
XF 1.1 WP Exploit and XF

Big Dan

Active member
#1
Hi Guys,

A client of mine has a problem. Their WP install was exploited which added base64 code to every PHP file in their home directory. (Grr!) I've deleted all the PHP files from the XF install but kept /library/config.php and manually removed the code from that file.

I downloaded a fresh full zip from the customer's area (under her account) and reuploaded everything. The installer keeps kicking in despite a config.php being present. I copied /internal_data/install-lock.php from my site to hers and yet the installer kicks in still.

How do I stop the installer from kicking in? The data is already present in the DB.

Thanks,
Dan
 

Jake Bunce

XenForo moderator
Staff member
#2
> I copied /internal_data/install-lock.php from my site to hers and yet the installer kicks in still.

That should fix it. The installer won't run if that file exists. It should direct you to upgrade instead. Make doubly sure that file exists. Also check the file folder permissions. data and internal_data should be writable (777 or 755 on some servers).
 

mrGTB

Well-known member
#4
> Hi Guys,
>
> A client of mine has a problem. Their WP install was exploited which added base64 code to every PHP file in their home directory. (Grr!) I've deleted all the PHP files from the XF install but kept /library/config.php and manually removed the code from that file.
>
> I downloaded a fresh full zip from the customer's area (under her account) and reuploaded everything. The installer keeps kicking in despite a config.php being present. I copied /internal_data/install-lock.php from my site to hers and yet the installer kicks in still.
>
> How do I stop the installer from kicking in? The data is already present in the DB.
>
> Thanks,
> Dan

Be careful of certain FREE themes used with WordPress also, while not being malicious code added to do any harm. Many themes offered do use Base64 code to display 4-5 "spam links" in the footer area. There's one pretty good WordPress Theme site doing it with all their themes offered. I ran the code through a Base64 Encrypt/Decrypt site to read what it said used in about 4-6 of its theme files. It was used to stop you removing/editing the links from footer, if you do the theme stops working.

My advice, if you download a WP Theme to use from another site, other than WP itself. Open all its theme files in an editing program and do a mass search for "base64" first.
 

3rd AnGle

Well-known member
#5
> That should fix it. The installer won't run if that file exists. It should direct you to upgrade instead. Make doubly sure that file exists. Also check the file folder permissions. data and internal_data should be writable (777 or 755 on some servers).

Where exactly can I find this /internal_data/install-lock.php ??

I faced a similar issue when I installed a new WordPress... Can anyone provide me a file of install-lock.php ?
 

Big Dan

Active member
#7
> That should fix it. The installer won't run if that file exists. It should direct you to upgrade instead. Make doubly sure that file exists. Also check the file folder permissions. data and internal_data should be writable (777 or 755 on some servers).

Thanks Jake! It turned out to be a permissions issue.

> And note that avatars and attachments are stored in data and internal_data. They will be lost unless you saved those folders.

I did leave those intact. Just looked for PHP files in the subfolders. Luckily the forum is new so if I had to reinstall XF it would've been that much of an issue but I always try and preserve existing data for clients.

> Be careful of certain FREE themes used with WordPress also, while not being malicious code added to do any harm. Many themes offered do use Base64 code to display 4-5 "spam links" in the footer area. There's one pretty good WordPress Theme site doing it with all their themes offered. I ran the code through a Base64 Encrypt/Decrypt site to read what it said used in about 4-6 of its theme files. It was used to stop you removing/editing the links from footer, if you do the theme stops working.
>
> My advice, if you download a WP Theme to use from another site, other than WP itself. Open all its theme files in an editing program and do a mass search for "base64" first.

The client only uses themes from WP.org, I told her about the spam links quite a while ago. :)


--
This was a particularly nasty infection. Here are some details: http://sucuri.net/new-malware-eval-getmama-encoded-javascript.html It added the base64 code to every PHP file in the user's home directory, then chmod'ed them to 444. My first two uploads of fresh WP files had no effect until I realized the file perms.
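
Added example, not part of the thread and not XenForo or WordPress code: a Python scan that automates the "mass search for base64" advice above and also reports files with no write bits, the 444 state described in the last post. The file names and payload strings in the sample tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

B64_CALL = re.compile(rb"base64_decode\s*\(", re.I)
# eval() fed directly, or through wrappers such as gzinflate(), by base64_decode()
EVAL_B64 = re.compile(rb"eval\s*\(\s*(?:@?\w+\s*\(\s*)*base64_decode\s*\(", re.I)

def scan_php_tree(root):
    """Return sorted (relative path, kind, read_only) for PHP files using base64_decode."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if not B64_CALL.search(data):
                continue
            kind = "eval+base64" if EVAL_B64.search(data) else "base64"
            mode = stat.S_IMODE(os.stat(path).st_mode)
            read_only = (mode & 0o222) == 0  # no write bits set, e.g. 0444
            findings.append((os.path.relpath(path, root), kind, read_only))
    return sorted(findings)

def build_sample_tree(root):
    """Write constructed sample files (hypothetical names and payload strings)."""
    samples = {
        "index.php": b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>\n<?php echo 'home';\n",
        "theme/footer.php": b"<?php echo base64_decode('Y29uc3RydWN0ZWQ=');\n",
        "library/config.php": b"<?php $config['db']['host'] = 'localhost';\n",
        "notes.txt": b"mentions base64_decode( but is not a PHP file\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    os.chmod(os.path.join(root, "index.php"), 0o444)  # mode the infection left behind

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, kind, read_only in scan_php_tree(tmp):
            print(f"{kind:12} {'read-only' if read_only else 'writable':9} {rel}")
```

A plain "base64" hit is only a lead for manual review, since legitimate code also calls base64_decode; a read-only hit marks a file that needs its permissions restored before a fresh copy can replace it.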