[Resolved] wordpress already hacked?

  • Hi,

    I’ve just installed WordPress but not configured it. When I access <http://www.mysite.org/admin.php> I receive a page with:


    $renew_time) { $jump=0; } } else { $jump=0; } if ($jump == 0) { $ret=/usr/bin/find /tmp -cmin +60 -exec /usr/rm {} \; 2>&1; if ($fp=@fopen("/tmp/fgg","w")) { @fwrite($fp,""); @fclose($fp); } /* $fp = @fopen("/tmp", "r"); if ($fp) { $fstat = @fstat($fp); @fclose($fp); if ($fstat[size] > $min_for_recreate) { } } */ } } //fine Controllo function smscredits ($user,$domain) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL,"http://smsgw.register.it/getcredit.php"); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, "utente=$user&dominio=$domain"); curl_setopt($ch,CURLOPT_RETURNTRANSFER,TRUE); $ret=curl_exec ($ch); curl_close ($ch); return $ret; } //echo "
    "; //if ($_SERVER['REMOTE_ADDR']=="195.110.97.5" || $_SERVER['REMOTE_ADDR']=="88.36.63.164") // echo "
    "; ?>
    Warning: Cannot modify header information - headers already sent by (output started at /usr/local/lib/include_disable_php.php:1) in /htdocs/public/www/wp-admin/install.php on line 36
    WordPress
    -----

    and then what seems to be the normal WordPress admin page. Is this code normal WordPress code, or should I consider that my site is already hacked?

  • whooami

    @whooami

    Member

    what is your domain name? where is your blog installed, url please? that looks like a server level problem..

    Does that mean that WP registers sites (or at least tries to) even before I have directed it to do so? That’s not very polite behavior. I think that I should be informed of such conduct before installation.

    Here is the script that something tries to start at the beginning of the page.

    <?
    //Check the size of tmp and correct it
    $on=0;
    $jump=1;
    $renew_time=1800;
    $min_for_recreate=100000;
    $docrootfixed="";
    
    if(ereg("/?htdocs/users/.*/web/.*", $_SERVER["SCRIPT_FILENAME"])){
    $lk = explode('/', $_SERVER["SCRIPT_FILENAME"]);
    $docrootfixed='/htdocs/users/'.$lk[3].'/web/';
    }else{
    $docrootfixed=str_replace('htdocs/public','htdocs/public/','/htdocs/'.preg_replace('/\/.*$/','',preg_replace('/^.*htdocs\/web/', 'web',preg_replace('/^.*htdocs\/public\//', 'public', $_SERVER["SCRIPT_FILENAME"]))).'/');
    }
    
    $GLOBALS['DOCUMENT_ROOT']=$_ENV['DOCUMENT_ROOT']=$_SERVER['DOCUMENT_ROOT']=$docrootfixed;
    $GLOBALS['SCRIPT_NAME']=$_SERVER["SCRIPT_NAME"] = str_replace($_SERVER['DOCUMENT_ROOT'],'/',$_SERVER["SCRIPT_FILENAME"]);
    $GLOBALS['PHP_SELF']=$_SERVER["PHP_SELF"] = $_SERVER["SCRIPT_NAME"];
    
    //$_SERVER['FAKEDOCUMENT_ROOT']=$_SERVER['FAKEDOCUMENT_ROOT'].'/';
    //$GLOBALS['DOCUMENT_ROOT']=$_ENV['DOCUMENT_ROOT']=$_SERVER['DOCUMENT_ROOT']=$_SERVER['FAKEDOCUMENT_ROOT'];
    
    if($on)
    {
    	if (@file_exists("/tmp/fgg"))
    	{
    		$now=date("U");
    
    		$fp = @fopen("/tmp/fgg", "r");
    		if ($fp)
    		{
    			$fstat = @fstat($fp);
    			@fclose($fp);
    		}
    
    		if ($now - $fstat[ctime] > $renew_time)
    		{
    			$jump=0;
    		}
    	}
    	else
    	{
    		$jump=0;
    	}
    
    	if ($jump == 0)
    	{
    		$ret=`/usr/bin/find /tmp -cmin +60 -exec /usr/rm {} \; 2>&1`;
    
    		if ($fp=@fopen("/tmp/fgg","w"))
    		{
    			@fwrite($fp,"");
    			@fclose($fp);
    		}
    
    		/*
    		$fp = @fopen("/tmp", "r");
    		if ($fp)
    		{
            		$fstat = @fstat($fp);
            		@fclose($fp);
    
            		if ($fstat[size] > $min_for_recreate)
    			{
    			}
    
    		}
    		*/
    
    	}
    }
    //end of check
    
    function smscredits ($user,$domain)
    {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL,"http://smsgw.register.it/getcredit.php");
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, "utente=$user&dominio=$domain");
            curl_setopt($ch,CURLOPT_RETURNTRANSFER,TRUE);
            $ret=curl_exec ($ch);
            curl_close ($ch);
    
            return $ret;
    }
    
    //echo "<div style=\"position: absolute; left:0px; top:0px; z-index:10; width:200px; height:100px\"><h1><TEST</h1></div>";
    //if ($_SERVER['REMOTE_ADDR']=="195.110.97.5" || $_SERVER['REMOTE_ADDR']=="88.36.63.164")
    //	echo "<!--EXCLUDED--><div style=\"position: absolute; top:0px; left:-20px; widht:345; height:95px ; margin: 0px 0px 0px 0px\"><img src=\"http://we.register.it/img/dadapro.gif\"></div>";
    ?>

    Is that really a script from WordPress? I downloaded WP 2.8.6 and can’t find any trace of this script in the downloaded package.

    whooami

    @whooami

    Member

    what is your domain name? where is your blog installed, url please?

    http://www dot lyon2rassemblee dot org

    The code that appears in the page can’t be run, as I have deactivated short tags in php.ini.

    I installed a fresh English version on another server where I have full admin rights and similar settings (neither short nor ASP tags for PHP) and I don’t have any problem. I tested with the French version and had no problem either. Then I made a simple PHP test file with the following:

    --- mini-test.php ---

    <html>
    <head>
    	<title>Test PHP</title>
    </head>
    <body>
    	<h1><?php printf("Ici vient le titre"); ?></h1>
    	<p><?php printf("Ici vient le paragraphe"); ?></p>
    </body>
    </html>

    I then installed the file at my provider and when I use my web browser to get the file, I get the script too.

    So it seems that this script is added by the provider. It is not due to WordPress.

    Thanks for reading. I’ll set the topic to solved.
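
The check the last post performs by hand can be scripted. The following is an added example, not part of the thread and not code from WordPress or the hosting provider: uploaded next to `mini-test.php`, it reports whether a server-wide prepend file is configured, whether short tags are enabled, and where output first started. It assumes the provider loads its script through PHP's `auto_prepend_file` directive, which the thread does not confirm; the function names `opens_with_short_tag` and `prepend_report` are illustrative.

```php
<?php
// Added diagnostic, not part of the thread. It uses the full "<?php" tag so it
// is parsed even when short_open_tag is off.

/** True when a file opens with the short tag "<?" rather than "<?php" or "<?=". */
function opens_with_short_tag(string $head): bool
{
    return preg_match('/^\s*<\?(?!php\b|=)/i', $head) === 1;
}

/** Collect the settings that decide whether a prepended script runs or leaks. */
function prepend_report(): array
{
    $file = '';
    $line = 0;
    $sent = headers_sent($file, $line);            // where output began, if it has

    $prepend   = (string) ini_get('auto_prepend_file');
    $shortTags = filter_var(ini_get('short_open_tag'), FILTER_VALIDATE_BOOLEAN);

    // The directive is resolved through include_path; open_basedir on shared
    // hosting may block the lookup or the read, in which case $head stays null.
    $head = null;
    $path = $prepend !== '' ? @stream_resolve_include_path($prepend) : false;
    if ($path !== false) {
        $bytes = @file_get_contents($path, false, null, 0, 64);
        $head  = $bytes === false ? null : $bytes;
    }

    return [
        'php.ini'           => php_ini_loaded_file() ?: '(none)',
        'auto_prepend_file' => $prepend !== '' ? $prepend : '(not set)',
        'short_open_tag'    => $shortTags ? 'on' : 'off',
        'output started at' => $sent ? "$file:$line" : '(no output yet)',
        // Short-tag prepend + short tags off = source is sent to the browser as text.
        'prepend leaks'     => $head === null ? 'unknown'
            : ((opens_with_short_tag($head) && !$shortTags) ? 'yes' : 'no'),
    ];
}

$report = prepend_report();                         // capture before we print anything
if (!headers_sent()) {
    header('Content-Type: text/plain; charset=utf-8');
}
foreach ($report as $key => $value) {
    printf("%-18s %s\n", $key, $value);
}
```

An "output started at" value that names a file outside the site's own directory, as in the warning quoted in the first post, indicates server configuration rather than a modified WordPress file.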
