Is this Malicious Code? – Found in Themes Index.php

paul79uf
(@paul79uf)

12 years, 3 months ago

Hi, I had my outdated version of WordPress exploited and used to send out 100’s of spam emails. My host (1and1.com) notified me of the problem.

I took the following steps.

1. backed up the blog, database, etc
2. deleted the blog from my server
3. uploaded fresh WP 3.8.1 files
4. uploaded a clean version of my theme from the official site
5. set everything back up and installed WordFence

So far everything seems to be normal and the WordFence scan says that my site is clean.

I looked through the old backup files that I downloaded and found a large block of “code” at the top of the themes/index.php and themes/theme-name/index.php

If I deleted everything, re-installed all clean files and WordFence says I’m clean, am I really in the clear?

Thanks for your help!

_________________Here’s the code I found in the themes/index.php_____
[ malware code deleted, please do not post that here ]

Viewing 5 replies - 1 through 5 (of 5 total)

Senff – a11n
(@senff)

12 years, 3 months ago

That’s definitely malicious code. You need to take a bunch of steps to make sure you’re in the clear: http://codex.ww.wp.xz.cn/FAQ_My_site_was_hacked

Thread Starter paul79uf
(@paul79uf)

12 years, 3 months ago

Thanks for the quick reply.

I’ve done most of the steps on that page.

1. scanned computer with malware bytes and ms security essentials – clean
2. changed all of my ftp/1and1 login/wordpress/mysql passwords
3. changed the wp secret keys multiple times
4. checked .htaccess files in all my sites/blogs – clean
5. deleted everything / restored with fresh wp files
6. ran WordFence multiple times
7. manually checked new files for any malicious code

So far it seems like I got rid of the hack/exploit by deleting everything and upgrading to the latest versions.

I should probably ask 1and1 if they see any more email coming from my site(s). Not sure how to check that in the web control panel.

I don’t have any contact forms or newsletters so they should not be sending any email.

The only thing I’m worried about is if the mysql database is still infected with malicious code. But I imagine WordFence scans that.

I also did the sucuri.net site check and everything came back clean.

Thanks again. I will keep checking this thread if anyone else has any other suggestions.

Moderator Jan Dembowski
(@jdembowski)

Forum Moderator and Brute Squad

12 years, 3 months ago

paul79uf Please do not post malware code here.

It looks like you are on the right track but give these a read.

http://codex.ww.wp.xz.cn/FAQ_My_site_was_hacked
http://ww.wp.xz.cn/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:
Hardening WordPress
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

Thread Starter paul79uf
(@paul79uf)

12 years, 3 months ago

Sorry about that Jan. I wasn’t sure what that code was. Thanks for deleting it.

I just checked my server logs and found the entries below in the mail.log, which was last modified a few hours ago.

I’m hoping that I stopped the spam emails (a few hundred per day) since there are no new entries in the mail log since I deleted all the blog files and uploaded clean versions earlier today.

Here’s a small sample of the entries in my mail log (with my site info IPs and email addresses changed) –

_______________________
2014-03-10 08:17:03 u39521873 3oyyji-1XIeFh2A3W-014o7Q |< REMOTE=78.108.64.44 SCRIPT=/mysitename.com/blog/index.php — /usr/sbin/sendmail -t -i -f [email protected]
2014-03-10 08:17:03 u39521873 3oyyji-1XIeFh2A3W-014o7Q <= [email protected] SZ=1135 D=0 SID=149441682
2014-03-10 08:17:04 u39521873 3oyyji-1XIeFh2A3W-014o7Q => [email protected] msmtp.perfora.net[172.18.143.3] 250 Message 0LdYAk-1X5MZ32l86-00i3eP accepted by mrus0.perfora.net
2014-03-10 08:17:11 u39521874 3oQkJV-1Wil8A3gBt-00VCV0 |< REMOTE=89.18.64.212
______________________________

Does anyone know of an easy way to scan the mysql database for malicious code?

Thread Starter paul79uf
(@paul79uf)

12 years, 3 months ago

I thought I would come back and give some closure to this thread.

I followed all the steps at the “how to completely clean…” link and the spam emails being sent from my WordPress blog have stopped.

Here’s the link Jan posted again –
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Is this Malicious Code? – Found in Themes Index.php’ is closed to new replies.

Is this Malicious Code? – Found in Themes Index.php

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics