Wordpress Themes - WP Forum at BFA
How to eliminate a nasty infection from Atahualpa?


  #1  
Old Jun 13, 2015, 09:21 PM
markzip
 
60 posts · Jan 2010
http://mayapplepress.com/
WP 4.2.2
Atahualpa 3.7.7

There is a persistent nasty on all pages and posts on the site:
It happens just after the end of the </head> tag and it looks like this:
Code:
...</head>
<body class="single single-post postid-3408 single-format-standard">
<div id="wrapper">
<div style="position:absolute; top:-850px;" id="dovanta"> <a href="http://mayapplepress.com/status/doxycycline.php" title="buy doxycycline online">Buy doxycycline online</a> always better to consult</div>
<div id="container">
<table id.....
Note that the example above is for context and this contains a specific postid. This number changes depending on the page or post, of course.

So the problematic code looks like this:
Code:
<div style="position:absolute; top:-850px;" id="dovanta"> <a href="http://mayapplepress.com/status/doxycycline.php" title="buy doxycycline online">Buy doxycycline online</a> always better to consult</div>
This code survives shutting off all plugins. It does not survive switching to the default WP 2015 theme.

Thus, it must be part of the Atahualpa theme, no?

Thoughts?

TIA
  #2  
Old Jun 14, 2015, 06:43 AM
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
Are you actually on version 3.7.7??? The current version of Atahualpa is 3.7.27.
Version 3.7.7 was released back in 2012!
I would say you need to do an upgrade - Do a backup of your site first.

I know of no infections caused via the theme (not that I'm saying it is impossible). I'm actually amazed that Atahualpa 3.7.7 is running on WP 4.2.2.

You could have gotten hacked in any number of ways and it could even be in the WP code at this point. You need to start going thru the steps to fix your hacked site.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support

Last edited by juggledad; Jun 14, 2015 at 06:47 AM.
  #3  
Old Jun 14, 2015, 06:19 PM
markzip
 
60 posts · Jan 2010
While I know that I should do an update of Atahualpa, the install is somewhat modified and I would rather avoid a manual update. But I will do it.

I assume that the infection is not in WP or any plugins, as it does not survive turning off Atahualpa and all plugins.
  #4  
Old Jun 14, 2015, 08:03 PM
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
You may just not be seeing it - ie it may be hidden and will show at some time.

As it is, go thru each of the Atahualpa option pages and hit the green save button to clear up some of the warning messages you are now seeing. They are from new options that need to be initialized.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support

Last edited by juggledad; Jun 14, 2015 at 08:05 PM.
  #5  
Old Jun 14, 2015, 08:47 PM
cefiar
 
24 posts · Jun 2014
Melbourne, Australia
What you may have is an infection that scans through a site's PHP and replaces certain functions with its own. This means you've been hacked in some way (eg: a WordPress vulnerability, password exposure, brute force password hacks, etc). They tend to do this in a single "once off" pass when they first penetrate your site.

A lot of these either happen to target basic code that is used in a lot of WP themes, or they infect WP themes by inserting code near the start of the main function file for each theme. They may only target the running theme, or they might target all installed themes.

As for why you don't see it in the 2015 theme: If most of the code has been inserted into all themes at the time of the intrusion (eg: Atahualpa), and then you upgraded the built in theme 2015, this hack/change may have been wiped.

As for why you should not trust simply changing the theme to fix it: If extra code has been left on the system elsewhere that checks if you've attempted to clean the infection (but not fully removed it), then you can get re-infected. This could be as simple as a hidden extra PHP script called by remote (once they've noticed) or via a WP Cron job that fires on some longer time scale, or it could be something that is stored in the DB and triggered by other means (eg: SQL injection).

Once you have any sort of foreign code running on your site, you really need to consider everything on the site as potentially hazardous. If I was you, I would extract just the content of the site (and inspect the recovered content before restoring it), and redo the rest from scratch. This includes reviewing users and any method of access for the site.

Basically: Once a system has been pwned, you really need to redo everything from scratch, check everything at least twice to make sure it's clean, and all passwords should also be changed (never use the old ones again).

(moderator note: and by changing all passwords - WordPress's, MySQL, cPanel, your hosting account, FTP, your own computers (could be a key logger on your computer) and anyone else's computer with admin access to any of those areas)

Last edited by juggledad; Jun 15, 2015 at 04:14 AM.
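Two checks that follow from this thread, written here as an added example (not code from the thread, from markzip's site or from the Atahualpa project): the first walks rendered HTML for links inside a div pushed off-screen with CSS, the pattern shown in post #1; the second scans a theme PHP file for decode/eval calls and notes whether they sit near the top of the file, where cefiar says injected code tends to land. The off-screen threshold, the flagged function list and the sample inputs are my own constructed choices.

```python
import re
from html.parser import HTMLParser

# A div moved hundreds of pixels off-screen is the hiding trick from post #1.
OFFSCREEN_STYLE = re.compile(r"(?:top|left)\s*:\s*-\d{3,}px", re.I)

class HiddenLinkFinder(HTMLParser):
    """Collect (div id, href) for every link nested inside an off-screen div."""
    def __init__(self):
        super().__init__()
        self.depth = 0          # nesting depth while inside a hidden div
        self.current_id = None  # id of the outermost hidden div
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div" and (self.depth or OFFSCREEN_STYLE.search(a.get("style") or "")):
            if not self.depth:
                self.current_id = a.get("id", "")
            self.depth += 1
        elif tag == "a" and self.depth and a.get("href"):
            self.hits.append((self.current_id, a["href"]))

    def handle_endtag(self, tag):
        if tag == "div" and self.depth:
            self.depth -= 1

def find_hidden_links(html):
    parser = HiddenLinkFinder()
    parser.feed(html)
    return parser.hits

# Calls commonly used to unpack an injected payload at runtime (my own list).
PHP_RED_FLAGS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\(", re.I)

def scan_php_source(src, head_lines=15):
    """Return (line number, call name, near_top) for each flagged call."""
    hits = []
    for n, line in enumerate(src.splitlines(), 1):
        for m in PHP_RED_FLAGS.finditer(line):
            hits.append((n, m.group(1).lower(), n <= head_lines))
    return hits

# Constructed sample page reproducing the injected div from post #1.
SAMPLE_HTML = """<html><head><title>constructed sample</title></head>
<body class="single single-post postid-3408 single-format-standard">
<div id="wrapper">
<div style="position:absolute; top:-850px;" id="dovanta"> <a href="http://mayapplepress.com/status/doxycycline.php" title="buy doxycycline online">Buy doxycycline online</a> always better to consult</div>
<div id="container"><a href="https://example.com/visible">visible link</a></div>
</div></body></html>"""

# Constructed functions.php with a decode-and-eval line injected near the top.
SAMPLE_PHP = """<?php
/* constructed sample theme functions file */
eval(base64_decode('CONSTRUCTED_PLACEHOLDER_PAYLOAD'));
function bfa_example() { return 1; }
"""
```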
  #6  
Old Jun 15, 2015, 12:55 PM
markzip
 
60 posts · Jan 2010
Welp. I've had a good clean and scrub and AFAIK I'm now disinfected.

The only real hassle was the installation forgetting the placement of widgets in the sidebars and the content of text widgets. I was a little surprised that the backups did not appear to contain that stuff. I didn't spend much time pursuing it and just chose to reconstruct from scratch.

Took me a little while to figure out the new Ata images regime, but it'll be better in the long-run.

It would be great to know how they got in, as I'm pretty careful about staying up to date (with the exception of theme updates, apparently). I don't suppose I'll ever know.

Thanks as always for the help and advice.

Zip

Tags
dovanta, doxycycline, hacked, infection
