[wp-hackers] Fwd: [Webmaster Central Help] Site hacked.

Malaiac malaiac at gmail.com
Fri Nov 27 09:14:37 UTC 2009


Regarding http://www.google.com/support/forum/p/Webmasters/thread?fid=2bb823d5af6173a00004794fff8f89b7&hl=en

it seems this is an exploit from older versions of WP.

One of my sites had been hacked with it. Upgrading to 2.8.6 and
overwriting the wp-settings.php file did the job.

M

---------- Forwarded message ----------
From: Google Help <noreply at google.com>
Date: 2009/11/27
Subject: Re: [Webmaster Central Help] Site hacked. Search results
says: "Buy Cheap Viagra Online - Are You Looking For The Cheapest
Viagra ..."
To: malaiac at gmail.com


DerickSchaefer has posted an answer to the question "Site hacked.
Search results says: "Buy Cheap Viagra Online - Are You Looking For
The Cheapest Viagra ..."":

ingenuityworks, JRod and I found the code inside of WP-SETTINGS.PHP with
the guidance provided by redleg. Basically, we went into a UNIX shell
and did a find command on all .PHP files that had the phrase
'base64_decode' in it. Three files surfaced and the obvious one was
the one that had the huge ugly string of funny characters in it. In
our case this was WP-SETTINGS.PHP. This could differ in your case.

Two solutions that you can't hurt yourself in trying. One, replace
wp-settings.php or simply upgrade WordPress to the next version.

If you want to search your files and find exactly where this is, go to
a UNIX shell and use the "cd" command to get where your wordpress
files are. For example, cd www <return> and then run a GREP command
like grep "base64_decode" *.php and it will tell you what it sees.

Great thread here guys and thanks to all who helped as this was a
nasty little virus to snoop out and get rid of.
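
An added example, not part of the original message or the forum answer: the search described above, made recursive and ranked so that the file holding the "huge ugly string" sorts to the top, since WordPress core itself calls base64_decode in a few files. The function names and the 200-character threshold are assumptions chosen for this sketch.

```shell
#!/bin/sh
# Rank PHP files that mention base64_decode by the longest base64-looking
# run of characters they contain. A bare match is only a lead; a run of
# hundreds of encoded characters is what deserves a manual look.

# longest_b64_run FILE
# Prints the length of the longest run of base64 alphabet characters.
longest_b64_run() {
    awk '{
        s = $0
        while (match(s, "[A-Za-z0-9+/=]+")) {
            if (RLENGTH > max) max = RLENGTH
            s = substr(s, RSTART + RLENGTH)
        }
    } END { print max + 0 }' "$1"
}

# scan_php_base64 DIR [MINLEN]
# Prints "length<TAB>tag<TAB>path", longest run first. The tag is SUSPECT
# when the run is at least MINLEN characters (default 200, an assumed
# threshold), otherwise "review".
scan_php_base64() {
    dir=$1
    min=${2:-200}
    find "$dir" -type f -iname '*.php' \
        -exec grep -l 'base64_decode' {} + 2>/dev/null |
    while IFS= read -r f; do
        n=$(longest_b64_run "$f")
        if [ "$n" -ge "$min" ]; then tag=SUSPECT; else tag=review; fi
        printf '%s\t%s\t%s\n' "$n" "$tag" "$f"
    done | sort -rn
}

# Run from the WordPress root, e.g.: sh scan.sh . 200
if [ "$#" -gt 0 ]; then
    scan_php_base64 "$@"
fi
```

Compare any SUSPECT file against the same file from a clean copy of the matching WordPress release before replacing it.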


