Support » Fixing WordPress » Help Needed: Website Clean or Hacked?

  • Greetings,

    When I was browsing the PHP files of the Bueno theme via the Editor, I came across PHP files named like:
    4c52d29df0c6be00235e0dbe03afa9ec.php

    When I searched about it, many posts mentioned that it can be a malware backdoor. So I have scanned the website (www.cookingcookies.net) with every service that is possible (Sucuri and so on) and the results are all clean.

    But I am still uneasy. These PHP files with weird names are still there. Is the website hacked? What shall I do? Could deleting these weirdly named files be a solution? Thanks!

Viewing 10 replies - 1 through 10 (of 10 total)
  • [ removed text ]

    Disregard this please, I remembered hyper-cache files end in .dat and I didn’t realize you said it shows up in Appearance -> Editor.

    Hi Patrick,

    I think they are inside the Bueno theme folder, because when I open Appearance > Editor in the WP admin panel, I see them. There are 5 PHP files with weird names in total. If possible, I can give a screenshot.

    I am really confused!

    When I opened one of them, at the end of the page it says:

    eval(gzinflate(str_rot13(base64_decode($rhs))));
    ?>

    Isn’t eval a sort of malware code?

    And at the top of one, it says:

    <?php

    // ketek90@gmail.com
    // no malware on this code, you can check it by yourself 😉

    @error_reporting(0);
    @set_time_limit(0);
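    The snippets quoted above (an eval() wrapped around gzinflate/str_rot13/base64_decode, error reporting switched off, a 32-hex-character file name and a "no malware" comment) are exactly the sort of traits a defender can grep a theme directory for. The following scanner is an added example written for this thread, not code from WordPress, WooThemes or any poster; the signature list is an assumed set of heuristics, and the sample files it writes into a temporary directory are constructed (the "$rhs" string is just repeated base64 of "AAA", not a real payload). Matching one of these signatures is a reason to inspect a file, not proof by itself.

```python
import os
import re
import shutil
import tempfile

# Assumed heuristics drawn from the traits quoted in the thread.
PATTERNS = {
    # eval() fed directly by a decode/inflate function chain
    "eval_obfuscation_chain": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I),
    # error reporting silenced, a common first line of dropped scripts
    "error_reporting_off": re.compile(r"@?error_reporting\s*\(\s*0\s*\)", re.I),
    # a long run of base64 characters (200+), typical of an embedded payload
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    # the comment the poster found at the top of the file
    "no_malware_claim": re.compile(r"no\s+malware", re.I),
}
# 32 hex characters + .php, like 4c52d29df0c6be00235e0dbe03afa9ec.php
HEX_NAME = re.compile(r"^[0-9a-f]{32}\.php$", re.I)


def scan_file(path):
    """Return the list of signature names that match this file (empty if clean)."""
    findings = []
    if HEX_NAME.match(os.path.basename(path)):
        findings.append("hex_hash_filename")
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return findings
    for name, rx in PATTERNS.items():
        if rx.search(text):
            findings.append(name)
    return findings


def scan_tree(root):
    """Walk a theme/plugin directory and map relative path -> findings for PHP files."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, fn)
            hits = scan_file(path)
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def demo():
    """Build a constructed theme tree with one clean and one suspicious file, scan it."""
    root = tempfile.mkdtemp(prefix="bueno_scan_")
    try:
        theme = os.path.join(root, "bueno")
        cache = os.path.join(theme, "cache")
        os.makedirs(cache)
        # Constructed clean template file
        with open(os.path.join(theme, "index.php"), "w") as fh:
            fh.write("<?php\nget_header();\nthe_post();\nget_footer();\n")
        # Constructed suspicious file mirroring the structure quoted in the thread;
        # the $rhs value is harmless base64 of repeated "AAA".
        suspect = (
            "<?php\n// no malware on this code, you can check it by yourself\n"
            "@error_reporting(0);\n@set_time_limit(0);\n"
            "$rhs = '" + "QUFB" * 70 + "';\n"
            "eval(gzinflate(str_rot13(base64_decode($rhs))));\n?>\n"
        )
        with open(os.path.join(cache, "4c52d29df0c6be00235e0dbe03afa9ec.php"), "w") as fh:
            fh.write(suspect)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, "->", ", ".join(hits))
```

Pointing scan_tree() at a real wp-content/themes or wp-content/plugins directory is the practical use; the hex-name check is file-name only, so it also catches files whose contents are further obfuscated.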

    WooThemes is a reputable source of themes, at least in my experience. I am 99% certain that file was not there when you downloaded the theme.

    If you navigate to /wp-content/themes/bueno can you find those files?

    It is funny and weird!

    When I connect to the site via FTP and check /wp-content/themes/bueno, those files are nowhere to be found!

    But when I log into the WP backend and open Appearance > Editor in the WP admin panel, I still see them!

    What does it mean? I am so confused and stressed!

    By the way, Patrick, I agree with you about WooThemes. And when I compare the original theme folder/files to folder/files on FTP there is no difference.
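    The comparison mentioned just above (original theme download versus what is on the server) is the most reliable way to spot dropped files, provided it is run over the server's real file tree rather than a possibly incomplete FTP view; in this thread the files later turned out to live in bueno/cache. Below is an added example of such a comparison, written for this thread and not taken from WordPress, WooThemes or any poster: it hashes every file in a pristine copy and in the deployed copy with SHA-256 and reports what was added, removed or modified. The two directory trees it builds are constructed samples.

```python
import hashlib
import os
import shutil
import tempfile


def hash_tree(root):
    """Map relative path (forward slashes) -> SHA-256 hex digest for every file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def diff_trees(pristine_root, deployed_root):
    """Compare a vendor copy of a theme with the deployed copy and classify differences."""
    pristine = hash_tree(pristine_root)
    deployed = hash_tree(deployed_root)
    common = set(pristine) & set(deployed)
    return {
        # files on the server that the vendor never shipped (dropped scripts land here)
        "added": sorted(set(deployed) - set(pristine)),
        # vendor files that are gone from the server
        "missing": sorted(set(pristine) - set(deployed)),
        # vendor files whose content changed (injected code lands here)
        "modified": sorted(p for p in common if pristine[p] != deployed[p]),
    }


def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo():
    """Constructed pristine and deployed theme trees; returns diff_trees() on them."""
    base = tempfile.mkdtemp(prefix="theme_diff_")
    try:
        pristine = os.path.join(base, "bueno_vendor")
        deployed = os.path.join(base, "bueno_server")
        vendor_files = {
            "style.css": "/* Theme Name: Bueno */\n",
            "index.php": "<?php get_header(); the_post(); get_footer();\n",
            "functions.php": "<?php add_theme_support('post-thumbnails');\n",
            "thumb.php": "<?php // timthumb\n",
        }
        for rel, content in vendor_files.items():
            _write(pristine, rel, content)
            _write(deployed, rel, content)
        # Constructed tampering: one injected line and one dropped file in cache/
        _write(deployed, "functions.php", vendor_files["functions.php"] + "include 'cache/x.php';\n")
        _write(deployed, "cache/4c52d29df0c6be00235e0dbe03afa9ec.php", "<?php // constructed sample\n")
        return diff_trees(pristine, deployed)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run diff_trees() with the path of a freshly downloaded theme archive and the path of the theme as copied off the server (via SSH or a full hosting backup, not only an FTP listing); "added" and "modified" together are the list of files to inspect or replace.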

    Yes, I am 99% sure that this is a malware script.

    Sources:

    http://blog.sucuri.net
    and more comprehensive…

    That file needs to be removed ASAP. Who’s your hosting provider? You should get in touch with them and have them investigate. If you’re with hostgator you can submit a ticket to their “security department” for further investigation.

    [Possible work solicitation removed.]

    I have just written to our hosting provider (It is not HostGator) about this topic. Waiting for their answer now.

    I will keep this topic updated. Thank you!

    I was wondering how it happened? I have been using the same plugins for more than a year. Same theme for more than a year. I always keep everything up to date. Is it this TimThumb issue that is mentioned almost everywhere?

    I happened to come across the file thumb.php and changed the code there to:

    define( 'ALLOW_EXTERNAL', false );

    and

    deleted everything inside the allowed sites setting:

    $allowedSites = array();

    Here is the link about this issue and solution:

    How To Fix The Security Issue in Timthumb

    I have contacted the hosting provider. They say they have found malicious code inside the site, some hiding inside the pictures. And they say that online scanning services cannot find those traces.

    I have asked a couple of questions and am waiting for the answers again.

    I have also discovered that the weirdly named PHP files are inside:
    …/httpdocs/wp-content/themes/bueno/cache

    Is there a way to rescue the site without wiping it all out, only deleting the infected files or pictures or whatever?

    What kind of attack is that? I mean, what is its behavior? What does it do to the website visitor or the site itself exactly?

    And, if they wipe out the website and I load the backup, if the backup is also infected, what will be the difference? Won’t it be infected again?

    I am so confused, I will appreciate answers that will clear my mind a bit!

  • The topic ‘Help Needed: Website Clean or Hacked?’ is closed to new replies.