Facebook   Twitter    YouTube    RSS Feed    Android App    iPhone and iPad App     BlackBerry App    
Subscribe to Newsletter



Results 1 to 15 of 15

Thread: Wordpress hacked / infected with 'Silence is golden' code

  1. #1

    Exclamation Wordpress hacked / infected with 'Silence is golden' code

    Hoping one of you gurus can help me out here

    One of my websites got hacked or infected (unsure what it actually is) last week. After I experienced some strange admin panel behavior I had a feeling that every directory's index.php file was affected (as those are the files hackers usually sort of 'deface' in Wordpress and alas, it was!

    Every index.php in my wordpress directories contained the following line of code (and nothing else - everything else had been wiped):

    Code:
    <?php
    // Silence is golden.
    ?>
    Here are the steps I've taken in an attempt to fix it:

    * deactivated all my plugins
    * uninstalled a theme I recently installed (and completely removed it)
    * Backed up my database tables (.sql file)
    * backed up my plugins and images folders
    * Wiped everything off the server
    * Re-installed wordpress & uploaded backups
    * Imported sql database tables

    The site's admin side is still acting up while the front end seems fine. I checked the index.php files again and they still contain the above 'silence is golden' line of code.

    How can this be? I have a fresh Wordpress installation directly from Wordpress.org...? I haven't activated the plugins either... It can't be my plugins because I've been using the very same set of plugins and have kept them updated for 2 years without hassles.

    There is something fishy in the database tables though... I noticed a table called fssstats among all the wp_tables... I was wondering whether it might be an sql injection infecting my index.php files?

    I also extracted the Wordpress installation package onto my local HDD in an attempt to FTP the individual index.php files but when I checked the freshly unzipped Woedpress folders out of curiosity... I noticed that they also contained.......................

    Code:
    <?php
    // Silence is golden.
    ?>


    What the hell is going on!?

    ------------------------------------------------------------
    Dream the Intel machine,Possess the Android device DICEBAT!
    Have you Headbanged Today?
    mma site for sale? MMA South Africa

  2. #2
    Super Grandmaster
    Join Date
    Jun 2009
    Location
    Snorries
    Posts
    10,319
    Last edited by froot; 27-03-2012 at 08:43 AM.
    Quote Originally Posted by Rickster View Post
    Why is everyone going ape **** over this car, it looks like junk and the performance must be too.
    Quote Originally Posted by KSINGH View Post
    Oh no you didn't

  3. #3
    Karmic Sangoma ghoti's Avatar
    Join Date
    Jan 2005
    Location
    Hotel California
    Posts
    40,480
    Blog Entries
    9

    Default

    Are you using an outdated version for timthumb? So many wordpress sites are getting hacked cause of that. If I was you I would replace the entire website. Chances are almost every file has a backdoor. You basically need to reinstall everything:

    http://smackdown.blogsblogsblogs.com...-installation/

    Delete every file you have and reinstall (you can keep the database, just change the username and password for it).

    Then get the timthumb vulnerability scanner. It its the #1 way hackers are exploiting wordpress these days.
    Last edited by ghoti; 27-03-2012 at 09:01 AM.
    "To live is the rarest thing in the world. Most people exist. That is all..." - Oscar Wilde

  4. #4

    Default

    Also, and this might be the important one: change your password?

  5. #5
    Super Grandmaster
    Join Date
    Jun 2009
    Location
    Snorries
    Posts
    10,319

    Default

    Quote Originally Posted by AcidRaZor View Post
    Also, and this might be the important one: change your password?
    That's what the threads also say you should do.
    Quote Originally Posted by Rickster View Post
    Why is everyone going ape **** over this car, it looks like junk and the performance must be too.
    Quote Originally Posted by KSINGH View Post
    Oh no you didn't

  6. #6

    Default

    Always keep a up to date backup of your site on your local machine and then password wise as difficult as possible

    What word press version are you using ? Please list all plugins as well and what is your current site url ?

  7. #7
    Super Grandmaster
    Join Date
    Jun 2009
    Location
    Snorries
    Posts
    10,319

    Default

    Quote Originally Posted by byron_spy View Post
    What word press version are you using ? Please list all plugins as well and what is your current site url ?
    You sound like you want to try that exploit too
    Quote Originally Posted by Rickster View Post
    Why is everyone going ape **** over this car, it looks like junk and the performance must be too.
    Quote Originally Posted by KSINGH View Post
    Oh no you didn't

  8. #8

    Default

    Quote Originally Posted by froot View Post
    You sound like you want to try that exploit too
    Loool nah actually want to help the poor guy

    I have exploited so much its not funny anymore

  9. #9

    Default

    Um.. Actually, there are index.php files with

    Code:
    <?php
    // Silence is golden
    ?>
    in them in the wordpress directories under wp-content, so that if your web server is not properly secured, if people try and list the directory contents of folders there, they will just get a blank page instead. THIS IS NORMAL!

    The "hack" that they are referring to is if there is an 'eval(base64_decode('blahblah')' bit in the file as well.

    http://wordpress.org/support/topic/s...content-folder

    http://www.shinephp.com/silence-is-golden/
    Last edited by thisgeek; 27-03-2012 at 10:51 AM.

  10. #10

    Default

    Its not hacked if your site still works

  11. #11
    Grandmaster Bar0n's Avatar
    Join Date
    Nov 2010
    Location
    Hopping from one vertex to the next
    Posts
    3,729

    Default

    Quote Originally Posted by byron_spy View Post
    Its not hacked if your site still works
    No, it looks pretty hacked to me.

  12. #12

    Default

    Quote Originally Posted by Bar0n View Post
    No, it looks pretty hacked to me.
    Whats his url ?

  13. #13
    Grandmaster Bar0n's Avatar
    Join Date
    Nov 2010
    Location
    Hopping from one vertex to the next
    Posts
    3,729

    Default

    Quote Originally Posted by byron_spy View Post
    Whats his url ?
    Does it matter?

  14. #14

    Default

    Quote Originally Posted by Bar0n View Post
    Does it matter?
    Well I wanted to see the "skills" in working but its ok

  15. #15

    Default

    Quote Originally Posted by thisgeek View Post
    Um.. Actually, there are index.php files with

    Code:
    <?php
    // Silence is golden
    ?>
    in them in the wordpress directories under wp-content, so that if your web server is not properly secured, if people try and list the directory contents of folders there, they will just get a blank page instead. THIS IS NORMAL!

    The "hack" that they are referring to is if there is an 'eval(base64_decode('blahblah')' bit in the file as well.

    http://wordpress.org/support/topic/s...content-folder

    http://www.shinephp.com/silence-is-golden/
    Wow okay, that changes things...

    The problem is that I am sitting with a back end that's white with blue outlines... instead of the traditional gradient-ish grey which wordpress is...

    It almost seems as if CSS stylesheets are missing. I've uploaded the original (for the themes I use) to no avail.

    The site is working... to a certain extent I guess. I've re-installed Wordpress 3.3.1 but still need to do a few more things before the front end is up and running again (I always install wordpress in a subdirectory and never the root).

    Anyway, to the point this is what the backend looked like and STILL looks like after the re-install:

    http://www.boxofinsight.com/wp-conte...03/Capture.png
    Dream the Intel machine,Possess the Android device DICEBAT!
    Have you Headbanged Today?
    mma site for sale? MMA South Africa

Tags for this Thread

Bookmarks

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •