Channel: Topic Tag: malware | WordPress.org

Fedner on "Code check (looking for backdoors)"


Hi everybody.
My WordPress website has recently been hacked: links to the xxxindianxxx website were injected in several files. Unfortunately I don't have a backup to restore (I know, I have been stupid!).
I cleaned up those links and now it seems to be OK. But, besides the undesired links, I was looking for backdoors to be sure I am safe. After reading this article, http://ottopress.com/2009/hacked-wordpress-backdoors/,
I performed some searches and I'd like to ask you whether this code is legitimate or not.

Looking for base64_decode():

/Users/admin/Sites/AikidoVV/wordpress/wp-content/plugins/jetpack/jetpack.php:
 3308  		}
 3309
 3310: 		$data = json_decode( base64_decode( stripslashes( $_GET['data'] ) ) );
 3311  		$data_filters = array(
 3312  			'state'        => 'opaque',

/Users/admin/Sites/AikidoVV/wordpress/wp-includes/class-feed.php:
  115  		}
  116  		if ( $type & SIMPLEPIE_CONSTRUCT_BASE64 ) {
  117: 			$data = base64_decode( $data );
  118  		}
  119  		if ( $type & ( SIMPLEPIE_CONSTRUCT_HTML | SIMPLEPIE_CONSTRUCT_XHTML ) ) {

/Users/admin/Sites/AikidoVV/wordpress/wp-includes/class-IXR.php:
  301                  break;
  302              case 'base64':
  303:                 $value = base64_decode($this->_currentTagContents);
  304                  $valueFlag = true;
  305                  break;

/Users/admin/Sites/AikidoVV/wordpress/wp-includes/class-wp-atom-server.php:
 1344  		if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
 1345  			list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) =
 1346: 				explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
 1347  		} else if (isset($_SERVER['REDIRECT_REMOTE_USER'])) {
 1348  			// Workaround for setups that do not forward HTTP_AUTHORIZATION
 1349  			// See http://trac.wordpress.org/ticket/7361
 1350  			list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) =
 1351: 				explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)));
 1352  		}
 1353  

/Users/admin/Sites/AikidoVV/wordpress/wp-includes/SimplePie/Sanitize.php:
  242  			if ($type & SIMPLEPIE_CONSTRUCT_BASE64)
  243  			{
  244: 				$data = base64_decode($data);
  245  			}

Looking for strrev():

/Users/admin/Sites/AikidoVV/wordpress/wp-admin/includes/post.php:
 1017  		$uri = get_page_uri($post);
 1018  		$uri = untrailingslashit($uri);
 1019: 		$uri = strrev( stristr( strrev( $uri ), '/' ) );
 1020  		$uri = untrailingslashit($uri);
 1021  		$uri = apply_filters( 'editable_slug', $uri );

/Users/admin/Sites/AikidoVV/wordpress/wp-includes/SimplePie/gzdecode.php:
  227  			if (current(unpack('S', "\x00\x01")) === 1)
  228  			{
  229: 				$mtime = strrev($mtime);
  230  			}
  231  			$this->MTIME = current(unpack('l', $mtime));

Thank you in advance.
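
One way to triage search hits like the ones listed in the post above, as an added example that is not part of the original post: a line is flagged only when a decoder feeds an execution function, wraps a long string literal, or reverses a string literal. The three rules, the names `triage` and `flagged`, and the two constructed sample lines are assumptions of this example.

```python
import re

# Heuristics assumed for this example; they are not an exhaustive rule set.
SINK = r"\b(?:eval|assert|create_function|system|passthru|shell_exec|exec)\s*\("
DECODER = r"\b(?:base64_decode|gzinflate|str_rot13|strrev)\s*\("
RULES = [
    ("decoded data reaches an execution sink",
     re.compile(SINK + r".*" + DECODER, re.I)),
    ("decoder applied to a long string literal",
     re.compile(DECODER + r"\s*['\"][A-Za-z0-9+/=]{40,}['\"]", re.I)),
    ("strrev() of a string literal (possible hidden function name)",
     re.compile(r"\bstrrev\s*\(\s*['\"]\w+['\"]\s*\)", re.I)),
]

def triage(line):
    """Return the names of the rules that one PHP source line matches."""
    return [name for name, rx in RULES if rx.search(line)]

# The matched lines quoted in the post above.
POSTED = [
    "$data = json_decode( base64_decode( stripslashes( $_GET['data'] ) ) );",
    "$data = base64_decode( $data );",
    "$value = base64_decode($this->_currentTagContents);",
    "explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));",
    "explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)));",
    "$data = base64_decode($data);",
    "$uri = strrev( stristr( strrev( $uri ), '/' ) );",
    "$mtime = strrev($mtime);",
]

# Constructed lines (not from the post) showing what the rules are meant to catch.
CONSTRUCTED = [
    'eval(base64_decode("' + "A" * 48 + '"));',
    "$f = strrev('edoced_46esab');",
]

def flagged(lines):
    """Return (line, rules) pairs for every line that matches at least one rule."""
    return [(line, hits) for line in lines if (hits := triage(line))]

if __name__ == "__main__":
    for line, hits in flagged(POSTED + CONSTRUCTED):
        print(hits, "<-", line)
```

A line that matches none of the rules has only passed these three checks; the surrounding file still needs comparing against a clean copy of the same WordPress or plugin version.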

