Solved

Malware in wordpress admin file

Posted on 2011-03-10
Last Modified: 2012-05-11
My site padies.com and the associated blog are under malware attack - I have managed to clean up some of it but am at sea with some of the other code...!
In WordPress:
is it normal to have a php file in the js folder?
and is it normal to have one called revisions-js.php there?

And is this code normal? If not, what do I eliminate? Or should I just delete the file entirely?
 
<?php

if ( !defined( 'ABSPATH' ) )
	exit;

/** @ignore */
function dvortr( $str ) {
	return strtr(
		$str,
		'\',.pyfgcrl/=\\aoeuidhtns-;qjkxbmwvz"<>PYFGCRL?+|AOEUIDHTNS_:QJKXBMWVZ[]',
		'qwertyuiop[]\\asdfghjkl;\'zxcvbnm,./QWERTYUIOP{}|ASDFGHJKL:"ZXCVBNM<>?-='
	);
}

$j = esc_url( site_url( '/wp-includes/js/jquery/jquery.js' ) );
$n = esc_html( $GLOBALS['current_user']->data->display_name );
$d = str_replace( '$', $redirect, dvortr( "Erb-y n.y ydco dall.b aiacbv Wa ce]-irxajt- dp.u]-$-VIr XajtWzaVv" ) );

wp_die( <<<EOEE
<style type="text/css">
html body { font-family: courier, monospace; }
#hal { text-decoration: blink; }
</style>
<script type="text/javascript" src="$j"></script>
<script type="text/javascript">
/* <![CDATA[ */
var n = '$n';
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('6(4(){2 e=6(\\'#Q\\').v();2 i=\\'\\\\\\',.R/=\\\\\\\\S-;T"<>U?+|V:W[]X{}\\'.u(\\'\\');2 o=\\'Y[]\\\\\\\\Z;\\\\\\'10,./11{}|12:"13<>?-=14+\\'.u(\\'\\');2 5=4(s){r=\\'\\';6.15(s.u(\\'\\'),4(){2 t=16.D();2 c=6.17(t,i);r+=\\'\$\\'==t?n:(-1==c?t:o[c])});j r};2 a=[\\'O.E[18 e.y.19.1a\\',\\'1b 1c. 1d .1e.,1f 1g\\',\\'O.E e.1h 1i 8\\',\\'9\\',\\'0\\'];2 b=[\\'<1j. 1k \$1l\\',\\'1m. 1n 1o 1p\\',\\'1q, 1r. ,1s. 1t\\'];2 w=[];2 h=6(5(\\'#1u\\'));6(5(\\'1v\\')).1w(4(e){7(1x!==e.1y){j}7(x&&x.F){x.F();j G}1z.1A=6(5(\\'#1B\\')).1C(\\'1D\\');j G});2 k=4(){2 l=a.H();7(\\'I\\'==J l){7(m){2 c={};c[5(\\'1E\\')]=5(\\'1F\\');c[5(\\'1G\\')]=5(\\'1H..b\\');6(5(\\'1I 1J\\')).1K(c);p();h.v().1L({1M:1},z,\\'1N\\',4(){h.K()});d(m,L)}j}w=5(l).u(\\'\\');A()};2 A=4(){B=w.H();7(\\'I\\'==J B){7(m){h.M(5(\\'1O 1P\\'));d(k,C)}N{7(a.P){d(p,C);d(k,z)}N{d(4(){p();h.v()},C);d(4(){e.K()},L)}}j}h.M(B.D());d(A,1Q)};2 m=4(){a=b;m=1R;k()};p=4(){2 f=6(\\'p\\').1S(0);2 g=6.1T(f.q).1U();1V(2 
g=f.q.P;g>0;g--){7(3==f.q[g-1].1W||\\'1X\\'==f.q[g-1].1Y.1Z()){f.20(f.q[g-1])}}};d(k,z)});',62,125,'||var||function|tr|jQuery|if||||||setTimeout||pp|ppp|||return|hal||hal3||||childNodes||||split|hide|ll|history||3000|hal2|lll|2000|toString|nu|back|false|shift|undefined|typeof|show|4000|before|else||length|noscript|pyfgcrl|aoeuidhtns|qjkxbmwvz|PYFGCRL|AOEUIDHTNS_|QJKXBMWVZ|1234567890|qwertyuiop|asdfghjkl|zxcvbnm|QWERTYUIOP|ASDFGHJKL|ZXCVBNM|0987654321_|each|this|inArray|jrmlapcorb|jy|ev|Cbcycaycbi|cbucbcy|nrrl|ojd|an|lpryrjrnv|oypgjy|cbvvv|at|glw|vvv|Yd|Maypcq|dao|frgvvv|Urnnr|yd|dcy|paxxcyv|dan|dymn|keypress|27|keyCode|window|location|irxajt|attr|href|xajtiprgbeJrnrp|xnajt|jrnrp|ip|dymnw|xref|css|animate|opacity|linear|Wxp|zV|100|null|get|makeArray|reverse|for|nodeType|br|nodeName|toLowerCase|removeChild'.split('|'),0,{}))
/* ]]> */
</script>
<span id="noscript">$d</span>
<blink id="hal">&#x258c;</blink>
EOEE
,
dvortr( 'Eabi.p!' )
);



thanks
0
Question by:elainem
12 Comments
 
LVL 27

Accepted Solution

by:
Lukasz Chmielewski earned 250 total points
ID: 35093696
1. Change your ftp and WP admin passwords immediately.
2. Backup your database and theme.
3. Install a clean wordpress copy and import the database
(you do not know how many files are corrupted - as well it might be the database)
0
 

Author Comment

by:elainem
ID: 35093793
Sorry - didn't answer my question - though it is sound advice - I have changed the control panel password several times.
I can't get into the WordPress admin section to change the password.
I need to get rid of corrupted files.
Please help me to identify them.
thanks
0
 
LVL 27

Assisted Solution

by:Lukasz Chmielewski
Lukasz Chmielewski earned 250 total points
ID: 35093836
Well, this is not so simple, as you would have to know which file and which section were changed.
My advice is that you should install a new, clean WordPress right next to the existing one (with a different database) and compare the files from your existing installation to the new one. This seems to be the only way to determine which of them are bad and which sections you should delete.
0
 
LVL 10

Assisted Solution

by:c_a_n_o_n
c_a_n_o_n earned 125 total points
ID: 35094336
Roads Roads is absolutely correct. It may not have answered your question; however, those compromised files are likely your cause. Immediately change your FTP password. Backup your site as is. Use FTP to copy a fresh, identical version of WordPress over your existing install, overwriting all WordPress files. With the FTP connection, navigate to your plugins directory. Move them to another folder so that they don't get activated when you attempt to login.

If you still cannot login, your .htaccess file (if you have one) in the wp-admin file may have been altered.  Rename it temporarily.  Try again.

If you still cannot login, your database may have been compromised.  That is a whole different problem.

Start downloading replacement plugins.  Activate one by one.  For those that are customized, work with them last, but chances are your plugins are also compromised.
0
 

Author Comment

by:elainem
ID: 35094457
OK - between the first and most recent comment above, I managed to access the admin in WordPress - updated WordPress hoping the compromised files would be replaced - don't think it worked! I'll try to save the database and do as you suggest.

HOWEVER..........

Our website is also infected with malware. I think I've managed to remove it - at least what I can identify - but I have some clever and very persistent hacker here! And yes, I have changed passwords - many times.
0
 
LVL 27

Expert Comment

by:Lukasz Chmielewski
ID: 35094724
Is this remote hosting?
0
 

Author Comment

by:elainem
ID: 35095002
The WordPress blog is hosted through our website, which is hosted on an Apache server (I think) with Primus. I access the back end for the website and WordPress through cPanel.
0
 
LVL 31

Expert Comment

by:gwkg
ID: 35095812
0
 
LVL 31

Assisted Solution

by:gwkg
gwkg earned 125 total points
ID: 35095837
You can always check svn to see if anything in the file has changed from the original:

http://svn.automattic.com/wordpress/trunk/wp-admin/js/revisions-js.php
0
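Lukasz's advice to install a clean copy and compare it with the live install, and gwkg's pointer to the upstream copy of the file, both come down to a tree comparison. The script below is an added example, not code from the thread: it hashes every file under a pristine WordPress tree and under the live one, and reports files that only exist in the live site, files whose contents differ, and files that are missing. The sample trees and their contents are constructed in a temporary directory purely for illustration and are not real WordPress files.

```python
import hashlib
import os
import tempfile

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def _index(root):
    """Map relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = _sha256(full)
    return out

def compare_trees(clean_root, live_root):
    """Files present only in the live site, differing from the clean copy, or
    missing from it. 'added' (e.g. a .php file inside a js/ directory) and
    'modified' are what to inspect or replace; hashes ignore timestamps."""
    clean, live = _index(clean_root), _index(live_root)
    return {
        "added": sorted(p for p in live if p not in clean),
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "missing": sorted(p for p in clean if p not in live),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(data)

def demo():
    """Constructed sample trees (hypothetical contents, not real WordPress files):
    the live copy has one extra file, one altered file and one deleted file."""
    base = tempfile.mkdtemp()
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    for root in (clean, live):
        _write(root, "wp-admin/js/revisions-js.php", "<?php // shipped with core\n")
        _write(root, "wp-includes/js/jquery/jquery.js", "/* jquery */\n")
    _write(clean, "wp-config-sample.php", "<?php // sample\n")
    _write(live, "wp-includes/js/jquery/jquery.js", "/* jquery */ // altered\n")
    _write(live, "wp-includes/js/extra.php", "<?php // not in core\n")
    return compare_trees(clean, live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run compare_trees() against a freshly downloaded WordPress of the same version and the live document root; wp-config.php, uploads and third-party themes or plugins will always show as added, so compare those separately against their own pristine copies.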
 
LVL 7

Expert Comment

by:rgranlund
ID: 35096061
Have you reached out to WordPress and the forum there? There may be a known risk. Maybe after installation some files were left writable?
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 36508835
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
