
XF 1.1 WP Exploit and XF

Discussion in 'Installation, Upgrade, and Import Support' started by Big Dan, Mar 16, 2012.

  1. Big Dan

    Big Dan Active Member

    Hi Guys,

    A client of mine has a problem. Their WP install was exploited which added base64 code to every PHP file in their home directory. (Grr!) I've deleted all the PHP files from the XF install but kept /library/config.php and manually removed the code from that file.

    I downloaded a fresh full zip from the customer's area (under her account) and reuploaded everything. The installer keeps kicking in despite a config.php being present. I copied /internal_data/install-lock.php from my site to hers and yet the installer kicks in still.

    How do I stop the installer from kicking in? The data is already present in the DB.

  2. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    That should fix it. The installer won't run if that file exists. It should direct you to upgrade instead. Make doubly sure that file exists. Also check the file folder permissions. data and internal_data should be writable (777 or 755 on some servers).
    Big Dan likes this.
  3. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    And note that avatars and attachments are stored in data and internal_data. They will be lost unless you saved those folders.
    Big Dan likes this.
  4. mrGTB

    mrGTB Well-Known Member

    Be careful of certain FREE themes used with WordPress also, while not being malicious code added to do any harm. Many themes offered do use Base64 code to display 4-5 "spam links" in the footer area. There's one pretty good WordPress Theme site doing it with all their themes offered. I ran the code through a Base64 Encrypt/Decrypt site to read what it said used in about 4-6 of its theme files. It was used to stop you removing/editing the links from footer, if you do the theme stops working.

    My advice, if you download a WP Theme to use from another site, other than WP itself. Open all its theme files in an editing program and do a mass search for "base64" first.
    Spenser and Big Dan like this.
  5. 3rd AnGle

    3rd AnGle Well-Known Member

    Where exactly can I find this /internal_data/install-lock.php?

    I faced a similar issue when I installed a new WordPress... Can anyone provide me a file of install-lock.php?
  6. mrGTB

    mrGTB Well-Known Member

    In your XenForo install directory.

  7. Big Dan

    Big Dan Active Member

    Thanks Jake! It turned out to be a permissions issue.

    I did leave those intact. Just looked for PHP files in the subfolders. Luckily the forum is new so if I had to reinstall XF it would've been that much of an issue but I always try and preserve existing data for clients.

    The client only uses themes from WP.org, I told her about the spam links quite a while ago. :)

    This was a particularly nasty infection. Here's some details: http://sucuri.net/new-malware-eval-getmama-encoded-javascript.html It added the base64 code to every PHP file in the user's home directory then chmod'ed them to 444. My first two uploads of fresh WP files had no effect until I realized the file perms.
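
The "mass search for base64" suggested earlier in the thread and the 444 permissions described in the last post can be checked in one pass over a site's files. This is an added example, not code from the thread or from XenForo or WordPress; the regexes, function names and sample files are constructed assumptions, and a bare `base64_decode()` hit only marks a file for manual review.

```python
import os
import re
import tempfile

# Heuristic patterns (assumptions, not signatures for the infection in the thread).
DECODE_CALL = re.compile(rb"base64_decode\s*\(", re.I)
EVAL_DECODE = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)

def scan_php_tree(root):
    """Return findings, sorted by path, for PHP files that call base64_decode()."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                write_bits = os.stat(path).st_mode & 0o222
            except OSError:
                continue  # unreadable entry: skip it and keep scanning
            if not DECODE_CALL.search(data):
                continue
            # eval() of decoded data is hidden code execution; a bare decode needs a manual look.
            severity = "high" if EVAL_DECODE.search(data) else "review"
            # No write bits (e.g. 444): per the thread, fresh uploads did not replace such files.
            findings.append({"path": os.path.relpath(path, root), "severity": severity,
                             "read_only": write_bits == 0})
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree(root):
    """Write constructed samples: a clean file, an injected 444 file, a theme-style file."""
    samples = {
        "index.php": (b"<?php echo 'hello'; ?>", 0o644),
        "wp-load.php": (b'<?php eval(base64_decode("ZWNobyAxOw==")); ?><?php // original', 0o444),
        "theme/footer.php": (b'<?php echo base64_decode("PGEgaHJlZj0iIyI+"); ?>', 0o644),
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan_php_tree(tmp), sep="\n")
```

Files reported with `read_only` set need their permissions corrected before a clean copy is uploaded over them.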
