header.php was hacked

Hi,

I have the same problem, with the same code, on multiple websites (all my server is infected, the files named index.php, header.php, footer.php, login.php, page.php…).
If I delete the code, it works, but I’m note sure that is the correct solution.

Exactly the same problem. WordPress 3.7.1.

Regards,

You need to go through all of these resources – simply removing the code is not sufficient:

https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:
https://sitecheck.sucuri.net/scanner/
https://www.unmaskparasites.com/
https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

WPyogi,

Thanks for your tips. I’m aware of almost all the suggestions and of course I have backup files before the hack. BTW, it will be useless to restore them if I do not find first how the server was hacked.

Apart from WP 3.7.1, I use on the same server Drupal 6.28 and maybe that is the problem since there is high risk security patch to 6.29.

Any feedback from asefrin and jeanseinomarin will be highly appreciated.

Regards,

It is not a Drupal or WP security problem. We run a server only with custom CMSs and this morning in almost all index.php files the same code was added. The attacker (I guess it was automated, because it happened very quickly) logged in FTP, downloaded the index.php file and uploaded the “patched” one. And this was repeated very quickly for all the sites from the server.

We suspect that there is a virus/trojan that infects Win machines and collect saved FTP passwords. I have no other explanation so far. Check your FTP logs and see if there are suspicious FTP logins. Also, change the FTP passwords ASAP.

You can also try to search in Google for parts of this code. When I first searched – there was only 1 match – this thread. Now there are several pages of infected web-sites.

BR

@veselin: I think as well, that the attack is by FTP because the header.php file was immedeatly replaced by a new one and after the sixth time the variables $wp_axd4 was changed.
Now the file is clean but I still have no access to WP.

WP should be save because there are plugins for antivirus and login attemps are installed. The antivirus gave me the hint, where I have to look.

@iozuniga: There is only a wp installation on the server, no Drupal.

The problems started yesterday night, I tried to update nggallery to the newest version. After 10min my website was back, the plugin wasn’t updated. This morning the update of the plugin finished without an error. But after that the website seems to work but without the plugin and no access to ‘website\wp-admin’.

@wpyogi: I’ve gone through most of the resources but couldn’t find how the server was hacked.

I’ve my dashboard back!

I’m not sure if it is just a stupid incident but before my antivirus gave me the hint I tried to installed the latest version of nggallery. The update went wrong twice but this morning the installation finished without a problem. But I got a white screen instead of the wp Dashboard, when I left the plugin page.

I still thought that the hacked header file causes that.
So I just installed the complete theme again, no change. I repaired and optimized the wp installation, no change. I started to install wp again and before that I had to deactivate my plugins. Without dashboard I had to rename the plugin folder. Before deleting all wp files I just gave it a second try and my website was back. After reactivating the plugins one by one, I found out that nggallery causes the problem.

I told NextGEN Gallery about my problems (WSOD) and after different actions here’s the solution:

I had to change the PHP limits.
PHP Memory Limit : 128
PHP Max Upload Size : 32M
PHP Max Post Size : 32M

Its working fine now.

By the way… The support by Photocrati was great.