• Resolved rjharris

    (@rjharris)


    I am webmaster for a local school’s website. About a year ago, a WordPress 2.x install of our site was hacked, with the usual spam links, etc. embedded in the source code.
    We rebuilt the site from scratch using all the new WordPress security measures, plus additional measures.

    The new site was launched at the beginning of this year. We have kept up to date with WordPress security measures, plus others such as limiting login attempts.

    Today, there is now again a problem with hacking. The source code is clean but the behavior is odd. When you are on a page or post, and then click again on the link to that same page, it loads a spam page, with the same URL as the original page.

    When the site appears in Google Search, the description and content are from the spam page although the link correctly points to the new clean site.

    I am looking through php files for malicious code, but if anyone can help me figure this out, I’d much appreciate it.

    It’s especially disappointing since we have done all we could to prevent another instance of hacking. Is it time to switch to TypePad?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Is it time to switch to TypePad?

    Why? The hacker’s backdoor could be anywhere on the server and may have nothing to do with WordPress. The links below contain valuable information on cleaning up your site after a hack:

    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
    https://www.ads-software.com/support/topic/268083#post-1065779
    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    https://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/

    Thread Starter rjharris

    (@rjharris)

    Sorry about the TP mention. Just my frustration showing. I’ve always greatly appreciated the support here and elsewhere for WP.

    I’m really trying to track down the source code of the hack, a rifleshot approach, rather than shotgun. The site is heavily customized, so a complete cleanup is days of work. I was hoping the odd behavior viz. the pages might help pinpoint the problem. The odd behavior does not occur when I switch the theme to Twentyten, so I assume the problem is in the theme files. I looked through all the plugin files, functions.php, header.php, single.php… but no luck.

    I’d appreciate any additional suggestions.

    Since the hack was last year, it would seem to suggest that the attack might have been targeted at theme files. That would explain why the more recent TwentyTen install is clean. Have you checked the theme’s image files?

    Thread Starter rjharris

    (@rjharris)

    There don’t appear to be any suspect images that shouldn’t be there. How is code hidden in the images? Is it just a text file with an image filename (such as jpg, gif, etc.)?

    Thread Starter rjharris

    (@rjharris)

    Okay so I figured a big part of this out.

    I ran a security scan using the WordPress Exploit Scanner plugin. It alerted me to several files with base64 decode and encode script.

    In this instance the hacker had hidden two files inside an image directory called arrows. One file, main.php, called the home.css file that created the colchicine spam page. When I deleted the arrows directory, the home page showed in a server warning at the top of the page indicating that main.php could not be found.

    I then discovered that header.php had been hacked with a snippet of php code before the document declaration (right at the top of the page). Deleting that line fixed the server error.

    In a way that was the easy part. Now I am trying to figure out where else my account was hacked (it’s not limited just to this website) and where the back door vulnerabilities are.

    https://www.rvoodoo.com/2010/02/the-dreaded-base64-wordpress-hack-and-other-hacks-too/

    This is my writeup on exactly your situation, it seems, and what I did. This hack has nothing to do with WP, it is definitely on your server end. It truly sucks, because every .php file can be infected.

    Hopefully something I wrote helps. I was hacked a few times in a row, but I’ve been secure since thoroughly cleaning. (And getting rid of some less secure software for forums and stuff I had been experimenting with)
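
Added example, not part of any post in this thread: a Python sketch that checks a theme directory for the three artefacts the thread starter reports (a PHP file in an image directory, PHP inside a static file such as home.css, and a loader call ahead of the document declaration in a template). The function names, the sample tree and its harmless stand-in contents are constructed for illustration, and the checks are heuristics rather than the Exploit Scanner plugin's logic.

```python
import os, re, tempfile
from pathlib import Path

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico"}
STATIC_EXT = IMAGE_EXT | {".css", ".js", ".txt"}
ENCODED = re.compile(rb"base64_(de|en)code|gzinflate|eval\s*\(", re.I)
LOADER = re.compile(rb"\b(include|require)(_once)?\b|eval\s*\(|base64_decode", re.I)

def scan_theme(root):
    """Return sorted (relative_path, reason) findings; heuristics, expect false positives."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exts = [Path(f).suffix.lower() for f in files]
        # "Image directory": images outnumber PHP files (a theme root with one screenshot is not).
        image_dir = sum(e in IMAGE_EXT for e in exts) > exts.count(".php")
        for name, ext in zip(files, exts):
            path = Path(dirpath, name)
            rel, data = path.relative_to(root).as_posix(), path.read_bytes()
            if ext in STATIC_EXT and b"<?php" in data.lower():
                findings.append((rel, "php-in-static-file"))
            if ext != ".php":
                continue
            if image_dir:
                findings.append((rel, "php-in-image-dir"))
            if ENCODED.search(data):
                findings.append((rel, "encode-decode-call"))
            # Code ahead of the doctype is normal in themes; flag only loader-like calls there.
            parts = re.split(rb"(?i)<!doctype", data, maxsplit=1)
            if len(parts) == 2 and LOADER.search(parts[0]):
                findings.append((rel, "loader-before-doctype"))
    return sorted(findings)

# Constructed sample theme (not the poster's files), with harmless stand-in contents.
SAMPLE = {
    "screenshot.png": b"\x89PNG constructed",
    "header.php": b"<?php include 'images/arrows/main.php'; ?><!DOCTYPE html><html>",
    "images/arrows/left.gif": b"GIF89a constructed",
    "images/arrows/right.gif": b"GIF89a constructed",
    "images/arrows/main.php": b"<?php echo base64_decode('c3BhbQ=='); ?>",
    "images/arrows/home.css": b"<?php echo 'spam page'; ?>",
}

def scan_sample():
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            (p := Path(root, rel)).parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
        return scan_theme(root)

if __name__ == "__main__": print(*scan_sample(), sep="\n")
```

Every hit needs a manual look: legitimate plugins also call base64 functions, and a clean scan of one theme says nothing about other PHP files on the same account.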

  • The topic ‘New WP hack shows odd behavior’ is closed to new replies.