Header.php hacked. Need advice, have tried (seemingly) everything

Have you worked through this list?

How about moving to another host? The back door may be somewhere else on your server.

Thanks for the quick reply, esmi. Yep, I’ve worked through that particular list. And I too am wondering if it might be my host–has anyone else had a WordPress hack issue with GoDaddy?

I didn’t see it mentioned in the List that esmi pointed to. Or specifically in your list. So, I’ll mention it.

Have you looked at the FTP side of things? That would mean changing your FTP password. And any other FTP ID’s password that would have access to your site.

It would also mean doing an anti-malware scan on all personal computers that have an FTP client with any of the FTP ID/passwords for your site. And I don’t mean the free anti-malware products. Trend, Symantec/Norton, McAfee, and Sunbelt Software (VIPRE) all offer free scan tools and/or free 15 day versions of the real product that do an excellent job of completely checking out a machine.

Why? Because some malware exists that looks for the settings files of popular FTP clients and sends (to a hacker database on the Internet) the host name, ID and passwords for all sites stored in each FTP client’s settings files.

Hi, Adiant. I had that thought as well and so ran a McAfee scan last night. But alas, zero bad files on my system.

I’ll take that as good news, but still no hints as to where the problem lies.

Do you have any other stuff on your server? Other WP installs, forums? A wiki maybe? Anything at all?

When I was hacked, I thought I had cleaned everything….several times, but the problem came back. I am also on godaddy…..and they have access logs you can check out. So one time, after my header got spam inserted into it, I checked the timestamp of the header.php file, then checked my access logs for that exact time…..

I was able to track down 2 rogue php files that didn’t belong. One was buried about 4 folders deep in a zencart installation I had, and the other was in the 11/2008 uploads folder of a different WP install. But those files were both backdoors to my main WP install. After I deleted those files, and then changed all my passwords gain, I’ve never had a problem.

You’re definitely on to something, RVoodoo! The logs pointed me to an out-of-place wp-pass.php file in one of my uploads folders along with a clearly-suspicious topper.php file, and the logs indicated that wp-pass.php was a redirect to header.php.

They happened to be in the July ’09 upload subfolder, which is right around the time the hack started making itself known.

So I’ve deleted wp-pass.php and topper.php, and I’ll reset passwords.

Thanks all. Hopefully this finally does the trick!

Sweet! Hopefully you are all set now!

YES! Oh, man. I was going insane over this. I found the culprit in our access files:

(Oops, this is the text I wrote to Media Temple support. Ignore the first part.) Alright, just in case anyone else with a WordPress blog reports this kind of thing, tell them to look at their /log/ files, especially for values that begin with POST. I just found the culprit:

66.36.247.153 - - [25/Jan/2010:08:42:03 -0800] "POST /legalworkshop.org/wp-content/uploads/2009/03/fonction.php?f=/nfs/c04/h02/mnt/63589/domains/legalworkshop.org/html/wp-content/themes/legalworkshop/header.php HTTP/1.1" 200 107 "-" "-"

Two files were in /wp-content/uploads/2009/3 that didn’t belong there:

fonction.php (spelling was wonky)
wp-conf.php (spelling was also wonky)

So, I deleted those files and hopefully everything will be fine now. Thanks for the help everyone.

OK .. you all found the wp-pass.php .. BUT .. did you note that it was coming FROM another location on the server?

I’d been going nuts with this same problem and it was RVoodoo who alerted me to looking though the logs. I’d been going through lines and lines – was ready to quit when I realized I’d NOT searched the listing for the header.php file that was always being corrupted. BINGO!

The source of the wp-pass.php AND its companion file .. yes COMPANION FILE >> topper.php <<< was found to be coming from another WP installation – on the same server – in MY ACCOUNT.

Both files had been UPLOADED to the wp-content/uploads/[year][day] directory.

So, if you’ve found the wp-pass.php .. you still need to fine the topper.php file – most likely.

I’m going to be looking closely at the ‘infecting’ installation. If I find anything of interest. I will post here.

Also .. my host is – GoDaddy.com – and the server farm for this hosting is in Scottsdale, AZ.

BigSquareDot .. your ‘other’ funky spelling file, may be the 2nd file to find. But wouldn’t hurt to look for one called topper.php. I’ll be looking for your ‘funky spelling’ file, too.

This really SUCKS!

One way this could happen is by doing what I caught myself doing about 6 months ago: forgetting to delete the database and WordPress directory for an older version of WordPress.

Before that, I had a “large” collection of “vanilla” (fresh installs) WordPress installations, one of each past version. For testing problems I ran into.

By the way, if you ever decide you need to keep old versions of WordPress around “just in case”, you can safely disable them, have one up and running in a few minutes by downloading the entire folder to your hard drive using an FTP client, and deleting the folder on your web host. Just leave the database on the host, and upload the folder by FTP from your hard drive if you ever happen to need it. I eventually figured out that I never actually used mine, so have deleted them entirely.

Amended Comment — I needed to update the comment I made earlier, and point out a unique area of problem

I re-read the comments above and see that the files I mentioned earlier – were All – already discussed.

The KEY thing about the wp-pass.php file is that it’s IN THE WRONG PLACE, when it’s in the wp-contents/uploads location.

But there was one weird element that I did not find mentioned in the above comments – that I DID mention earlier.

In my case, the infected area was in a different WP installation (different folder) but, it was NOT affecting the ‘host’. The offending file was only affecting the WP installation’s header.php to which the threat was redirected.

A question: Did any of you – who had this problem – ever install the Featurific Plug-in?

I looked through all the other WP installations on that server and root and found nothing else.

Thanks …

Hi,

I’m the author of the Featurific for WordPress plugin. If there is a security vulnerability, I’d love to hear about it so we can get it fixed. With that said, there are no known vulnerabilities with the plugin.

Hope you can figure out what’s going on,
-Rich

I have many sites hosted on Godaddy and have had no problems. It seems that although you have installed WordPress and updated it, you have not taken the necessary measures in securing/hardening your site. Such as:

Uploading all files encrypted via FTPES on Godaddy (if you’re on Godaddy’s Northland server).

Removing or renaming your admin username to something hard to guess. And hardening your passwords for FTP, Database and all logins.

Protecting your logins , comments, database, wp-config.php, and files on your server. Plus, remove the road map for hackers so they can’t see everything you have.

There are many plugins that can help you do these things, and you can also add various code to your theme’s functions.php and through .htaccess. Without closing the vulnerabilities, you are open for hacker attempts.

i’ve cleaned up this mess for several people in the last year – guys, you’re barking up the wrong tree. don’t look outside for the vulnerability.

shared hosting environments mean other users on your server have access to your files, IF you have permissions set for them to have read or write access to them.

every wordpress install has folders that are *usually* writable by users other than the owner, like “uploads.” also, that folder is accessible from the internet side of things too. this is how they get in.

another user on your shared web host knows that your domain is hosted on that server. they know you’re running wordpress. they know the subdirectory that your host creates (usually ~/example.com/ ) and they know the common folder structure for wordpress.

they make a file with a familiar name, like “wp-pass.php” and try to copy it through the filesystem to your uploads directory (double check your permissions – most people make the uploads directory writable by everybody in order to allow the web server user to write to it. this is bad.)

if the copy is successful – then they hit that file via the web side – and bang! they’re executing php code on YOUR install now. they can do anything they want.

check the file creator of the wp-pass.php file (or any other suspicious files you find in your writeable directories) i 99.9% guarantee the file owner is not YOU, but rather the other nefarious user on your shared hosting server (or, whomever hacked their shell account).

then take a screenshot of that file listing and send it to your hosting provider – explaining to them that another user is writing files to your directories and hacking your websites.

oh, and fix your file and folder permissions. ??

Something similar happened to one of my client’s sites. (The links were in the footer, but the rest of your story sounds the same.) I quickly located the extraneous files, but couldn’t figure out how they were being injected into the footer — until I looked at the .htaccess file. The hacker had taken advantage of the writable file to add auto_prepend_file and auto_append_file PHP directives.

Long story short: once you’ve set your permalink structure, adjust the permissions on your .htaccess file so WordPress can’t write to it. (Or any other apps. In that case, the culprit was an outdated version of PHPlist running alongside WordPress.)