
I’ve got a worm.

  • gregfielding


    So, I’ve got a worm.

    I’m not sure where I picked it up…and I’m not suggesting it has anything to do with BP. But, because a lot of you run BP & MU communities, I’m hoping you might be able to help, and certainly be on the lookout for this in your communities.

    I started getting code inserted into the functions.php files of my themes. I noticed it first on my main site, because it went white-screen on me.

    At first, I thought that it was a parent-child theme issue, because some of the code from my child theme functions.php was duplicated up to the parent theme, then throughout every theme in my install. (300+)

    Digging deeper, I found the evil code. I see it from time to time in various functions.php files in my install. So far, I can’t get rid of it.

    I googled snips of the code and found a forum thread where someone else had the exact same virus attack their community. The recommendation there was “shut the site down”. Obviously, that’s not what I want to hear.

    Here is the link to that discussion.

    And, here is the evil code itself.

    Anyone had any experience with this?

Viewing 14 replies - 1 through 14 (of 14 total)
  • Won’t help and might be obvious but the absolutely vital and most urgent issue to tackle when a server is compromised is that you MUST identify the means of exploit, work out just how this has happened and close that vulnerability – start trawling through your log files for starters. To be able to inject code directly to a functions.php file is more than a little worrying. If there is an exploit out there it needs to be identified and reported to the core dev team to investigate and patch.

    Edit/ ok so it appears less an exploit than simply malicious code in a particular theme, for which there is little protection against really as in reality you have uploaded bad code on to your server yourself rather than the bad code needing to find a means of gaining access to the server.

    You are going to have to identify what theme is the culprit which given you have so many is going to be painful but it’s likely going to be one of the last that you uploaded, also you can probably discount any themes that are well known and reputable i.e. are rated and listed on WP.

    P.S. I would remove the pastebin code fairly soon after perhaps one or two more experienced BP/WP hands have had a peep, one doesn’t want to make public malicious code?

    hnla – there’s a hack going around where they inject code in clean themes & files.

    Greg – to clean this up is going to take a bit of time. You have to remove all the files and replace them with clean fresh ones. Get a new zip of mu, new zips of your themes, etc…

    Before you do that, change every single password you have. Hacks like this they either lift your ftp password or they got into the box (server) itself.

    @andrea_r Ok then that’s not so funny, although reading a few of those posts in the link you provided do seem to suggest that the hacks were in an uploaded free theme.

    If it’s an ftp compromise it’s really about time ftp was simply forbidden or retired :), such an insecure means of accessing a server especially when there are many far more secure protocols around such as sftp



    Thanks @andrea_r
    I’ve changed every password and am working on loading in a fresh MU install, then I’ll start working on themes.


    @gregfielding you have my sympathy for the task ahead it’s a major PITA. Interested in whether you have identified the manner through which you were hacked though, was it indeed via ftp or some other similar unauthorised access of your server?




    I don’t know yet. I’ve been good about using strong passwords and changing them every so often. And, I’m on a dedicated server, not shared.

    I’m running some scans now on my local computer to see if anything there has grabbed my ftp info.

    At this point, my best guess is something in a theme or plugin that I’ve installed, but I’ve tried to be very careful about only installing stuff from reputed places.

    My problem now is that, I’ve got to find it and kill it or it will just start up again.

    That’s the rub it’s why it’s so important to identify how it’s happened, good that you have a dedicated server though as that means you can harden security once things have been cleared up, I like vsftpd as an ftp program considered to be amongst the most secure and set up with virtual users jailed to directories and sftp. Good luck identifying it, keep the thread updated.

    @gregfielding Time to dig in the access logs. See if you can find the dates on the extra files, or on the changed files & cross-check them with the access logs at the same time.

    I do know of someone who got hacked via *Windows* which then infected his installs via his ftp program. Most of the hacks of this type that I have seen haven’t been via any WordPress files, but the box itself or hacking the ftp password. Use sftp instead.




    So far, my desktop is clean…no viruses. My passwords are changed.

    I’ve installed all new MU files and tried to run the Exploit Scanner, but getting an “out of memory” error…likely from the worm using up my memory.

    From what I can tell so far, the infection seems limited to the functions.php files of my themes. But, of course, it could be disguised as anything deep in my database somewhere.

    The challenge I have is that I can’t delete the code fast enough…By the time I’m on the 11th theme, the first 10 are infected again.

    I do have an idea…if I clean up the functions.php file, then make that file unwritable, I would be able to remove the code from all 300 of my themes.

    Then, I could make a few of them writable again and see if it comes back?

    I guess I’m just optimistic that this is the only malicious code…




    FileZilla no good?



    My hosting company, PSEK, was able to remove the code from each theme. So, as of now, my themes are clean, my passwords are changed, and I’ve got a new install of MU.

    I’m still getting memory errors, indicating that the virus is probably still there somewhere. We’ll see.

    Within a few hours, we’ll probably know if this is good enough or if there are continued problems.

    Per @andrea_r, pulled the access logs and found 2 IP addresses – mine and one other. Here’s what I found:
    May 9 18:28:52 wpmu pure-ftpd: (?@ [WARNING] Authentication failed for user [housingstorm] – probably failing because I changed my passwords.

    Now, I searched for that IP address and it’s from Brazil. In my google-search, I also found it referenced on several other forums as an attacker and I even found an access log file for another site that showed them gaining access.

    One forum mentioned that there were extra files in their database after the attack.

    My local computer scan was clean, so I’m not sure how they got access, but I would recommend banning this IP address and monitoring your access logs.

    Filezilla is a pretty good ftp programme, the client can run sftp, the server can not. I use FileZilla as my client, always have.

    Pure-ftp seems to be installed on many boxes of the semi configured variety, it is claimed to be a secure FTP server I haven’t used it so can’t comment but others around such as Pro-ftp are known to have holes.

    VSFTPD on the other hand is touted as the most secure and endorsed by some very big players such as Redhat, Openbsd, IBM, SANS.

    Configured as sftp along with chrooted directories should give a fairly secure environment.

    I would still view things pretty cautiously as you haven’t really established the method of exploit and definitely change your ftp access to a sftp one to close that possible avenue of attack down.

    Awesome follow-up Greg. :) Hope you manage to block it.

  • The topic ‘I’ve got a worm.’ is closed to new replies.
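
The cross-check suggested in the thread (modification dates of changed files against the FTP log) can be scripted. The following is an added example, not code posted by anyone in the thread; the log lines, paths, year, user name and IP addresses are constructed, and the pure-ftpd syslog line shape is assumed to match the one quoted above.

```python
import re
from datetime import datetime, timedelta
from pathlib import Path

# Syslog shape: "<Mon D HH:MM:SS> <host> pure-ftpd: (<user>@<ip>) [<LEVEL>] <message>"
LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\spure-ftpd:\s"
                  r"\((\S+?)@(\S+?)\)\s\[(\w+)\]\s(.*)$")

def parse_ftp_log(lines, year):
    """Return (time, user, ip, level, message) tuples; syslog omits the year."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y")
            events.append((ts, *m.groups()[1:]))
    return events

def theme_mtimes(themes_dir):
    """Modification time of every functions.php below themes_dir (live use)."""
    return {str(p): datetime.fromtimestamp(p.stat().st_mtime)
            for p in Path(themes_dir).rglob("functions.php")}

def correlate(mtimes, events, window=timedelta(minutes=5)):
    """Map each file to the FTP events logged within `window` of its mtime."""
    hits = {}
    for path, mtime in mtimes.items():
        near = [e for e in events if abs(e[0] - mtime) <= window]
        if near:
            hits[path] = near
    return hits

def suspect_ips(hits, own_ips):
    """IPs active around file changes, minus the administrator's own."""
    return sorted({e[2] for evs in hits.values() for e in evs} - set(own_ips))

# Constructed sample data, not taken from the thread (documentation IP ranges).
SAMPLE_LOG = [
    "May  9 09:02:10 wpmu pure-ftpd: (siteadmin@203.0.113.5) [NOTICE] /var/www/themes/beta/style.css uploaded (812 bytes, 10.00KB/sec)",
    "May  9 18:20:01 wpmu pure-ftpd: (?@198.51.100.7) [INFO] siteadmin is now logged in",
    "May  9 18:20:14 wpmu pure-ftpd: (siteadmin@198.51.100.7) [NOTICE] /var/www/themes/alpha/functions.php uploaded (4096 bytes, 51.20KB/sec)",
    "May  9 18:28:52 wpmu pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [siteadmin]",
]
SAMPLE_MTIMES = {
    "/var/www/themes/alpha/functions.php": datetime(2010, 5, 9, 18, 20, 14),
    "/var/www/themes/gamma/functions.php": datetime(2010, 5, 8, 3, 0, 0),
}

if __name__ == "__main__":
    found = correlate(SAMPLE_MTIMES, parse_ftp_log(SAMPLE_LOG, 2010))
    for path, evs in found.items():
        print(path, [(e[2], e[3], e[4]) for e in evs])
    print("suspect IPs:", suspect_ips(found, own_ips={"203.0.113.5"}))
```

A file with no matching FTP event is not cleared by this check: modification times can be reset by whoever wrote the file, and a change made through PHP rather than FTP leaves no entry in this log.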