Help me interpret malicious code from hack?
I have WordFence installed and last night I received an email that said the following:
“This alert was generated by WordFence on “” at Tuesday 9th of April 2013 at 09:55:23 PM
A user with username “wp-system” who has administrator access signed in to your WordPress site. User IP: 184.168.152.218
User hostname: p3nlhg693.shr.prod.phx3.secureserver.net”
There has never been an administrator account named wp-system. I neutered the “admin” account immediately upon installing the site months ago. My username is unique and my password is very long and hard to guess. After getting the warning email from WordFence, I went to my site and noticed that the custom image for the header was gone. I tried to navigate to various pages on the site and they all generated 404 errors.
I logged in to my administrator account and noticed an extra file in the child theme called entry-meta.php
Here’s the code:
There was also an extra PHP file in the parent theme called Entry-nav.php. It had equally bad-looking code in it. I have a backup of everything and I’ll be able to restore the site. My question is, based on the info above, can anyone help me diagnose how they got in, and what that code does? Thanks ahead of time for your help. The site is here