WordPress hacked with a strange file hidden in the includes folder (8 posts)

  1. mrshampoo
    Posted 3 years ago #

    I recently found out that my site was hacked and went through various steps but it still kept adding eval(base64_decode( junk in my wp-config.php file. It also included ___DATADIRipconfig.bin and folders that kept being uploaded on a daily basis.

    Today I found this scary looking file after spending hours trying to clean my site from being hacked. The filename is arch.php and I've searched everywhere but couldn't find what the purpose of the file was, so I of course deleted it but wanted to share this bit of info to anyone else who might be going through the same thing I went through.

    The file is located in: wp-includes/Text/Diff/Engine. It's a rather large file and uses the zipfile_mod class to create files/directories with base64 characters. Below is a snippet of the code:

    function wsoLogin() {
    	die("<pre align=center><form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form></pre>");
    if(!empty($auth_pass)) {
        if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
            WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);
        if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
    function WSOsetcookie($k, $v) {
        $_COOKIE[$k] = $v;
        setcookie($k, $v);

    If it continues or if I find anything else, I'll add more info.

  2. esmi
    Forum Moderator
    Posted 3 years ago #

  3. The Hack Repair Guy
    Posted 3 years ago #

    A fairly common event nowadays, particularly when a website has been left outdated, version or plugin wise.

    Make sure to likewise change every password you can find, as well as complete updates on everything within your website account space.

  4. mrshampoo
    Posted 3 years ago #

    I've changed my passwords for WordPress admin, MySQL, and FTP. I've also made a backup of my database and did a search for eval and base64 there. Nothing in the active plugin values either.

    I've also kept both WordPress and plugins up to date whenever possible. Unfortunately the wp-config.php got updated again even when I changed permissions to 440.

    Looking at the wp-config.php, they've added this in and removed much of the standard code. These people are relentless.

    /* Stop editing */
    $server = DB_HOST;
    $loginsql = DB_USER;
    $passsql = DB_PASSWORD;
    $base = DB_NAME;

    I'll go through the links that I haven't visited yet and see if there's anything else I can add. Thanks for all your help so far.

  5. esmi
    Forum Moderator
    Posted 3 years ago #

    Have you spoken to your hosts about this? They might be able to help you track down how the hacker is gaining entry.

  6. mrshampoo
    Posted 3 years ago #

    Good thinking, I've just sent them a message about this.

  7. JohnS0N
    Posted 3 years ago #

    I have this same shit going on... and lost all rankings because of it. I do not use wordpress though, but a custom php website, mostly static though.

  8. ad-min
    Posted 3 years ago #

    This one below is a php script that may help.
    It searches for a particular string inside your files.
    Replace "base64_decode" with anything you want and it will search all your files for that string and it will show those that have it to you.

    This is one way to find if any of your files have been modified by a hacker.

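    <html><head><title>Find String</title></head><body>
    <?php
    // Allow the scan to run without the default execution time limit.
    ini_set('max_execution_time', '0');
    set_time_limit(0);

    // Walk $seed recursively and check every .php/.js/.txt file found.
    function find_files($seed) {
      if(! is_dir($seed)) return false;
      $dirs = array($seed);
      while(NULL !== ($dir = array_pop($dirs))) {
          if($dh = opendir($dir)) {
              while( false !== ($file = readdir($dh))) {
                  if($file == '.' || $file == '..') continue;
                  $path = $dir . '/' . $file;
                  if(is_dir($path)) { $dirs[] = $path; }
                  else { if(preg_match('/^.*\.(php[\d]?|js|txt)$/i', $path)) { check_files($path); }}
              }
              closedir($dh);
          }
      }
    }

    // Report $this_file if its contents contain the search string (case-insensitive).
    function check_files($this_file) {
       $str_to_find='base64_decode'; // the string(code/text) to search for
       $name = htmlspecialchars($this_file); // escape the path before printing it into the HTML page
       if(($content = file_get_contents($this_file)) === false) { echo("<p>Could not check $name</p>\n"); }
       else { if(stristr($content, $str_to_find)) { echo("<p>$name -> contains $str_to_find</p>\n"); }}
    }

    find_files('.'); // start from this script's directory (assumed; adjust to your web root)
    ?>
    </body></html>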
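
A broader version of the string search in the last post, as an added example that is not part of the thread: it looks for the specific strings quoted above (the `eval(base64_decode(` wrapper, the `wsoLogin`/`WSOsetcookie` names, the `$passsql = DB_PASSWORD` line) instead of bare `base64_decode`, which also appears in legitimate code. The indicator names, `scan_tree` and `build_sample_site` are assumptions of this example, and the sample files are constructed.

```python
import os
import re
import sys
from pathlib import Path

# Indicators built from the strings quoted in this thread.
INDICATORS = {
    "eval-base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    "wso-login": re.compile(rb"\b(wsoLogin|WSOsetcookie)\s*\(", re.I),
    "md5-cookie-auth": re.compile(rb"\$_COOKIE\s*\[\s*md5\s*\(\s*\$_SERVER", re.I),
    "config-cred-copy": re.compile(rb"\$passsql\s*=\s*DB_PASSWORD", re.I),
}
SCAN_EXT = re.compile(r"\.(php\d?|phtml|inc|js|txt)$", re.I)

def scan_tree(root):
    """Return {relative_path: sorted indicator names} for files that match."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs are not followed
        for name in files:
            if not SCAN_EXT.search(name):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                data = Path(path).read_bytes()
            except OSError:
                hits[rel] = ["unreadable"]  # report instead of skipping silently
                continue
            found = sorted(k for k, rx in INDICATORS.items() if rx.search(data))
            if found:
                hits[rel] = found
    return hits

def build_sample_site(root):
    """Write a constructed sample tree: one clean file, two with the quoted strings."""
    samples = {
        "wp-includes/clean.php": b"<?php $x = base64_decode($y); // legitimate use\n",
        "wp-includes/Text/Diff/Engine/arch.php":
            b"<?php function wsoLogin() {} function WSOsetcookie($k, $v) {}\n",
        "wp-config.php": b"<?php eval ( base64_decode('AAAA'));\n$passsql = DB_PASSWORD;\n",
    }
    for rel, body in samples.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(body)

if __name__ == "__main__":
    for rel, found in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{rel}: {', '.join(found)}")
```

Run from a shell, it takes the web root as its only argument and prints one line per flagged file with the indicators that matched.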

Topic Closed

This topic has been closed to new replies.
