Got yourself a wordpress install? Confounded by some irritating gzunzip error messages in your dashboard (around line 1787 or somewhere)? You may have been hacked.
As far as I can tell, the hack simply adds a whole bunch of links to other websites – not harming visitors to your websites, but certainly make you party to some google fiddling (not that google will blame you, so no panic).
How can you check? well, if you’re techy, stick around… (and for non-techies, there’s simpler solution: find someone technical.)
Step 1 is to confirm you’ve been hacked, head into your Theme Editor and edit the first .php file you see (maybe post.php)
If you see a line like:
Followed by a whole bunch of letters (aWYoZnVuY3Rpb25fZXhpc3RzKCd …etc…) then you’re almost certainly looking at a hack. If you copy the text between the quote marks (so pretty much all of the goody letters) you can then go to a website like http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/ where you can then paste the text into the text area – press decode and hey presto! it’ll tell you want the secret letters are actually doing. Now, you’ll probably not understand a lot of it (it’s some pretty dense php code) but you should see something like:
(I’ve spaced this out to make it readable, but in the code it’s all one long, long line.
The bit you want to look at is the file mentioned in file_exists – this is the actual trojan horse/malware – it’s the bit of code that’s injecting lots of crap into your wordpress – and throwing up those irritating error messages.
You can then either contact your webserver admin guys and ask them to delete that file or go into your server and delete it yourself (or, for fun, replace the code within with “Hello World!” – then visit your site to see just how much that file is used).
Step 2, upgrade your wordpress. If it’s really old you’ll have to do it manually, if it’s new you can do it right away. This should stop the code getting reinjected into your system. Next step is to delete and replace any customised themes, these are likely to have had code injected to call that file.
Step 3, check all of your plugins to see if they have the
/**/eval code – if they do, delete it.
Step 4 – well, there is no step four. I’m not sure if all of the above will completely blitz the stuff from your system (I worked in tech support for years, but have been desperately trying to get away from it, so this post is as techy a thing as I’ve done in over a year.)
Hope that helps – if not sort your problem, at least solve the conundrum of