-3

I have just inherited a running WordPress installation from another agency and the theme (twentyeleven) they are using for my client has been corrupted. This is what most of the theme's PHP files look like at the beginning of the file:

[Screenshot of the obfuscated file header; image not reproduced]

What kind of attack is this? How do I identify it? And what steps should I take now?

  • It's not really corrupted, it seems like it's obfuscated - could be from a hacker, or the agency is trying to pull your leg. – BrownEyes Jan 21 '14 at 14:00
  • Can you explain more about how this is 'obfuscated'? And this keeps coming in repeatedly even after we try to clean it - What should I do? – Amit Erandole Jan 21 '14 at 14:13
  • Sounds like there is a script running somewhere in your website that keeps checking to see if someone tries to fix the code. I suggest a clean WP install, then installing the theme after cleaning it from this code and see if the problem persists. – BrownEyes Jan 21 '14 at 14:16
  • You have provided no useful information, all anyone can tell you is that the "attack" resulted in remote code execution. Probably started from timthumb or just neglecting basic security practices like **UPDATES**, and now your website is backdoored all to hell and re-sold on the blackmarket. Enjoy! – rook Jan 21 '14 at 17:27

2 Answers

1

It's obfuscated code. Someone has gained access to the server, and has inserted some code into the top, which they have encoded as Unicode strings and PHP tricks etc.

As to what to do, you need to secure whatever hole the attacker got in through, change all passwords etc, and then you can take one of two approaches:

  • Carefully remove any and all malicious code from your theme, and WordPress install as a whole. This is a difficult approach, because it requires you to spot every last bit of the code, and remove it safely without breaking your install. It needs significant experience and technical skill.

  • Rebuild from scratch. This is usually a good approach with WordPress because themes should be backed up from original development, and a fresh install is easy enough to install and import data into, and then you just have to be careful about the data you import.

The main point though, is that someone got in to your site somehow, and it could be through a load of different attack vectors. At the least you should:

  • Change all passwords for accounts
  • Review logs of SSH, FTP and all other services that allow a log in to your system, looking for suspicious activity that may lead you to how the attacker got in
  • Review configuration for all daemons and servers, and make sure all is up to date, including the distro itself
  • Consider extra security precautions like 2 factor authentication, changing default ports, using software firewalls, and things like DenyHosts.

Once that's all done, keep a close eye on the system, and backup regularly, but don't delete old backups for some time (nothing worse than backing up carefully, getting hacked and discovering that your only remaining backups are also compromised).

Attackers will often target systems they have got into before, so monitoring is a key aspect of your strategy from now on.

– Owen
  • I would suggest starting from scratch on a new machine, porting over data as you review it. You never know what's been done on a compromised machine. – Xiong Chiamiov Jan 27 '14 at 03:38
  • Yeah, mostly so would I, but this is obviously a balance of time and cost vs benefit – Owen Jan 27 '14 at 11:02
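The question asks how to identify the injection, and the comments note that it keeps coming back after cleaning. A practical way to deal with both is to record a hash manifest of the theme right after it has been cleaned, then re-scan it later for files that changed and for files whose first few kilobytes carry the usual markers of injected PHP (eval over a decoded blob, long runs of hex or unicode escapes). The script below is an added example, not code from the original answer or from WordPress; the indicator list, the 4 KiB header window and the sample files it builds in a temporary directory are all constructed assumptions.

```python
"""Added example (not from the original post): baseline a theme directory with
SHA-256 hashes, then diff it against a later state and flag files whose header
carries common PHP-obfuscation markers. Indicator list, header size and the
sample files built by demo() are constructed assumptions."""
import hashlib
import re
import tempfile
from pathlib import Path

# (name, pattern) pairs commonly seen in injected PHP preambles. Assumed list;
# tune it for your own environment and expect some false positives.
SUSPICIOUS = [
    ("eval", re.compile(rb"eval\s*\(")),
    ("base64_decode", re.compile(rb"base64_decode\s*\(")),
    ("gzinflate", re.compile(rb"gzinflate\s*\(")),
    ("str_rot13", re.compile(rb"str_rot13\s*\(")),
    ("preg_replace_e", re.compile(rb"preg_replace\s*\(.*/e")),   # /e executes code
    ("hex-escape-run", re.compile(rb"(\\x[0-9a-fA-F]{2}){8,}")),   # "\x62\x61..." runs
    ("unicode-escape-run", re.compile(rb"(\\u[0-9a-fA-F]{4}){8,}")),
    ("long-string", re.compile(rb'\$[a-zA-Z_]\w*\s*=\s*"[^"]{200,}"')),
]
HEADER_BYTES = 4096  # injections of this kind sit at the very top of the file


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map POSIX-style relative path -> sha256 for every .php file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*.php"))}


def diff_manifest(old, new):
    """Return (added, removed, modified) relative paths between two manifests."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, removed, modified


def suspicious_indicators(path):
    """Names of indicators that match in the file header, in SUSPICIOUS order."""
    with open(path, "rb") as f:
        head = f.read(HEADER_BYTES)
    return [name for name, pat in SUSPICIOUS if pat.search(head)]


def scan(root):
    """Relative path -> matched indicator names, for files with at least one hit."""
    root = Path(root)
    hits = {}
    for p in sorted(root.rglob("*.php")):
        found = suspicious_indicators(p)
        if found:
            hits[p.relative_to(root).as_posix()] = found
    return hits


# Constructed sample files (not real malware): a clean theme file and the same
# file with a hex-escaped "base64_decode" name fed to eval prepended to it.
CLEAN_PHP = b"<?php\n/**\n * Twenty Eleven functions\n */\nfunction twentyeleven_setup() {}\n"
INJECTED_PHP = (
    b"<?php $x=\"\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\";"
    b"eval($x(\"aGVsbG8=\"));?>\n" + CLEAN_PHP
)


def demo():
    """Baseline a clean theme, simulate re-infection, and report the findings."""
    with tempfile.TemporaryDirectory() as d:
        theme = Path(d) / "twentyeleven"
        theme.mkdir()
        (theme / "functions.php").write_bytes(CLEAN_PHP)
        (theme / "header.php").write_bytes(CLEAN_PHP)
        baseline = build_manifest(theme)                      # taken right after cleaning
        (theme / "functions.php").write_bytes(INJECTED_PHP)   # existing file re-injected
        (theme / "inc").mkdir()
        (theme / "inc" / "cache.php").write_bytes(b"<?php eval(base64_decode('...'));")
        added, removed, modified = diff_manifest(baseline, build_manifest(theme))
        return {"added": added, "removed": removed, "modified": modified,
                "hits": scan(theme)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `build_manifest` on the cleaned theme and store the manifest somewhere the web server cannot write to; any path that shows up as added or modified on a later run is something to inspect before deciding whether the injection has returned. The indicator scan is a triage aid only: legitimate plugins also use `base64_decode`, so treat a hit as a reason to read the file, not as proof of compromise.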
0

You could crack the encryption, because the key is near the cryptotext inside the malicious code.

You could decrypt the whole malicious PHP injection to understand what exactly it is.

In the plain text you will find your attacker or redirection to malicious cloakers.

If you don't know how, pastebin it here.