• I looked at the WP-config.php file on a domain that was hacked fifteen months ago. It has about one hundred lines of hacker code. I renamed it since the site is dead. Where can I paste the code to have it interpreted? I visited a few forums dealing with hacked code but it was of no help. I’m really curious what they tried to do. I have another site or two to check.

Viewing 7 replies - 1 through 7 (of 7 total)
  • You can post it in https://pastebin.com/ if you like and then just link to it. Someone might see it and be able to comment on it. Best not to post any of the code here, however.

    Thread Starter SickSquirrel

    (@sicksquirrel)

    Thanks. I thought of doing that but feared giving wanna-be script kiddies a tool. Instead, can I do that but send the link in a private message? Might still be dangerous but I’ll check to see if they’ve posted here before.

    I really don’t think it’s that big an issue. Chances are pretty high that what you’ve got is an example of some already known exploit attempt. If you are going to paste the link here, put it between back-ticks: `https://pastebin.com/xxxxxx`

    Thread Starter SickSquirrel

    (@sicksquirrel)

    Thanks. Figured I’d err on the side of caution. I edited the config file to delete my domain and db info. I also noticed that the middle section has new code.

    https://pastebin.com/Ku05VwPy

    Thread Starter SickSquirrel

    (@sicksquirrel)

    My ticks were wrong. Could you please correct it? Thanks.

    There’s nothing there that’s going to hurt anyone by clicking on it. At first glance, it looks like there’s probably more than one method of obfuscation including some character substitution. Some of it seems to suggest an attempt to hide itself by turning off error reporting and then probably calling other functions from elsewhere. It’s probably not worth an all-out attempt to make it human readable. Just make sure the entire site and database have been cleaned (if it’s still in use) and that you implement as many security precautions as possible going forward. That should minimize the possibility of similar intrusions on any of your sites and servers. Chances are you have reviewed the info in these links before, but I’ll leave them here for a reference:

    In the event someone thinks they may have reason to suspect an intrusion, they should carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    • This reply was modified 8 years, 3 months ago by Clayton James.
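
A static triage pass for the traits the reply above describes (error reporting turned off, character substitution, calls routed through other functions), as an added example that is not part of the original thread. The regex rules, function names and both sample files are constructed assumptions; the script only reads the text and never executes the PHP.

```python
import re

# Heuristic rules, one per trait named in the reply. The patterns are this
# example's assumptions, not signatures taken from the pasted file.
RULES = {
    "error_suppression": re.compile(
        r"error_reporting\s*\(\s*0\s*\)|ini_set\s*\(\s*['\"]display_errors['\"]", re.I),
    "char_substitution": re.compile(
        r"(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){2,}|str_replace\s*\(|strtr\s*\("
        r"|(?:\\x[0-9a-f]{2}){4,}", re.I),
    "dynamic_call": re.compile(
        r"\$\w+\s*\(|\b(?:include|require)(?:_once)?\b\s*\(?\s*\$", re.I),
}

# Constructed sample: harmless lines that only imitate the traits.
SUSPECT = """<?php
@error_reporting(0); @ini_set('display_errors', 0);
$m = str_replace('#', '', 'st#rr#ev');
$n = chr(115).chr(116).chr(114).chr(108).chr(101).chr(110);
$out = $m($n('abc'));
@include $path;
define('DB_NAME', 'example_db');
"""

# Constructed sample: the kind of lines an untouched config contains.
CLEAN = """<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
require_once ABSPATH . 'wp-settings.php';
"""

def triage(php_source):
    """Map each rule to the line numbers it matches. Reads text only; never runs PHP."""
    hits = {name: [] for name in RULES}
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return hits

def is_suspicious(hits):
    """Flag a file when two or more different traits appear together."""
    return sum(1 for lines in hits.values() if lines) >= 2

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT), ("clean", CLEAN)):
        result = triage(text)
        print(label, result, "REVIEW" if is_suspicious(result) else "ok")
```

A hit is a pointer to lines worth reading, not a verdict: legitimate plugins also use `str_replace` and variable function calls, which is why the flag requires two different traits in the same file.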
    Thread Starter SickSquirrel

    (@sicksquirrel)

    Thanks. The sites load a blank page. The db of the largest site was fine. I have someone working on one but it’s been a month already.

  • The topic ‘Reading Hacker Code’ is closed to new replies.