Comments on: How to find a backdoor in a hacked WordPress

By: Tony Payne

Tony Payne — Mon, 30 Jan 2012 14:29:41 +0000

Same problem here in the last week Rob. All my web sites (12), both WordPress and HTML hard coded got hacked with what is probably the same Bot.

I identified the files that contained the “base64_decode” text and script, edited them using Filezilla, thought I had all but one site back up, and now they are all infected again.

I purchased a new hosting account with a different company in October and haven’t yet transferred the domains across. This seems like a good time to do so, and hopefully I can salvage the many posts that I have written.

This is so extremely frustrating and time consuming, and you can’t just fix things until you know exactly what is wrong, and how to prevent it from happening again.

By: My final Wordpress security solution

My final Wordpress security solution — Tue, 06 Dec 2011 10:35:42 +0000

[...] http://ottopress.com/2009/hacked-wordpress-backdoors/ [...]

By: lajme

lajme — Mon, 21 Nov 2011 18:00:36 +0000

Cleaning a 3 GB space in my host is killing me, and i can not find the source of infection for 3 weeks. Damn. Thank you for the post, now i have few more places to look

By: Sécuriser Wordpress, Cpanel et WHM.

Sécuriser Wordpress, Cpanel et WHM. — Mon, 07 Nov 2011 11:23:11 +0000

[...] WordPress : 6 stratégies pour rester serein10 WordPress security tips that could save your sitehttp://ottopress.com/2009/hacked-wordpress-backdoorshttp://wordpress.org/support/topic/wp-blog-hacked-ksa-userC’est comme les accidents de la [...]

By: Peter

Peter — Tue, 11 Oct 2011 00:34:40 +0000

Hi Otto,
I have found a suspicious file that is a jquery.js file in the wp-includes/js folder and it contains a large array of numbers with none of the usual header comments about the author etc. The normal location for jquery.js is in the wp-includes/js/jquery

My concern is that it seems to have been brought in by something like a plugin but I need to work out where it came from? I have not been able to find it in any of the plugin files downloaded and installed so I am assuming it has been generated by an installation. The puzzle is that we use WordPress File Monitor that logs all changed and added files, but there is no record of it being added. If it was generated by a plugin it should have shown on file monitor as an added file?

I would appreciate any suggestions you have.
Kind regards, Peter

By: otto maniani

otto maniani — Sun, 25 Sep 2011 12:46:23 +0000

hi,
my wordpress site got hacked too, i don’t know how to repair it, because i’m not a programmer which can understand piece of coding. my site ramsite.info got hacked till now, and i cant resolve it even i reset my wp instalation..

By: Kim

Kim — Fri, 23 Sep 2011 09:16:45 +0000

So this is probably dodgy? My site was hacked by the Saudi Arabia hacker last night. This is in the wp-admin/css folder and is called system-in.php. Here is the first bit of the file. I’m thinking they got into my google account, and I have all my log ins and passwords in a shared file in google docs. Will remove it now )

$OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=59080;eval((base64_decode('JE8wMDBPME8wMD1mb3BlbigkT09PME8wTzAwLCdyYicpO3doaWxlKC0

By: Samuel B on "feed is hacked how to fix it" | Upgrade Wordpress Now

Samuel B on "feed is hacked how to fix it" | Upgrade Wordpress Now — Tue, 20 Sep 2011 17:31:35 +0000

[...] http://ottopress.com/2009/hacked-wordpress-backdoors/ [...]

By: How was my WP site hacked | SeekPHP.com

How was my WP site hacked | SeekPHP.com — Fri, 19 Aug 2011 15:31:59 +0000

[...] Then take a look at these links:http://ottopress.com/2009/hacked-wordpress-backdoors/http://wordpress.org/support/topic/268083#post-1065779http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/ [...]

By: Rob Venter

Rob Venter — Fri, 08 Jul 2011 12:56:01 +0000

I have the same “eval(base64_decode” as Cecilia Tan. It runs on my index.php file inside the main wordpress folder and it also runs on the copy of that index.php in my site’s root folder.

All the wordpress sites on my hosting account have been hacked. There are about 10 websites. I scanned my harddrive, deleted all ftp software, changed all passwords including my cpanel password, ftp, and wordpress passwords. I even deleted some of the websites and databases. But the code reappeared when I created brandnew databases and reuploaded the websites on fresh wp installs. (I reuploaded my themes folder).

I’m sure this means that there’s a backdoor in my wp-content folder, possibly my themes folder. Only thing is, I can’t find it.

The thing is, if I register a new domain in my hosting account and install wordpress (manually or via cpanel) I can guarantee I will have the same thing happen within 24 hours. I’ve done this a few times lately.

What do I do?

Thanks so much.
Rob