Solved

Malware in wordpress admin file

Posted on 2011-03-10
12
1,360 Views
Last Modified: 2012-05-11
my site padies.com ad the associated blog are under malware attack - I have managed to clean up some of it but am at sea with some of the other code.......!
in Wordpress :
is it normal to have a php file in the js folder?
and is it normal to have one called revisions-js.php there

and is this code normal ? if not, what do I eliminate? or should I just delete the file entirely? :
 
<?php

if ( !defined( 'ABSPATH' ) )
	exit;

/** @ignore */
function dvortr( $str ) {
	return strtr(
		$str,
		'\',.pyfgcrl/=\\aoeuidhtns-;qjkxbmwvz"<>PYFGCRL?+|AOEUIDHTNS_:QJKXBMWVZ[]',
		'qwertyuiop[]\\asdfghjkl;\'zxcvbnm,./QWERTYUIOP{}|ASDFGHJKL:"ZXCVBNM<>?-='
	);
}

$j = esc_url( site_url( '/wp-includes/js/jquery/jquery.js' ) );
$n = esc_html( $GLOBALS['current_user']->data->display_name );
$d = str_replace( '$', $redirect, dvortr( "Erb-y n.y ydco dall.b aiacbv Wa ce]-irxajt- dp.u]-$-VIr XajtWzaVv" ) );

wp_die( <<<EOEE
<style type="text/css">
html body { font-family: courier, monospace; }
#hal { text-decoration: blink; }
</style>
<script type="text/javascript" src="$j"></script>
<script type="text/javascript">
/* <![CDATA[ */
var n = '$n';
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('6(4(){2 e=6(\\'#Q\\').v();2 i=\\'\\\\\\',.R/=\\\\\\\\S-;T"<>U?+|V:W[]X{}\\'.u(\\'\\');2 o=\\'Y[]\\\\\\\\Z;\\\\\\'10,./11{}|12:"13<>?-=14+\\'.u(\\'\\');2 5=4(s){r=\\'\\';6.15(s.u(\\'\\'),4(){2 t=16.D();2 c=6.17(t,i);r+=\\'\$\\'==t?n:(-1==c?t:o[c])});j r};2 a=[\\'O.E[18 e.y.19.1a\\',\\'1b 1c. 1d .1e.,1f 1g\\',\\'O.E e.1h 1i 8\\',\\'9\\',\\'0\\'];2 b=[\\'<1j. 1k \$1l\\',\\'1m. 1n 1o 1p\\',\\'1q, 1r. ,1s. 1t\\'];2 w=[];2 h=6(5(\\'#1u\\'));6(5(\\'1v\\')).1w(4(e){7(1x!==e.1y){j}7(x&&x.F){x.F();j G}1z.1A=6(5(\\'#1B\\')).1C(\\'1D\\');j G});2 k=4(){2 l=a.H();7(\\'I\\'==J l){7(m){2 c={};c[5(\\'1E\\')]=5(\\'1F\\');c[5(\\'1G\\')]=5(\\'1H..b\\');6(5(\\'1I 1J\\')).1K(c);p();h.v().1L({1M:1},z,\\'1N\\',4(){h.K()});d(m,L)}j}w=5(l).u(\\'\\');A()};2 A=4(){B=w.H();7(\\'I\\'==J B){7(m){h.M(5(\\'1O 1P\\'));d(k,C)}N{7(a.P){d(p,C);d(k,z)}N{d(4(){p();h.v()},C);d(4(){e.K()},L)}}j}h.M(B.D());d(A,1Q)};2 m=4(){a=b;m=1R;k()};p=4(){2 f=6(\\'p\\').1S(0);2 g=6.1T(f.q).1U();1V(2 g=f.q.P;g>0;g--){7(3==f.q[g-1].1W||\\'1X\\'==f.q[g-1].1Y.1Z()){f.20(f.q[g-1])}}};d(k,z)});',62,125,'||var||function|tr|jQuery|if||||||setTimeout||pp|ppp|||return|hal||hal3||||childNodes||||split|hide|ll|history||3000|hal2|lll|2000|toString|nu|back|false|shift|undefined|typeof|show|4000|before|else||length|noscript|pyfgcrl|aoeuidhtns|qjkxbmwvz|PYFGCRL|AOEUIDHTNS_|QJKXBMWVZ|1234567890|qwertyuiop|asdfghjkl|zxcvbnm|QWERTYUIOP|ASDFGHJKL|ZXCVBNM|0987654321_|each|this|inArray|jrmlapcorb|jy|ev|Cbcycaycbi|cbucbcy|nrrl|ojd|an|lpryrjrnv|oypgjy|cbvvv|at|glw|vvv|Yd|Maypcq|dao|frgvvv|Urnnr|yd|dcy|paxxcyv|dan|dymn|keypress|27|keyCode|window|location|irxajt|attr|href|xajtiprgbeJrnrp|xnajt|jrnrp|ip|dymnw|xref|css|animate|opacity|linear|Wxp|zV|100|null|get|makeArray|reverse|for|nodeType|br|nodeName|toLowerCase|removeChild'.split('|'),0,{}))
/* ]]> */
</script>
<span id="noscript">$d</span>
<blink id="hal">&#x258c;</blink>
EOEE
,
dvortr( 'Eabi.p!' )
);

Open in new window


thanks
0
Comment
Question by:elainem
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +3
12 Comments
 
LVL 27

Accepted Solution

by:
Lukasz Chmielewski earned 250 total points
ID: 35093696
1. Change your ftp and WP admin passwords immediately.
2. Backup your database and theme.
3. Install a clean wordpress copy and import the database
(you do not know how many files are corrupted - as well it might be the database)
0
 

Author Comment

by:elainem
ID: 35093793
sorry - didn't answer my question - though it is sound advise - i have changed the control panel password several times
i can't get into the wordpress admin section to change the password
i need to get rid of corrupted files
 please help me to identify them
thanks
0
 
LVL 27

Assisted Solution

by:Lukasz Chmielewski
Lukasz Chmielewski earned 250 total points
ID: 35093836
Well, this is not so simple as you would have to know what file and which section is changed.
My advice is that you should install new, clean wordpress just next to the existing one (with a different database) and compare the files from your existing installation to a new one. This seems to be the only way to determine which of them are bad and which sections should you delete.
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 
LVL 10

Assisted Solution

by:c_a_n_o_n
c_a_n_o_n earned 125 total points
ID: 35094336
Roads Roads is absolutely correct.  It may not have answered your question, however, those compromised files are likely your cause.  Immediately change your FTP password.  Backup your site as is. Use FTP to copy a fresh, ideential version of WordPress over your existing install overwriting all Wordpress files.  With the FTP connection, navigate to your plugins directory. move them to another folder so that they don't get activated when you attempt to login.  

If you still cannot login, your .htaccess file (if you have one) in the wp-admin file may have been altered.  Rename it temporarily.  Try again.

If you still cannot login, your database may have been compromised.  That is a whole different problem.

Start downloading replacement plugins.  Activate one by one.  For those that are customized, work with them last, but chances are your plugins are also compromised.
0
 

Author Comment

by:elainem
ID: 35094457
ok - between the first and most recent comment above, I managed to access the admin in wordpress - updated wordpress hoping the compromised files would be replaced - don't think it worked! I' try the to save the database and do as you suggest.

HOWEVER..........

our website is also infected with malware. I think I've managed to remove it - at least what I can identify - but I have some clever and very persistent hacker here! And yes, I have changed passwords - many times.
0
 
LVL 27

Expert Comment

by:Lukasz Chmielewski
ID: 35094724
Is this a remote hosting ?
0
 

Author Comment

by:elainem
ID: 35095002
the wordpress blog is hosted through our website which is hosted on an apache server (I think) with primus. I access the back end for the website and wordpress through cpanel.
0
 
LVL 31

Expert Comment

by:gwkg
ID: 35095812
0
 
LVL 31

Assisted Solution

by:gwkg
gwkg earned 125 total points
ID: 35095837
You can always check svn to see anything in the file has changed from the original

http://svn.automattic.com/wordpress/trunk/wp-admin/js/revisions-js.php
0
 
LVL 7

Expert Comment

by:rgranlund
ID: 35096061
Have you reached out to Wordpress and the Forum there?  There maybe a know risk.  Maybe after installation some files were left writable?
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 36508835
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Wordpress Horizontal Drop-Down Menu In this tutorial I will show you had to add a WordPress horizontal navigation menu to your theme. I have searched and searched for a good tutorial on creating a WordPress nav menu without adding a plug-in or us…
Do you think that WordPress is just for blogs?  Think again!  WordPress is really a fantastic all around platform that you can use to develop websites on.  Integrated into its basic functionality is the ability to create pages using your choice of a…
The purpose of this video is to demonstrate how to create a Printer Friendly PDF on a WordPress Page. This will be demonstrated using a Windows 8 PC. Tools Used are Photoshop, Awesome Screenshot” Google Chrome Extension, and SmallPDF.com Log…
The purpose of this video is to demonstrate how to automatically show related posts at the bottom of a blog post in WordPress. This will be demonstrated using a Windows 8 PC. Plugin “Yet Another Related Posts Plugin” will be used. Go to your…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question