

eval disabled, still account hacked




Posted by xeonfan, 08-08-2010, 06:18 PM
On one of my servers I've disabled many PHP functions like

Now I found 2 users who seem to be using some WordPress theme which came with a built-in hack in footer.php, and that made their site replace the main page with a Kurdish hacker warning etc. No other user was compromised, except this strange footer file was common in both cases. This file read as

Any suggestions how the eval function even worked in PHP when it's disabled globally?

Posted by PCS-Chris, 08-08-2010, 06:38 PM
How are you running PHP on this system? SuPHP, DSO, FastCGI?

Posted by MikeDVB, 08-08-2010, 06:45 PM
You do realize that just because it's a .php file that was modified doesn't mean that PHP itself is what did it? It could very well have been an FTP bot that downloaded+modified+uploaded the files or any number of other exploits.

Posted by xeonfan, 08-09-2010, 03:07 AM
Only WordPress is getting affected, and some have the Kurdish hacker warning? The files I found look like they came from infected templates used by customers, which came with a built-in encoded hack file.

Posted by madaboutlinux, 08-09-2010, 05:26 AM
Right, there are many WordPress templates out there which have such encrypted code in their footer.php file, which has a link to pharmacy websites mostly. Not sure if such templates are hacked or the code is put there on purpose.

Posted by xeonfan, 08-09-2010, 07:54 AM
Another older WordPress hacked: an account running WordPress 2.9.2, where I found another encoded file. When decoded it has strange shell codes and a Gmail-based email; the possibility is that the script notifies that Gmail user about the vulnerable/hackable template used at xx website, so he can come and do the damage. Only templates are affected and no DB or other files are touched. Getting it checked by some experts now.

Last edited by xeonfan; 08-09-2010 at 08:00 AM.
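An added example, not from any poster in the thread: `eval` is a PHP language construct rather than a function, so `disable_functions` does not stop it, and theme files have to be checked for the encoded code itself. This Python scanner flags PHP files that combine `eval` with decoder calls or long base64 literals; the rule names, the 120-character threshold and the sample footers are constructed for illustration.

```python
import re
from pathlib import Path

# Heuristics for obfuscated PHP of the kind described in the thread.
# Rule names and the 120-character threshold are assumptions for this example.
RULES = {
    "eval-call": re.compile(r"\beval\s*\(", re.I),
    "decoder-call": re.compile(
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long-base64-literal": re.compile(r"""['"][A-Za-z0-9+/]{120,}={0,2}['"]"""),
}

def scan_php_source(text):
    """Return (line_number, rule_name) pairs in line order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

def is_suspicious(text):
    """Flag a file when eval appears together with a decoder or an encoded blob."""
    names = {name for _, name in scan_php_source(text)}
    return "eval-call" in names and bool(
        names & {"decoder-call", "long-base64-literal"})

def scan_tree(root):
    """Walk a directory (e.g. wp-content/themes) and list suspicious .php files."""
    flagged = []
    for path in sorted(Path(root).rglob("*.php")):
        if is_suspicious(path.read_text(errors="replace")):
            flagged.append(str(path))
    return flagged

# Constructed samples (not taken from the thread).
CLEAN_FOOTER = "<?php wp_footer(); ?>\n</body>\n</html>\n"
_BLOB = "QUJD" * 40  # 160 base64 characters that decode to repeated "ABC"
ENCODED_FOOTER = (
    "<?php wp_footer(); ?>\n"
    f"<?php $x = '{_BLOB}';\n"
    "eval(gzinflate(base64_decode($x))); ?>\n"
)

if __name__ == "__main__":
    print(scan_php_source(ENCODED_FOOTER))
    print(is_suspicious(CLEAN_FOOTER), is_suspicious(ENCODED_FOOTER))
```

A hit is a reason to review the file by hand and compare it against a clean copy of the theme, not proof of compromise on its own.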


