Wordpress hacked / infected with 'Silence is golden' code

[Dicebat]

Hoping one of you gurus can help me out here

One of my websites got hacked or infected (unsure what it actually is) last week. After I experienced some strange admin panel behavior I had a feeling that every directory's index.php file was affected (as those are the files hackers usually sort of 'deface' in Wordpress and alas, it was!

Every index.php in my wordpress directories contained the following line of code (and nothing else - everything else had been wiped):

Code:

<?php
// Silence is golden.
?>

Here are the steps I've taken in an attempt to fix it:

* deactivated all my plugins
* uninstalled a theme I recently installed (and completely removed it)
* Backed up my database tables (.sql file)
* backed up my plugins and images folders
* Wiped everything off the server
* Re-installed wordpress & uploaded backups
* Imported sql database tables

The site's admin side is still acting up while the front end seems fine. I checked the index.php files again and they still contain the above 'silence is golden' line of code.

How can this be? I have a fresh Wordpress installation directly from Wordpress.org...? I haven't activated the plugins either... It can't be my plugins because I've been using the very same set of plugins and have kept them updated for 2 years without hassles.

There is something fishy in the database tables though... I noticed a table called fssstats among all the wp_tables... I was wondering whether it might be an sql injection infecting my index.php files?

I also extracted the Wordpress installation package onto my local HDD in an attempt to FTP the individual index.php files but when I checked the freshly unzipped Woedpress folders out of curiosity... I noticed that they also contained.......................

Code:

<?php
// Silence is golden.
?>

What the hell is going on!?

------------------------------------------------------------

[froot]

This is an old hack...

http://wordpress.org/support/topic/a...ence-is-golden

http://www.webdeveloper.com/forum/sh...d.php?t=215939

http://lorelle.wordpress.com/2009/09...-under-attack/

[ghoti]

Are you using an outdated version for timthumb? So many wordpress sites are getting hacked cause of that. If I was you I would replace the entire website. Chances are almost every file has a backdoor. You basically need to reinstall everything:

http://smackdown.blogsblogsblogs.com...-installation/

Delete every file you have and reinstall (you can keep the database, just change the username and password for it).

Then get the timthumb vulnerability scanner. It its the #1 way hackers are exploiting wordpress these days.

[AcidRaZor]

Also, and this might be the important one: change your password?

[froot]

Also, and this might be the important one: change your password?

That's what the threads also say you should do.

[byron_spy]

Always keep a up to date backup of your site on your local machine and then password wise as difficult as possible

What word press version are you using ? Please list all plugins as well and what is your current site url ?

[froot]

What word press version are you using ? Please list all plugins as well and what is your current site url ?

You sound like you want to try that exploit too

[byron_spy]

You sound like you want to try that exploit too

Loool nah actually want to help the poor guy

I have exploited so much its not funny anymore

[thisgeek]

Um.. Actually, there are index.php files with

Code:

<?php
// Silence is golden
?>

in them in the wordpress directories under wp-content, so that if your web server is not properly secured, if people try and list the directory contents of folders there, they will just get a blank page instead. THIS IS NORMAL!

The "hack" that they are referring to is if there is an 'eval(base64_decode('blahblah')' bit in the file as well.

http://wordpress.org/support/topic/s...content-folder

http://www.shinephp.com/silence-is-golden/

[byron_spy]

Its not hacked if your site still works

[Bar0n]

Its not hacked if your site still works

No, it looks pretty hacked to me.

[byron_spy]

No, it looks pretty hacked to me.

Whats his url ?

[Bar0n]

Whats his url ?

Does it matter?

[byron_spy]

Does it matter?

Well I wanted to see the "skills" in working but its ok

[Dicebat]

Um.. Actually, there are index.php files with

Code:

<?php
// Silence is golden
?>

in them in the wordpress directories under wp-content, so that if your web server is not properly secured, if people try and list the directory contents of folders there, they will just get a blank page instead. THIS IS NORMAL!

The "hack" that they are referring to is if there is an 'eval(base64_decode('blahblah')' bit in the file as well.

http://wordpress.org/support/topic/s...content-folder

http://www.shinephp.com/silence-is-golden/

Wow okay, that changes things...

The problem is that I am sitting with a back end that's white with blue outlines... instead of the traditional gradient-ish grey which wordpress is...

It almost seems as if CSS stylesheets are missing. I've uploaded the original (for the themes I use) to no avail.

The site is working... to a certain extent I guess. I've re-installed Wordpress 3.3.1 but still need to do a few more things before the front end is up and running again (I always install wordpress in a subdirectory and never the root).

Anyway, to the point this is what the backend looked like and STILL looks like after the re-install:

http://www.boxofinsight.com/wp-conte...03/Capture.png