Support » Fixing WordPress » WordPress hacked with a strange file hidden in the includes folder

  • I recently found out that my site was hacked and went through various steps but it still kept adding eval(base64_decode( junk in my wp-config.php file. It also included ___DATADIRipconfig.bin and folders that kept being uploaded on a daily basis.

    Today I found this scary looking file after spending hours trying to clean my site from being hacked. The filename is arch.php and I’ve searched everywhere but couldn’t find what the purpose of the file was, so I of course deleted it but wanted to share this bit of info to anyone else who might be going through the same thing I went through.

    The file is located in: wp-includes/Text/Diff/Engine. It’s a rather large file and uses the zipfile_mod class to create files/directories with base64 characters. Below is a snippet of the code:

    function wsoLogin() {
    	die("<pre align=center><form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form></pre>");
    if(!empty($auth_pass)) {
        if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
            WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);
        if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
    function WSOsetcookie($k, $v) {
        $_COOKIE[$k] = $v;
        setcookie($k, $v);

    If it continues or if I find anything else, I’ll add more info.

Viewing 7 replies - 1 through 7 (of 7 total)
  • esmi


    Forum Moderator

    A fairly common event nowadays, particularly when a website has been left outdated version or plugin wise.

    Make sure to likewise change every password you can find, as well as complete updates on everything within your website account space.

    I’ve changed my passwords for both wordpress admin, MySQL, and FTP. I’ve also made a backup of my database and did a search for eval and base64 there. Nothing in the active plugin values either.

    I’ve also kept both wordpress and plugins up to date whenever possible. Unfortunately the wp-config.php got updated again even when I changed permissions to 440.

    Looking at the wp-config.php, they’ve added this in and removed much of the standard code. These people are relentless.

    /* Stop editing */
    $server = DB_HOST;
    $loginsql = DB_USER;
    $passsql = DB_PASSWORD;
    $base = DB_NAME;

    I’ll go through the links that I haven’t visited yet and see if there’s anything else I can add. Thanks for all your help so far.



    Forum Moderator

    Have you spoken to your hosts about this? They might be able to help you track down how the hacker is gaining entry.

    Good thinking, I’ve just sent them a message about this.

    I have this same shit going on… and lost all rankings because of it. I do not use wordpress though, but a custom php website, mostly static though.

    This one below is a php script that may help.
    It searches for a particular string inside yourfiles.
    Replace “base64_decode” wirh anything you want and it will search all your files for that string and it will show those that have it to you.

    This is one way to find if any of your files have been modified by a hacker.

    <html><head><title>Find String</title></head><body>
    ini_set('max_execution_time', '0');
    ini_set('set_time_limit', '0');
    function find_files($seed) {
      if(! is_dir($seed)) return false;
      $files = array();
      $dirs = array($seed);
      while(NULL !== ($dir = array_pop($dirs)))
          if($dh = opendir($dir))
              while( false !== ($file = readdir($dh)))
                  if($file == '.' || $file == '..') continue;
                  $path = $dir . '/' . $file;
                  if(is_dir($path)) {    $dirs[] = $path; }
                  else { if(preg_match('/^.*\.(php[\d]?|js|txt)$/i', $path)) { check_files($path); }}
    function check_files($this_file) {
       $str_to_find='base64_decode'; // the string(code/text) to search for
       if(!($content = file_get_contents($this_file))) { echo("<p>Could not check $this_file</p>\n"); }
       else { if(stristr($content, $str_to_find)) { echo("<p>$this_file -> contains $str_to_find</p>\n"); }}
Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘WordPress hacked with a strange file hidden in the includes folder’ is closed to new replies.