Mysterious “btst” DIV hack on this site…FOUND

This is fun, right?

For a long time, I’ve had a hidden (actually just aligned 4000+ pixels off to the left) DIV at the top of every page of this site that included links to websites I have no interest in. I did not put the DIV there. I did not want the DIV there. For a year or two, I have been wanting to kill that DIV but could not figure out how.

Ah, the joys of shared hosting.

Well, this morning I found the code that was causing the problem and I got rid of it. If you’re in a similar situation and have a similar DIV at the top of every page of your [expletive deleted] WordPress site, the following info may help. Note that my situation may not completely match yours so I can not guarantee this will solve your problem. My site’s DIV was immediately followed by an HTML comment that looked like the following comment, in case it helps match my situation to yours:

<!-- btst -->

The code that was causing this DIV to be added was hidden in a BASE 64 encoded string that was being decoded and “eval’ed” in the wp-config.php file in the root directory of my site. The line looked like this (I’m editing the encoded gibberish because I don’t want to share anything useful beyond the appearance of the text):

eval(base64_decode("Slajsdfa9879asf99fda987f87a9d/sfafafblahblahblahlasLKkjhk8978979moreblahblahblahJjHHE=="));

The line was immediately after the ob_start() command. I deleted it with extreme prejudice.

Voila, no more DIV at the top each page.

I’ll note here that the wp-config.php file was set to mode 644 so only I, the owner, had write permission on the file. This tells me that something within WordPress may have added the nefarious code. I guess I’ll know in a few days because the lines will return to wp-config.php. If so, screw it, I’ll do what I’ve been threatening for years and dump WordPress for good.

This entry was posted in WordPress.

Comments are closed.