• Resolved caracasa

    (@caracasa)


    Hi,
    I have a very strange problem with one of my wordpress installations:

    Everything works fine, with the exception of the “(new) post”-pages in the backend. Whenever I request the page, only a deformed html-page is delivered to the browser, starting with:

    <div class="clear"></div></div><!-- wpbody-content -->
    <div class="clear"></div></div><!-- wpbody -->
    <div class="clear"></div></div><!-- wpcontent -->
    </div><!-- wpwrap -->
    [...]
    </html>

    -> only the footer is delivered.

    This occurs neither at a second wordpress-installation on the same server nor when editing “wordpress-pages” – only post.php and post-new.php.

    I have not made any changes (wpfiles, plugins, themes, …) after the last post, that was successfully published (9 days ago).

    What could cause something like that and how could I start with debugging?
    There are no php-related errors and I am out of ideas.

    Thanks for your help,
    Christian

Viewing 10 replies - 1 through 10 (of 10 total)
  • Thread Starter caracasa

    (@caracasa)

    Okay, I fixed it by manually overwriting the wp-admin directory (ftp) – something I should have tried before asking for help here.

    I always autoupdate my installation in the backend and have not changed a bit since my last post, I swear. Very strange.

    I will change all passwords and keep an eye on the file-hashes.

    Solved. Thx.

    I too had this problem last week, and did the same by overwriting the wp-admin directory. Everything was fine, until tonight as I see that it has happened again. Passwords have been changed.

    Anybody have any ideas how this is occurring? Is it a bug, or something worse?

    Thanks in advance for any information.

    Yeah, this seems to be happening all over. I found it under another thread because someone thought it was related to 2.9.2. I had the same problem with my latest install, but just now I went to do a post on one of my old sites on 2.8.2 and I had the same problem. Worked fine last time I added a post.

    Nothing has been changed at all on my site. Very weird.

    Yes, very weird, as I just found that it has happened to me for the third time now.

    Thread Starter caracasa

    (@caracasa)

    It happened again and I have a snapshot of the wp-admin directory before and after the error:

    Output of du:

    3364	./wp-admin-old
    3380	./wp-admin-error

    These files have changed (I misused a local git-repository to check this):

    /edit-form-advanced.php
    /includes/class-wp-filesystem-check.php
    /includes/users.php

    What I see are huge variables that are used in eval(base64_decode("$d"));

    I will first review the content of the variable myself and then post the result of git diff.

    I have a bad feeling.

    Thread Starter caracasa

    (@caracasa)

    The content of the base64 encoded variables is full of cryptic variable/function names and other base64 encoded stuff.

    Here is the whole diff:

    https://nopaste.info/bdd40c2751.html

    Please tell me that is something harmless.

    Thread Starter caracasa

    (@caracasa)

    Oh no, hacked!

    This was encoded in class-wp-filesystem-check.php:

    $ar_access_ip[1] = array("17.39.39.43", "36.83.83.844", "10.10.844.51", "23.1405.93.19", "714.10.898.7", "10.25.83.7", "10.19.714.83", "425.17.23.51", "51.152.43.4", "425.425.898.39", "15.39");
    /*****************************************************************************
    
    ===================== ЗлОуУГУЪ·З·ЁУГН???Фм?ЙТ?ЗР?у№ыУл±?ИЛОЮ№Ш??====================
    
    ·????Л°ж±?КЗО?БЛ?НДо°?И?МмК№Фш?-μД?Ф?Н??
    
    ёРР?ДгГЗУлОТТ?Н?ЧЯ№э??Sniper\Super?¤Hei\kEvin1986\saiy\wofeiwo??
    
    ёРР?ЛщУРμДЕуУСГЗ??РЦμЬГЗ???аР?ДгГЗμД№ШРД?НЦ§?Ц??
    
    С?ФсФЪ1ФВ7ИХ·???КЗО?БЛ?НДоОТАПЖЕμДЙъИХ??Ф¤Ч?ОТФЪ±?ГьДкАп??ПМУг·-Йн??
    
    ====================== Чо?уФ¤Ч?°?И?МмК№μДГ?Т?О?ЕуУС·Й?ЖМЪ?п =======================
    
    Codz by angel(4ngel)
    
    Make in China
    
    Web: https://www.4ngel.net

    Shit.

    Thread Starter caracasa

    (@caracasa)

    Archive with the files mentioned above:
    https://www.caracasa.de/files/hacked_files.tar.bz2

    /edit-form-advanced.php
    /includes/class-wp-filesystem-check.php
    /includes/users.php

    Any ideas what to do next?

    Just a little FYI: while browsing my files on FTP a few minutes ago, I noticed that in the classic theme, prepackaged with WordPress, a file “archive.php” was added. This file was over 100kb in size, which was the first thing to look out of place. After checking a copy of the WordPress download on my PC, I also noticed that the classic theme did not come with an archive.php file. Inspecting the file, I found tons of code relating to what a previous post stated about eval(base64, etc. I’ve since deleted that file, as that is obviously one thing these hackers used to access my wp-admin and change the post-new.php files and such.

    I hope this helps.

    Thread Starter caracasa

    (@caracasa)

    It is even worse:

    find ./ -iname "*.php" -print0 | xargs -0 grep -H -n "eval(base64_decode"

    Output:

    ./htdocs/ucara/wp-admin/edit-form-advanced.php:6:eval(base64_decode("$d"));
    ./htdocs/ucara/wp-admin/includes/users.php:6:eval(base64_decode("$d"));
    ./htdocs/ucara/wp-admin/includes/class-wp-filesystem-check.php:3:eval(base64_decode("$dd"));
    ./htdocs/ucara/wp-content/themes/classic/archive.php:3:eval(base64_decode("$dd"));
    ./htdocs/ucara/wp-includes/images/crystal/license.php:3:eval(base64_decode("$dd"));
    ./htdocs/ucara/wp-includes/common.php:3:eval(base64_decode("$dd"));
    ./htdocs/ucara/wp-includes/wp-vars.php:6:eval(base64_decode("$d"));
    ./htdocs/ucara/wp-includes/class-read.php:6:eval(base64_decode("$d"));

    I changed my PHP and MySQL version and overwrote the whole WP-Installation.
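
The find/grep check from the last post, extended into an added example (not part of the original thread): it compares a live tree against a clean copy of the same WordPress release, so it also reports added files such as the archive.php mentioned above and modified files, not only the eval(base64_decode lines. The function names `audit_wp` and `make_sample` and the sample trees are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a live WordPress tree against a clean reference copy.
# Usage: audit_wp LIVE_DIR CLEAN_DIR
# Prints one finding per line: "MODIFIED path", "ADDED path" or "EVAL path".
# Assumes file names contain no newlines.
audit_wp() {
    live=$1; clean=$2
    ( cd "$live" && find . -type f -iname '*.php' | LC_ALL=C sort ) |
    while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            echo "ADDED $f"            # not shipped in the reference copy
        elif ! cmp -s "$live/$f" "$clean/$f"; then
            echo "MODIFIED $f"         # content differs from the reference copy
        fi
        # The pattern seen in the thread, tolerant of extra whitespace.
        if grep -q -E 'eval[[:space:]]*\([[:space:]]*base64_decode' "$live/$f"; then
            echo "EVAL $f"
        fi
    done
}

# Constructed sample trees (not real WordPress files) to exercise the function.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/clean/wp-admin/includes" \
             "$d/live/wp-admin/includes" "$d/live/wp-includes"
    echo '<?php // stock users.php' > "$d/clean/wp-admin/includes/users.php"
    echo '<?php // stock post.php'  > "$d/clean/wp-admin/post.php"
    cp "$d/clean/wp-admin/post.php" "$d/live/wp-admin/post.php"
    # Modified core file carrying the eval line (placeholder payload).
    printf '%s\n' '<?php' '$d="CONSTRUCTED_PLACEHOLDER";' \
        'eval(base64_decode("$d"));' > "$d/live/wp-admin/includes/users.php"
    # File that does not exist in the reference copy at all.
    printf '%s\n' '<?php' 'eval(base64_decode("$dd"));' \
        > "$d/live/wp-includes/common.php"
    echo "$d"
}

# Demo run on the constructed sample.
sample=$(make_sample)
audit_wp "$sample/live" "$sample/clean"
rm -rf "$sample"
```

Run it against a reference copy unpacked from the official archive of the exact installed version; themes and plugins under wp-content will show up as ADDED unless the reference copy includes them too.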

  • The topic ‘Broken post.php / post-new.php’ is closed to new replies.