Thanks esmi
I was just coming back to update my post with a little more information…
I have already:
Visited both http://sitecheck.sucuri.net/scanner/
and http://www.unmaskparasites.com/. Both show the site and pages as clean
confirmed HTAccess files are all clean.
I will continue to search, read, apply and report back.
It seems though that none of the posts I can find are specific to the script appearing from within the wp_head()… most talk about base64_decode PHP, iframes, and code injected straight into the header/footer.php files. This is different… it's being generated somewhere deeper in the WP files.
A complete reinstall might be the only way to fix… the source… I may never know.
@screenname, Would really appreciate it if you would post the malicious code sample to pastebin or maybe just take a quick look at this post on Stopbadware
https://badwarebusters.org/main/itemview/29055#itemblock-29059
and post back if the code is the same or at least similar.
Hi Redleg-too
The offending script code on my site is almost identical to the one on your post at https://badwarebusters.org/main/itemview/29055#itemblock-29059
The bulk of the code is identical. Only the second half of the first param val/var (“en0no3mno3nia-sno3ndpno3rxrpno3rxen0d”) is different.
I’ve pasted a copy to Pastebin for further review http://pastebin.com/JUVgBW5P
I’ve also completed a base64_decode search of all files; below are the results. Only 3 files in my domain folder (and subfolders) contain the base64_decode line.
Only 3 files returned a match.
The first two look legit… however the third (class-simplepie) I need to check against a fresh install of WP to confirm this file and all contents are delivered with the WP install.
[Code moderated as per the Forum Rules. The maximum number of lines of code that you can post in these forums is ten lines. Please use the pastebin]
Would you like a report of files containing “EVAL”
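Added example (not code from this thread or from WordPress): a small Python scanner that does the kind of base64_decode/eval search described in the post above over a WordPress tree. It reports file and line, decodes any base64 literal passed directly into base64_decode() to a printable preview (it never executes anything), and flags an unusual first line, which is where injected code is often prepended ahead of the file's own `<?php`. The call list and the 400-character first-line threshold are my own heuristics; core files such as wp-app.php and class-IXR.php legitimately call base64_decode, so every hit still needs a human look.

```python
import base64
import binascii
import re
import sys
from pathlib import Path

# Calls worth reviewing. Legitimate core files use some of these too, so the
# scanner reports context and leaves the decision to the reader. (Assumed list.)
SUSPECT_CALLS = re.compile(
    r"\b(base64_decode|eval|gzinflate|gzuncompress|str_rot13|assert)\s*\(",
    re.IGNORECASE,
)
# A quoted literal fed straight into base64_decode(...) can be decoded for a preview.
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]")
LONG_FIRST_LINE = 400  # assumed threshold: injected one-liners are usually far longer


def decode_preview(b64, limit=60):
    """Decode a base64 literal to a short printable preview; nothing is executed."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, binascii.Error):
        return "<not valid base64>"
    text = raw.decode("utf-8", errors="replace")
    return "".join(ch if ch.isprintable() else "." for ch in text)[:limit]


def scan_php_source(source):
    """Return a list of findings for one PHP file's text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        reasons = sorted({m.group(1).lower() for m in SUSPECT_CALLS.finditer(line)})
        # Prepended malware tends to produce a very long first line or a second
        # "<?php" on line 1, ahead of the file's real opening tag.
        if lineno == 1 and (len(line) > LONG_FIRST_LINE or line.count("<?php") > 1):
            reasons.append("suspicious first line")
        if not reasons:
            continue
        previews = [decode_preview(m.group(1)) for m in B64_LITERAL.finditer(line)]
        findings.append(
            {"line": lineno, "reasons": reasons,
             "snippet": line.strip()[:80], "previews": previews}
        )
    return findings


def scan_tree(root):
    """Map relative path -> findings for every .php file under root."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*.php")):
        try:
            source = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = scan_php_source(source)
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results


def report(results):
    """Print findings in the same condensed file/line shape used in the thread."""
    for rel, hits in results.items():
        print(f"* ./{rel}")
        for h in hits:
            print(f"  - line {h['line']}: {', '.join(h['reasons'])} :: {h['snippet']}")
            for p in h["previews"]:
                print(f"      decodes to: {p}")


if __name__ == "__main__":
    report(scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against the document root (`python scan.py /path/to/site`); the output lists each file once with one line per hit, so the list can be pasted into a forum post without the full code.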
@screenname, Thanks much for checking and confirming! There are 4-5 sites posting on Badware and 4-5 more on Google Forum and so far no one has been able to pin this one down. Would appreciate knowing the file names where you found the base64 stuff so I can pass them on in the other forums.
There are some online tools to decode base64 lines, I have one at http://redleg-redleg.com/base64/
To use it you have to select the type of encoding using the radio buttons at the top and then paste the long character string into the box. If it is able to decode anything it returns the output as an image so it is reasonably safe to use.
Ahh… looks like the moderator pulled my list of files…
Here it is again (condensed)
* ./wp-app.php (Filename)
  - long_text – base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'
  - long_text – base64_decode(substr($_SERVER['REDIRECT_REMOTE_USE
* ./wp-includes/class-IXR.php (Filename)
  - unknown – base64_decode( trim( $this->_currentTagContents
* ./wp-includes/class-simplepie.php (Filename)
  - unknown – base64_decode($data
I’ll check out the tool you have suggested.
I am encouraged that I am not the only one stumped by this issue… and that there will be a host of people looking to solve this issue very quickly.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
I am encouraged that I am not the only one stumped by this issue… and that there will be a host of people looking to solve this issue very quickly.
I’m glad that you’re encouraged, but the links that Esmi provided earlier really can get you out of this jam if you follow the advice there.
The specific files really are irrelevant; the important thing is that an attacker was able to get in and modify them. You need to find and close the door that they got in via.
Agreed, and many of those steps are already taken… and will be taken again once the source is found.
Found the malicious code. It’s in:
wp-includes/kses.php
very first line
Now how did it get there?
Would you mind posting the line you found?
@f0urfingeredfish, Would greatly appreciate it if you would post the code in pastebin!
OK, great, thanks. I’d done a search in my PHP files for the same script (and portions of) and nothing is returned… however…
If the location was the same for me (hidden in WP includes) then the upgrade on my server from an older version of WP to 3.2.2 would have overwritten the file, thus removing the virus.
I’ll need to resubmit to google and wait. Meanwhile I work on possible security issues that might have allowed the hacker access to the site.
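Added example (not from the thread or from WordPress): the check two of the posters describe, comparing the site's files against a fresh download of the same WordPress version (the poster's plan for class-simplepie.php, and what the 3.2.2 upgrade did implicitly for kses.php), done with SHA-256 manifests rather than by eye. It lists core files whose content differs, files present on the site but not in the clean copy, and files missing from the site. The ignore list is an assumption: wp-config.php and wp-content/ legitimately differ from a fresh download, so plugins and themes need the same comparison against their own clean copies.

```python
import hashlib
import sys
from pathlib import Path

# Assumed: paths that always differ between a live site and a fresh download of the
# same version; they need their own clean-copy comparison, not a diff against core.
DEFAULT_IGNORE = ("wp-config.php", "wp-content/")


def digest_bytes(data):
    """SHA-256 hex digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = digest_bytes(path.read_bytes())
    return manifest


def compare_manifests(clean, suspect, ignore=DEFAULT_IGNORE):
    """Compare two manifests; 'clean' is the fresh download, 'suspect' the live site."""
    ignore = tuple(ignore)

    def skip(rel):
        return rel.startswith(ignore)

    modified = sorted(r for r, h in suspect.items()
                      if r in clean and clean[r] != h and not skip(r))
    # Files the attacker dropped show up here (a web shell, a renamed copy of a core file).
    extra = sorted(r for r in suspect if r not in clean and not skip(r))
    missing = sorted(r for r in clean if r not in suspect and not skip(r))
    return {"modified": modified, "extra": extra, "missing": missing}


def compare_trees(clean_root, suspect_root):
    """Convenience wrapper: hash both directory trees and compare them."""
    return compare_manifests(build_manifest(clean_root), build_manifest(suspect_root))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: wpdiff.py <fresh-wordpress-dir> <site-docroot>")
    result = compare_trees(sys.argv[1], sys.argv[2])
    for kind in ("modified", "extra", "missing"):
        print(f"== {kind} ({len(result[kind])})")
        for rel in result[kind]:
            print(f"   {rel}")
```

Every "modified" core file is a candidate for the injected first line the thread found in wp-includes/kses.php; every "extra" file under a core directory deserves the same suspicion, since a clean install never puts anything there that is not in the download.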