmp/fgg", "r");
    		if ($fp)
    		{
    			$fstat = @fstat($fp);
    			@fclose($fp);
    		}
    
    		if ($now - $fstat[ctime] > $renew_time)
    		{
    			$jump=0;
    		}
    	}
    	else
    	{
    		$jump=0;
    	}
    
    	if ($jump == 0)
    	{
    		$ret=`/usr/bin/find /tmp -cmin +60 -exec /usr/rm {} \; 2>&1`;
    
    		if ($fp=@fopen("/tmp/fgg","w"))
    		{
    			@fwrite($fp,"");
    			@fclose($fp);
    		}
    
    		/*
    		$fp = @fopen("/tmp", "r");
    		if ($fp)
    		{
            		$fstat = @fstat($fp);
            		@fclose($fp);
    
            		if ($fstat[size] > $min_for_recreate)
    			{
    			}
    
    		}
    		*/
    
    	}
    }
    // end of check
    
    function smscredits ($user,$domain)
    {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL,"http://smsgw.register.it/getcredit.php");
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, "utente=$user&dominio=$domain");
            curl_setopt($ch,CURLOPT_RETURNTRANSFER,TRUE);
            $ret=curl_exec ($ch);
            curl_close ($ch);
    
            return $ret;
    }
    
    //echo "<div style=\"position: absolute; left:0px; top:0px; z-index:10; width:200px; height:100px\"><h1><TEST</h1></div>";
    //if ($_SERVER['REMOTE_ADDR']=="195.110.97.5" || $_SERVER['REMOTE_ADDR']=="88.36.63.164")
    //	echo "<!--EXCLUDED--><div style=\"position: absolute; top:0px; left:-20px; widht:345; height:95px ; margin: 0px 0px 0px 0px\"><img src=\"http://we.register.it/img/dadapro.gif\"></div>";
    ?>

    Is that really a script from WordPress? I downloaded WP 2.8.6 and can't find trace of this script in the downloaded package.

  5. whooami
    Member
    Posted 4 years ago #

    What is your domain name? Where is your blog installed, URL please?

  6. bidon
    Member
    Posted 4 years ago #

    http://www dot lyon2rassemblee dot org

  7. bidon
    Member
    Posted 4 years ago #

    The code that appears in the page can't be run as I have deactivated short tags in php.ini.

  8. bidon
    Member
    Posted 4 years ago #

    I installed a fresh English version on another server where I have all admin rights and similar settings (neither short nor ASP tags for PHP) and I don't have any problem. I tested with the French version and no problem either. Then I made a simple PHP test file with the following:

    ---mini-test.php------

    <html>
    <head>
    	<title>Test PHP</title>
    </head>
    <body>
    	<h1><?php printf("Ici vient le titre"); ?></h1>
    	<p><?php printf("Ici vient le paragraphe"); ?></p>
    </body>
    </html>

    I then installed the file at my provider and when I use my web browser to get the file, I get the script too.

    So it seems that this script is added by the provider. It is not due to WordPress.

    Thanks for reading. I'll set the topic to solved.
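
A way to check the conclusion reached in the last post, as an added example that is not part of the thread or of WordPress: the script reports whether the host injects a file through PHP's `auto_prepend_file` or `auto_append_file` directives and whether that file opens with the short `<?` tag while `short_open_tag` is off, the combination that makes PHP print the file's source instead of running it. That the provider used `auto_prepend_file` is an assumption (the thread does not say how the file was included); the function names are illustrative and PHP 7.1 or later is assumed.

```php
<?php
// Added diagnostic, not from the thread. Run it on the affected host (CLI or web).
// Assumption: the host injects its file via auto_prepend_file / auto_append_file.

/** True when $source opens PHP with the short tag "<?" rather than "<?php" or "<?=". */
function uses_short_open_tag(string $source): bool
{
    return preg_match('/<\?(?!php\b|=|xml\b)/i', $source) === 1;
}

/** Describe one injected file and whether this PHP configuration runs it or leaks it. */
function check_injected_file(string $directive, bool $shortTagsOn): ?string
{
    $path = (string) ini_get($directive);
    if ($path === '') {
        return null; // nothing is injected through this directive
    }
    $resolved = stream_resolve_include_path($path);
    if ($resolved === false || !is_readable($resolved)) {
        return "$directive = $path (not readable by this account; ask the host what it contains)";
    }
    $source = file_get_contents($resolved);
    if (uses_short_open_tag($source) && !$shortTagsOn) {
        return "$directive = $resolved uses \"<?\" but short_open_tag is off: "
             . "its source is sent to the browser as text before your script runs";
    }
    // A hash lets you notice later if the injected file changes.
    return "$directive = $resolved (executed as PHP, sha256 " . hash('sha256', $source) . ")";
}

$shortTagsOn = filter_var(ini_get('short_open_tag'), FILTER_VALIDATE_BOOLEAN);
echo "php.ini in use: ", php_ini_loaded_file() ?: '(none)', "\n";
echo "short_open_tag: ", $shortTagsOn ? 'On' : 'Off', "\n";

$found = false;
foreach (['auto_prepend_file', 'auto_append_file'] as $directive) {
    $report = check_injected_file($directive, $shortTagsOn);
    if ($report !== null) {
        $found = true;
        echo $report, "\n";
    }
}
if (!$found) {
    echo "No auto_prepend_file/auto_append_file set; check include() calls and .htaccess php_value lines\n";
}
```

If the script reports nothing injected and the unexpected code still appears, compare the installed files against a clean copy of the same WordPress release before concluding the host is responsible.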
