Was I Hacked?

kyaizen

May 26, 2007
OK, so I tried to log on to the backend of my WordPress site and this error came out -


Code:
Fatal error:  Cannot redeclare pb_backupbuddy_ui::start_metabox() in /home/viperbla/public_html/xxxxxxxxxxxxx.com/wp-content/plugins/backupbuddy/pluginbuddy/classes/ui.php on line 460
I looked at the ui.php file and found that there's a line of code which wasn't there previously (I did a backup) -

What is this nonsense - Pastebin.com

Did I get hacked? What gives?
 


That $zend_framework is "create_function". The data after it is the function that gets created, which decodes to a base64_decode and a base64 string. That is then some further obfuscated stuff which evals more code.

Basically junk you don't want on your site.

Can you also run your site through Is it Hacked? and see if it comes back with anything?
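
A defender's check for the situation in this thread, as an added example that is not part of any poster's message: diff the live plugin file against the clean backup and flag added lines containing the indicators named above (create_function, base64_decode, eval), including names hidden with hex/octal escapes or string concatenation. The escape handling, the 80-character threshold and the sample lines are assumptions constructed for illustration; the thread's paste is not reproduced.

```python
import difflib
import re

# Indicators named in the thread.
INDICATORS = ("create_function", "base64_decode", "eval")
# Assumption: a quoted run of 80+ base64 characters is an encoded payload.
LONG_B64 = re.compile(r"""["'][A-Za-z0-9+/=]{80,}["']""")
ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([0-7]{1,3})")
CONCAT = re.compile(r"""(["'])\s*\.\s*\1""")


def normalise(line):
    """Undo PHP string tricks that hide a function name from plain grep."""
    def unescape(m):
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2), 8)
        return chr(code & 0xFF)
    line = ESCAPE.sub(unescape, line)   # "\x65\x76\x61\x6c" -> "eval"
    return CONCAT.sub("", line)         # "cre"."ate" -> "create"


def suspicious(line):
    """Return the indicators found in one line of PHP source."""
    text = normalise(line).lower()
    hits = [n for n in INDICATORS if re.search(r"\b%s\b" % n, text)]
    if LONG_B64.search(line):
        hits.append("long_base64_literal")
    return hits


def audit(backup_src, live_src):
    """Lines in the live file that are absent from the backup, with hits."""
    diff = difflib.ndiff(backup_src.splitlines(), live_src.splitlines())
    added = [d[2:] for d in diff if d.startswith("+ ")]
    return [(line, suspicious(line)) for line in added]


# Constructed sample: a clean class file and one injected line (payload elided).
CLEAN = ["<?php", "class pb_backupbuddy_ui {",
         "  function start_metabox() {}", "}"]
INJECTED = r'$zf="\x63\x72\x65\x61te_"."function";@$zf("","/* elided */");'

if __name__ == "__main__":
    live = CLEAN[:1] + [INJECTED] + CLEAN[1:]
    for line, hits in audit("\n".join(CLEAN), "\n".join(live)):
        print(hits or ["added, no indicator"], line[:60])
```

An added line with no indicator is still worth reading by hand, since the file should match the backup exactly.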
 
Google "base64 wordpress hack". Looks like what hit you. I'd do a sec audit, delete the WP install, import your unaffected backup, change all passwords, maybe contact host to see about logs.
 
As Sean said, yes you got hacked.

Restore a backup which is NOT infected. Update your WordPress installation. If you're using a script that occasionally runs backups - DO NOT keep a lot of them on your server. Occasionally move them to something like dropbox or box.net or another off-location secure file server.

Here is the first level of decode for the code that you posted above.

PHP:
First Level of Uncoding - Pastebin.com
 
Thanks, guys.

This server has been hacked a lot of times over the past year. I'm not sure if it's because of my WordPress scripts or the server itself. Is there a way to check? If it's the latter, I could just move to a new host after the cleanup.
 
If you think it has been HACKED, then report to Wicked Fire... they will analyze and see that it never happens again! Don't allow Hackers or spammers inside WICKED FIRE