home

yet another variant of the WordPress Viagra hack and how to fix it

The Symptom

A fake Viagra ad appeared at the top of the affected site, under the "title-area" and "site-title" HTML / CSS classes. The ad was a link, but the links went to seemingly random places having nothing to do with Viagra. I suspect the objective was a black hat SEO linking scheme.

Finding and Fixing

In this variant, the hacker used strrev, so the best search key through your PHP files is "edoced_46esab" (base64_decode in reverse).

• The hacks were to all of the "functions.php" files under the various themes under <WORDPRESS_HOME>/wp-content/themes.
• I show the actual inserted code below
• You must get rid of the hacked / inserted code from all the functions.php files.
• Deleting the themes through the front end will probably not work.
• Also, it seems deleting allegedly unused themes from the back end may not work, because Genesis seems to depend on some of them. (Or, perhaps, more specifically, whatever Genesis doesn't modify is modified by other themes.)

The affected files were indeed some of the latest timestamps in my web tree; specifically, 2014-Dec-15 06:37:42 EST as of Feb 11, 2015. So searching for recently modified files might work.

The hack worked in Firefox (v34) but not Chromium for Linux (v39).

Previous References

Dyslexic Mayans... gave me insight into what I was looking for. Also, at a glance, "my" hacked code is very similar to his. He narrates the hack itself.

Regarding "CDATA"

In the code below, the "CDATA" begin and end tags (as shown in the WikiP) have nothing to do with the hack or PHP in general. I include them so this page is XHTML / XML valid.

the hack itself

Below is the actual hack to functions.php. Get rid of the first php block before the php block with legitimate code. Commenting out may not work because my FireFTP refused to transfer the malware. Scroll to the bottom to see the now-infamous-to-me "edoced_46esab" and of course "lave" instead of "eval."

to decode the hack:

the decoded hack

very brief commentary

It is remotely possible that the ASCII "garbage" isn't garbage, but I'll let you decode and ponder that--exercise to the reader. Beyond that, see the Dyslexic Mayans link above.

How this Happened

The owner of the affected site got a Windows virus weeks before the hack. I suspect the site's FTP password was stolen at that point.

With that said, I need to look at the Apache access and error logs for the relevant timestamp. Unfortunately, I do not have access to "syslog," "auth.log," and other Linux files. The site is on a shared host.

Disclaimer about both WordPress and Viagra

This incident is very unlikely to be WordPress' "fault." It was probably a hack at the FTP level, which WordPress has no control over.

As for Viagra, the links didn't go to pages having anything to do with Viagra. I otherwise have no reason to believe the makers of Viagra had anything to do with this.

Page History

• posted 2015/02/19 1:10am EST