Weird Code In File

They tried to pass in code to your options.php file that exists inside of one of the WordPress folders. When you clean this hack it is important to remember that these people must have had access to your server to begin with.

There is no file called uploads.php in wp-content of a non-hacked site.. for sure delete that file.

Hope this helps.

Hm, really?? Thanks. Several other files are simply <?php

I’m seeing a root folder under the main directory of WordPress. I don’t remember that being there. The files seem to be usual WordPress files but I’m suspicious.

What did the code do? The sites weren’t accessed again afaik but some files don’t ring a bell.

The above snippet of code doesn’t say what the code is used for, it just translates to “open options.php and pass in some data, then save”.

It will be worth talking to your hosting providers about that root folder in case it’s something they put in.

You need to start working your way through these resources:

• https://codex.www.ads-software.com/FAQ_My_site_was_hacked
• https://www.ads-software.com/support/topic/268083#post-1065779
• https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
• https://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:

• https://sitecheck.sucuri.net/scanner/
• https://www.unmaskparasites.com/
• https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

Yah, start working your way through the resources @anevins provided.. There should be no root directory under the main wp directory.. If you have more questions as you work your way through those resources don’t hesitate to return here and ask them! We are happy to help guide you in the right direction!

Thanks. The hack was fifteen months ago. I have someone working on them now. Rather than clean files, I suggested he save all under a new folder, install fresh, then scour the db and restore it. Only a few had posts.

Under license.txt I saw this:

signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice

April Fools Day by tycoon who in charge of vice.

It also mentions b2 is copyright tidakada.com. And, WordPress – Web publishing software

Copyright 2011-2016 by the contributors

Seems like they hacked quite a few files for fun. This is one site only. Index.php is <?php

Oh the root folder… it’s from the hacker. Under /Lang is en and ru. The only files there deal with phpbb_keycaptcha. This is a WordPress site only. Now I’m wondering if an exploit was uncovered in phpbb and somehow the keycaptcha script exploits it in WordPress

Under root is styles. Subsilver2 has captcha_keycaptcha.html

<!– IF S_KEYCAPTCHA_AVAILABLE –>
<tr>
<th colspan=”2″ valign=”middle”>{L_KEYCAPTCHA_TASK_HEADER}</th>
</tr>
<tr>
<td class=”row1″ width = “50%”><b class=”genmed”>{L_KEYCAPTCHA_TASK_HEADER}:</b><br /><span class=”gensmall”>{L_KEYCAPTCHA_TASK_EXPLAIN}</span></td>
<td class=”row2″>
{KEYCAPTCHA_CODE}
<input type=”hidden” name=”kc_response_field” id=”kc_response_field” value=”false” />
<noscript>
{L_KEYCAPTCHA_MESSAGE_NOSCRIPT}
</noscript>
</td>
</tr>
<!– ELSE –>
{L_KEYCAPTCHA_MESSAGE_NA}
<!– ENDIF –>

Things that make you go hmmmmm

@sicksquirrel

No one ever reads EULAs or licenses or attributions. I understand you’re chasing an old hack (I think you should just eradicate it, implement secure measures and move on), but you can probably find “signature of Ty Coon>, 1 April 1989 Ty Coon, President of Vice” in every license.txt file in the WordPress default package. You may also find references to a “James (Random) Hacker”.

wordpress/license.txt
/wp-content/plugins/akismet/LICENSE.txt
/wp-content/themes/twentyfifteen/genericons/LICENSE.txt
/wp-content/themes/twentysixteen/genericons/LICENSE.txt
wordpress/wp-includes/js/plupload/license.txt
wordpress/wp-includes/js/tinymce/license.txt

captcha_keycaptcha.html

That issue may be relative to an exploit in (or just an installation of) an old unsupported version of a KeyCAPTCHA plugin.

I have absolutely no doubt that the site was hacked, and I’m definitely not trying to minimize how disconcerting that is when it happens, I just see no benefit in beating yourself up to trying to answer the who/why issues, other than it was due to insecure versions of server software, plugins, themes or poor/shared server administrations issues.

[edit] – almost forgot – “b2 is (c) 2001, 2002 Michel Valdrighi – [email protected]” is legit. I’m thinking b2 is an ancestor of WordPress. https://codex.www.ads-software.com/History https://www.ads-software.com/about/

• This reply was modified 7 years, 11 months ago by Clayton James.
• This reply was modified 7 years, 11 months ago by Clayton James. Reason: I didn't speel some stuff so goodly - lol
• This reply was modified 7 years, 11 months ago by Clayton James.
• This reply was modified 7 years, 11 months ago by Clayton James.

@sicksquirrel, rebuilding from scratch is always best in my opinion. Glad you’re able to do that with your site. That’s not always a viable option. Look into security plugins after it’s rebuilt. wordfence is the most common but there are others available. Also consider looking at Protect WP-Admin or will house the dashboard URL with a custom URL of your choosing.

WPS hide login is another good plugin to help you secure your site.

Thanks. I had two security plugins, one being WordFence. I can’t remember the other right now. I’ll check hide login after I post.

I asked my fixer to just save all then install fresh and restore db. Haven’t checked email yet but I can help a little.

On one site the /root file had just .de as a language. Another just .ru. I was hacked as the code they placed says so. Those </? Php and //Silence is Golden didn’t walk into my site ??

Those </? Php and //Silence is Golden didn’t walk into my site ??

I can’t tell for sure from how you phrased your comment if you’re concerned about that file(s) or not, but to help keep you from chasing false positives: The index.php files that contain – <?php // Silence is golden. – are part of WordPress. If there is anything else in them, then it’s reason for concern, but those are expected to be there.

You can normally find them in the /wp-content, /themes, /plugins directories. They are put there intentionally to prevent casual browsing of those directories in the event that the server configuration doesn’t obey the “Options -Indexes” directive.

Example: https://core.trac.www.ads-software.com/browser/branches/4.7/src/wp-content/index.php

[edit] “I asked my fixer to just save all then install fresh and restore db“

You also need to make sure that database is clean, otherwise you could also be reinstalling part of the original hack.

• This reply was modified 7 years, 11 months ago by Clayton James.
• This reply was modified 7 years, 11 months ago by Clayton James.

Thanks, guys. I was perusing an error log last night. Every time someone visits the hacked site, it gives four errors. I’m thinking that means the login or index page is coded to do something it’s not supposed to do.

I can’t copy from the iPad on these logs. Tomorrow I’ll get on my Windows laptop and see if I can grab the four errors. Maybe, probably, you’ll be able to tell me which file(s) to fix.

Even though we may be able to tell which files to fix from the errors… it is still always best to start fresh if that is a feasible option!

Looking forward to your message with the errors!