Wordpress hacked / infected with 'Silence is golden' code

Dicebat

Well-Known Member
Joined
Mar 15, 2010
Messages
160
Hoping one of you gurus can help me out here :crying:

One of my websites got hacked or infected (unsure what it actually is) last week. After I experienced some strange admin panel behavior I had a feeling that every directory's index.php file was affected (as those are the files hackers usually sort of 'deface' in Wordpress and alas, it was!

Every index.php in my wordpress directories contained the following line of code (and nothing else - everything else had been wiped):

Code:
<?php
// Silence is golden.
?>
Here are the steps I've taken in an attempt to fix it:

* deactivated all my plugins
* uninstalled a theme I recently installed (and completely removed it)
* Backed up my database tables (.sql file)
* backed up my plugins and images folders
* Wiped everything off the server
* Re-installed wordpress & uploaded backups
* Imported sql database tables

The site's admin side is still acting up while the front end seems fine. I checked the index.php files again and they still contain the above 'silence is golden' line of code.

How can this be? I have a fresh Wordpress installation directly from Wordpress.org...? I haven't activated the plugins either... It can't be my plugins because I've been using the very same set of plugins and have kept them updated for 2 years without hassles.

There is something fishy in the database tables though... I noticed a table called fssstats among all the wp_tables... I was wondering whether it might be an sql injection infecting my index.php files?

I also extracted the Wordpress installation package onto my local HDD in an attempt to FTP the individual index.php files but when I checked the freshly unzipped Woedpress folders out of curiosity... I noticed that they also contained.......................

Code:
<?php
// Silence is golden.
?>
:mad:

What the hell is going on!?

------------------------------------------------------------
 

ghoti

Karmic Sangoma
Joined
Jan 17, 2005
Messages
45,731
Are you using an outdated version for timthumb? So many wordpress sites are getting hacked cause of that. If I was you I would replace the entire website. Chances are almost every file has a backdoor. You basically need to reinstall everything:

http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

Delete every file you have and reinstall (you can keep the database, just change the username and password for it).

Then get the timthumb vulnerability scanner. It its the #1 way hackers are exploiting wordpress these days.
 
Last edited:

byron_spy

Expert Member
Joined
Nov 9, 2010
Messages
1,078
Always keep a up to date backup of your site on your local machine and then password wise as difficult as possible

What word press version are you using ? Please list all plugins as well and what is your current site url ?
 

thisgeek

Expert Member
Joined
Apr 22, 2005
Messages
3,372
Um.. Actually, there are index.php files with

Code:
<?php
// Silence is golden
?>
in them in the wordpress directories under wp-content, so that if your web server is not properly secured, if people try and list the directory contents of folders there, they will just get a blank page instead. THIS IS NORMAL!

The "hack" that they are referring to is if there is an 'eval(base64_decode('blahblah')' bit in the file as well.

http://wordpress.org/support/topic/silence-is-golden-strange-indexphp-file-shows-up-in-wp-content-folder

http://www.shinephp.com/silence-is-golden/
 
Last edited:

Dicebat

Well-Known Member
Joined
Mar 15, 2010
Messages
160
Um.. Actually, there are index.php files with

Code:
<?php
// Silence is golden
?>
in them in the wordpress directories under wp-content, so that if your web server is not properly secured, if people try and list the directory contents of folders there, they will just get a blank page instead. THIS IS NORMAL!

The "hack" that they are referring to is if there is an 'eval(base64_decode('blahblah')' bit in the file as well.

http://wordpress.org/support/topic/silence-is-golden-strange-indexphp-file-shows-up-in-wp-content-folder

http://www.shinephp.com/silence-is-golden/
Wow okay, that changes things...

The problem is that I am sitting with a back end that's white with blue outlines... instead of the traditional gradient-ish grey which wordpress is...

It almost seems as if CSS stylesheets are missing. I've uploaded the original (for the themes I use) to no avail.

The site is working... to a certain extent I guess. I've re-installed Wordpress 3.3.1 but still need to do a few more things before the front end is up and running again (I always install wordpress in a subdirectory and never the root).

Anyway, to the point this is what the backend looked like and STILL looks like after the re-install:

http://www.boxofinsight.com/wp-content/uploads/2012/03/Capture.png
 
Top