62.gif

Search (advanced search)
Use this Search form before posting, asking or make a new thread.
Tips: Use Quotation mark to search words (eg. "How To Make Money Online")

02-12-2016, 08:09 AM
Post: #11
RE: Have I been hacked? PHP script in core wordpress file
last thing , reply to 2nd poster , the site was not hacked the theme ,plugin was cracked by a cracker and he him self modified the code so people install it without knowing anything and what this shit does is , force re-directs users to his money site , to gain free traffic.
02-15-2016, 09:25 PM
Post: #12
RE: Have I been hacked? PHP script in core wordpress file
(02-12-2016 08:06 AM)hanna21 Wrote:  here is more code to search

Quote: eval(gzinflate(base64_decode('Code')))
eval(gzinflate(str_rot13(base64_decode('Code'))))
eval(gzinflate(base64_decode(str_rot13('Code'))))
eval(gzinflate(base64_decode(base64_decode(str_rot13('Code')))))
eval(gzuncompress(base64_decode('Code')))
eval(gzuncompress(str_rot13(base64_decode('Code'))))
eval(gzuncompress(base64_decode(str_rot13('Code'))))
eval(base64_decode('Code'))
eval(str_rot13(gzinflate(base64_decode('Code'))))
eval(gzinflate(base64_decode(strrev(str_rot13('Code')))))
eval(gzinflate(base64_decode(strrev('Code'))))
eval(gzinflate(base64_decode(str_rot13('Code'))))
eval(gzinflate(base64_decode(str_rot13(strrev('Code')))))
eval(base64_decode(gzuncompress(base64_decode('Code'))))
eval(gzinflate(base64_decode(rawurldecode('Code'))))
eval(str_rot13(gzinflate(str_rot13(base64_decode('Code')))))


like i said catch up to what i said , if you want me to do pay for my time contact me hanna21460

Thanks a lot for your reply.

I've put the code
PHP Code:
find . -name "*.php" -print0 xargs -0 egrep -'eval\(base64_decode\(' >> infectedfiles.txt 

in Putty ssh, I made sure I was in the correct directory, this code created the file infectedfiles.txt correctly as you said however it did not get any text put inside this file.

Even if I search something I know for sure is in a php file it still does not find it and put it in infectedfiles.txt so I am not sure what is going on with this?

For example:
PHP Code:
find . -name "*.php" -print0 xargs -0 egrep -'global $blog_id;' >> infectedfiles.txt 

I know global $blog_id; is in wp-settings.php but it doesn't find it in Putty?

I do have multiple wordpress sites hosted in subdirectories on the server. It appears that the infected code had got into every single nav-menu.php on the server somehow, I have reinstalled Wordpress and deleted any suspicious plugins/themes.

Thanks




87.gif