WordPress hacked with a strange file hidden in the includes folder

mrshampoo
(@mrshampoo)

11 years, 8 months ago
I recently found out that my site was hacked and went through various steps but it still kept adding eval(base64_decode( junk in my wp-config.php file. It also included ___DATADIRipconfig.bin and folders that kept being uploaded on a daily basis.

Today I found this scary looking file after spending hours trying to clean my site from being hacked. The filename is arch.php and I’ve searched everywhere but couldn’t find what the purpose of the file was, so I of course deleted it but wanted to share this bit of info to anyone else who might be going through the same thing I went through.

The file is located in: wp-includes/Text/Diff/Engine. It’s a rather large file and uses the zipfile_mod class to create files/directories with base64 characters. Below is a snippet of the code:
```
function wsoLogin() {
	die("<pre align=center><form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form></pre>");
}
if(!empty($auth_pass)) {
    if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
        WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);

    if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
        wsoLogin();
}
function WSOsetcookie($k, $v) {
    $_COOKIE[$k] = $v;
    setcookie($k, $v);
}
```
If it continues or if I find anything else, I’ll add more info.

Viewing 7 replies - 1 through 7 (of 7 total)

esmi
(@esmi)

11 years, 8 months ago

You need to start working your way through these resources:
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

The Hack Repair Guy
(@tvcnet)

11 years, 8 months ago

A fairly common event nowadays, particularly when a website has been left outdated version or plugin wise.

Make sure to likewise change every password you can find, as well as complete updates on everything within your website account space.
Thread Starter mrshampoo
(@mrshampoo)

11 years, 8 months ago
I’ve changed my passwords for both wordpress admin, MySQL, and FTP. I’ve also made a backup of my database and did a search for eval and base64 there. Nothing in the active plugin values either.

I’ve also kept both wordpress and plugins up to date whenever possible. Unfortunately the wp-config.php got updated again even when I changed permissions to 440.

Looking at the wp-config.php, they’ve added this in and removed much of the standard code. These people are relentless.
```
/* Stop editing */

$server = DB_HOST;
$loginsql = DB_USER;
$passsql = DB_PASSWORD;
$base = DB_NAME;
```
I’ll go through the links that I haven’t visited yet and see if there’s anything else I can add. Thanks for all your help so far.
esmi
(@esmi)

11 years, 8 months ago

Have you spoken to your hosts about this? They might be able to help you track down how the hacker is gaining entry.

Thread Starter mrshampoo
(@mrshampoo)

11 years, 8 months ago

Good thinking, I’ve just sent them a message about this.

JohnS0N
(@johns0n)

11 years, 8 months ago

I have this same shit going on… and lost all rankings because of it. I do not use wordpress though, but a custom php website, mostly static though.
ad-min
(@ad-min)

11 years, 7 months ago
This one below is a php script that may help.
It searches for a particular string inside yourfiles.
Replace “base64_decode” wirh anything you want and it will search all your files for that string and it will show those that have it to you.

This is one way to find if any of your files have been modified by a hacker.
```
<html><head><title>Find String</title></head><body>
<?php
ini_set('max_execution_time', '0');
ini_set('set_time_limit', '0');
find_files('.');
function find_files($seed) {
  if(! is_dir($seed)) return false;
  $files = array();
  $dirs = array($seed);
  while(NULL !== ($dir = array_pop($dirs)))
    {
      if($dh = opendir($dir))
        {
          while( false !== ($file = readdir($dh)))
            {
              if($file == '.' || $file == '..') continue;
              $path = $dir . '/' . $file;
              if(is_dir($path)) {    $dirs[] = $path; }
              else { if(preg_match('/^.*\.(php[\d]?|js|txt)$/i', $path)) { check_files($path); }}
            }
          closedir($dh);
        }
    }
}
function check_files($this_file) {
   $str_to_find='base64_decode'; // the string(code/text) to search for
   if(!($content = file_get_contents($this_file))) { echo("<p>Could not check $this_file</p>\n"); }
   else { if(stristr($content, $str_to_find)) { echo("<p>$this_file -> contains $str_to_find</p>\n"); }}
   unset($content);
}
?>
</body></html>
```

Viewing 7 replies - 1 through 7 (of 7 total)

The topic ‘WordPress hacked with a strange file hidden in the includes folder’ is closed to new replies.

WordPress hacked with a strange file hidden in the includes folder

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics