Solved

Malware in wordpress admin file

Posted on 2011-03-10
12
1,347 Views
Last Modified: 2012-05-11
my site padies.com ad the associated blog are under malware attack - I have managed to clean up some of it but am at sea with some of the other code.......!
in Wordpress :
is it normal to have a php file in the js folder?
and is it normal to have one called revisions-js.php there

and is this code normal ? if not, what do I eliminate? or should I just delete the file entirely? :
 
<?php

if ( !defined( 'ABSPATH' ) )
	exit;

/** @ignore */
function dvortr( $str ) {
	return strtr(
		$str,
		'\',.pyfgcrl/=\\aoeuidhtns-;qjkxbmwvz"<>PYFGCRL?+|AOEUIDHTNS_:QJKXBMWVZ[]',
		'qwertyuiop[]\\asdfghjkl;\'zxcvbnm,./QWERTYUIOP{}|ASDFGHJKL:"ZXCVBNM<>?-='
	);
}

$j = esc_url( site_url( '/wp-includes/js/jquery/jquery.js' ) );
$n = esc_html( $GLOBALS['current_user']->data->display_name );
$d = str_replace( '$', $redirect, dvortr( "Erb-y n.y ydco dall.b aiacbv Wa ce]-irxajt- dp.u]-$-VIr XajtWzaVv" ) );

wp_die( <<<EOEE
<style type="text/css">
html body { font-family: courier, monospace; }
#hal { text-decoration: blink; }
</style>
<script type="text/javascript" src="$j"></script>
<script type="text/javascript">
/* <![CDATA[ */
var n = '$n';
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('6(4(){2 e=6(\\'#Q\\').v();2 i=\\'\\\\\\',.R/=\\\\\\\\S-;T"<>U?+|V:W[]X{}\\'.u(\\'\\');2 o=\\'Y[]\\\\\\\\Z;\\\\\\'10,./11{}|12:"13<>?-=14+\\'.u(\\'\\');2 5=4(s){r=\\'\\';6.15(s.u(\\'\\'),4(){2 t=16.D();2 c=6.17(t,i);r+=\\'\$\\'==t?n:(-1==c?t:o[c])});j r};2 a=[\\'O.E[18 e.y.19.1a\\',\\'1b 1c. 1d .1e.,1f 1g\\',\\'O.E e.1h 1i 8\\',\\'9\\',\\'0\\'];2 b=[\\'<1j. 1k \$1l\\',\\'1m. 1n 1o 1p\\',\\'1q, 1r. ,1s. 1t\\'];2 w=[];2 h=6(5(\\'#1u\\'));6(5(\\'1v\\')).1w(4(e){7(1x!==e.1y){j}7(x&&x.F){x.F();j G}1z.1A=6(5(\\'#1B\\')).1C(\\'1D\\');j G});2 k=4(){2 l=a.H();7(\\'I\\'==J l){7(m){2 c={};c[5(\\'1E\\')]=5(\\'1F\\');c[5(\\'1G\\')]=5(\\'1H..b\\');6(5(\\'1I 1J\\')).1K(c);p();h.v().1L({1M:1},z,\\'1N\\',4(){h.K()});d(m,L)}j}w=5(l).u(\\'\\');A()};2 A=4(){B=w.H();7(\\'I\\'==J B){7(m){h.M(5(\\'1O 1P\\'));d(k,C)}N{7(a.P){d(p,C);d(k,z)}N{d(4(){p();h.v()},C);d(4(){e.K()},L)}}j}h.M(B.D());d(A,1Q)};2 m=4(){a=b;m=1R;k()};p=4(){2 f=6(\\'p\\').1S(0);2 g=6.1T(f.q).1U();1V(2 g=f.q.P;g>0;g--){7(3==f.q[g-1].1W||\\'1X\\'==f.q[g-1].1Y.1Z()){f.20(f.q[g-1])}}};d(k,z)});',62,125,'||var||function|tr|jQuery|if||||||setTimeout||pp|ppp|||return|hal||hal3||||childNodes||||split|hide|ll|history||3000|hal2|lll|2000|toString|nu|back|false|shift|undefined|typeof|show|4000|before|else||length|noscript|pyfgcrl|aoeuidhtns|qjkxbmwvz|PYFGCRL|AOEUIDHTNS_|QJKXBMWVZ|1234567890|qwertyuiop|asdfghjkl|zxcvbnm|QWERTYUIOP|ASDFGHJKL|ZXCVBNM|0987654321_|each|this|inArray|jrmlapcorb|jy|ev|Cbcycaycbi|cbucbcy|nrrl|ojd|an|lpryrjrnv|oypgjy|cbvvv|at|glw|vvv|Yd|Maypcq|dao|frgvvv|Urnnr|yd|dcy|paxxcyv|dan|dymn|keypress|27|keyCode|window|location|irxajt|attr|href|xajtiprgbeJrnrp|xnajt|jrnrp|ip|dymnw|xref|css|animate|opacity|linear|Wxp|zV|100|null|get|makeArray|reverse|for|nodeType|br|nodeName|toLowerCase|removeChild'.split('|'),0,{}))
/* ]]> */
</script>
<span id="noscript">$d</span>
<blink id="hal">&#x258c;</blink>
EOEE
,
dvortr( 'Eabi.p!' )
);

Open in new window


thanks
0
Comment
Question by:elainem
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +3
12 Comments
 
LVL 27

Accepted Solution

by:
Lukasz Chmielewski earned 250 total points
ID: 35093696
1. Change your ftp and WP admin passwords immediately.
2. Backup your database and theme.
3. Install a clean wordpress copy and import the database
(you do not know how many files are corrupted - as well it might be the database)
0
 

Author Comment

by:elainem
ID: 35093793
sorry - didn't answer my question - though it is sound advise - i have changed the control panel password several times
i can't get into the wordpress admin section to change the password
i need to get rid of corrupted files
 please help me to identify them
thanks
0
 
LVL 27

Assisted Solution

by:Lukasz Chmielewski
Lukasz Chmielewski earned 250 total points
ID: 35093836
Well, this is not so simple as you would have to know what file and which section is changed.
My advice is that you should install new, clean wordpress just next to the existing one (with a different database) and compare the files from your existing installation to a new one. This seems to be the only way to determine which of them are bad and which sections should you delete.
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 10

Assisted Solution

by:c_a_n_o_n
c_a_n_o_n earned 125 total points
ID: 35094336
Roads Roads is absolutely correct.  It may not have answered your question, however, those compromised files are likely your cause.  Immediately change your FTP password.  Backup your site as is. Use FTP to copy a fresh, ideential version of WordPress over your existing install overwriting all Wordpress files.  With the FTP connection, navigate to your plugins directory. move them to another folder so that they don't get activated when you attempt to login.  

If you still cannot login, your .htaccess file (if you have one) in the wp-admin file may have been altered.  Rename it temporarily.  Try again.

If you still cannot login, your database may have been compromised.  That is a whole different problem.

Start downloading replacement plugins.  Activate one by one.  For those that are customized, work with them last, but chances are your plugins are also compromised.
0
 

Author Comment

by:elainem
ID: 35094457
ok - between the first and most recent comment above, I managed to access the admin in wordpress - updated wordpress hoping the compromised files would be replaced - don't think it worked! I' try the to save the database and do as you suggest.

HOWEVER..........

our website is also infected with malware. I think I've managed to remove it - at least what I can identify - but I have some clever and very persistent hacker here! And yes, I have changed passwords - many times.
0
 
LVL 27

Expert Comment

by:Lukasz Chmielewski
ID: 35094724
Is this a remote hosting ?
0
 

Author Comment

by:elainem
ID: 35095002
the wordpress blog is hosted through our website which is hosted on an apache server (I think) with primus. I access the back end for the website and wordpress through cpanel.
0
 
LVL 31

Expert Comment

by:gwkg
ID: 35095812
0
 
LVL 31

Assisted Solution

by:gwkg
gwkg earned 125 total points
ID: 35095837
You can always check svn to see anything in the file has changed from the original

http://svn.automattic.com/wordpress/trunk/wp-admin/js/revisions-js.php
0
 
LVL 7

Expert Comment

by:rgranlund
ID: 35096061
Have you reached out to Wordpress and the Forum there?  There maybe a know risk.  Maybe after installation some files were left writable?
0
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 36508835
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Now that you've installed WordPress 2.9 (http://www.experts-exchange.com/articles/Web_Development/Blogs/WordPress/WordPress-2-9-What-to-Expect-When-Upgrading-to-WordPress-2-9.html?) on your site, you need to install some plugins to get the most out …
If you are looking for plug-ins to add functions to your WordPress small business web site, take some time to read though this comprehensive list.  These are all the plugins I use for my customers WordPress web sites, as well as my own.  Be sure to …
The purpose of this video is to demonstrate how to make a WordPress Site faster and smaller in size by cleaning up the database. This will be demonstrated using a Windows 8 PC. Plugin WP Optimize will be used. Go to your WordPress login page. T…
The purpose of this video is to demonstrate how to Import and export files in WordPress. This will be demonstrated using a Windows 8 PC. Go to your WordPress login page. This will look like the following: mywebsite.com/wp-login.php : Click on Too…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question