Huge Problem!! Please Help!!

Discussion in 'WordPress' started by baskin, Jan 25, 2009.

  1. #1
    Hello,

    I guess I am in real trouble. I was just viewing my blog's Google Analytics report and I found a really bizarre URL from my themes folder which actually does not physically exist... it's something like
    /wp_content/themes/classic/bankofamerica.com/....

    I really don't know where it came from. And I again checked my analytics account 2 minutes ago and there is another similar link...
    /wp-content/themes/classic/www.wellsfargo.com.www .wellsfargo. com
    Does anyone know what the problem is about??
    I have set my folder permissions to 644, but even then, this is happening.
    Where could the fault lie...??
    Here is the screen shot...

    [IMG]
     
    baskin, Jan 25, 2009 IP
  2. carminx

    #2
    As you can see, your site was hacked. Now it hosts a scam for Bank of America. Remove it and take a look at the logs.
     
    carminx, Jan 25, 2009 IP
  3. baskin

    #3
    How am I supposed to do that!!?? :confused:
     
    baskin, Jan 25, 2009 IP
  4. buldozerceto

    #4
    I think someone was trying to hack you. Check the IP address to block them.
     
    buldozerceto, Jan 25, 2009 IP
  5. baskin

    #5
    Checking IP and blocking!!?? How is that... :confused:
    God!!! What's happening...
     
    baskin, Jan 25, 2009 IP
  6. myp

    #6
    The files may be hidden; make sure you enable 'show hidden files' in your FTP client and then you should be able to delete them.

    Edit: As for IP blocking, if the visits to those URLs were direct then just ban the IP addresses of those visitors. If it wasn't direct, then it may not actually be the people who did the hack as they could've simply followed a link.
     
    myp, Jan 25, 2009 IP
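
An added example, not part of the original thread: one way to apply the direct-versus-referred distinction from post #6 to a web server access log, and to see from the status code whether the server actually returned content for the odd theme paths. It assumes the Apache "combined" log format; the log lines are constructed, the IPs and hostnames are documentation values, and `suspicious` and `triage` are hypothetical helper names.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format (assumed; adjust if the host logs differently).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
# A path segment that looks like a hostname, e.g. .../classic/bank.example.com/...
DOMAIN_SEGMENT = re.compile(r'^(?:[a-z0-9-]+\.)+(?:com|net|org)$', re.I)

# Constructed sample lines; IPs and hostnames are documentation values.
SAMPLE = [
    '192.0.2.10 - - [25/Jan/2009:10:01:02 +0000] "GET /wp-content/themes/classic/bank.example.com/login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Jan/2009:10:03:44 +0000] "GET /wp-content/themes/classic/bank.example.com/login.html HTTP/1.1" 200 5120 "http://mail.example.net/inbox" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Jan/2009:10:05:00 +0000] "GET /wp-content/themes/classic/style.css HTTP/1.1" 200 900 "http://blog.example.org/" "Mozilla/5.0"',
    '192.0.2.10 - - [25/Jan/2009:10:06:00 +0000] "POST /wp-content/themes/classic/bank.example.com/submit.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

def suspicious(path):
    """True if a hostname-like segment appears below the themes directory."""
    parts = [p for p in urlsplit(path).path.split('/') if p]
    if 'themes' not in parts:
        return False
    below = parts[parts.index('themes') + 1:]
    return any(DOMAIN_SEGMENT.match(seg) for seg in below)

def triage(lines):
    """Per client IP: direct hits, referred hits, 2xx responses, referer hosts."""
    report = defaultdict(
        lambda: {'direct': 0, 'referred': 0, 'served': 0, 'referers': set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not suspicious(m['path']):
            continue
        entry = report[m['ip']]
        if m['referer'] in ('', '-'):
            entry['direct'] += 1          # typed, bookmarked or scripted request
        else:
            entry['referred'] += 1        # visitor followed a link from elsewhere
            entry['referers'].add(urlsplit(m['referer']).hostname or m['referer'])
        if m['status'].startswith('2'):
            entry['served'] += 1          # server returned content for this path
    return dict(report)

if __name__ == '__main__':
    for ip, info in triage(SAMPLE).items():
        print(ip, info)
```

A non-zero `served` count means the server answered those paths with content, so something is producing it even if the directory is not visible over FTP.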
  7. craiger22

    #7
    I would also contact your host as well. They can log into the root account to be sure everything is clear. I am sure that they won't want the problem either.
     
    craiger22, Jan 25, 2009 IP
  8. baskin

    #8
    Thanks guys... I did contact the host. But they said that even they were not able to view any such file. I also enabled the "show hidden files" option, but nothing is seen as such...


    I just checked for the IP addresses in my cPanel and I am not sure whether or not to ban the IP.

    I didn't understand this "Referer" thing... now, should I ban the IP address given as 'Host'??
    Also, there is a range of IP addresses from 64.12.116.14 to 64.12.117.108 which are displayed in the same way as above.
    Should I ban this entire range??
     
    baskin, Jan 25, 2009 IP
  9. bojomojo

    #9
    This is code injection; you placed correct permissions on the folder but not the theme files.
    Your theme files have been edited to show such links. I would go over them to see which has such links and remove them, then rebuild your sitemap.
     
    bojomojo, Jan 26, 2009 IP
  10. baskin

    #10
    Hi, can you be a bit more clear about this? I mean, this link starts from my main theme folder and not from any of its sub folders. And my main theme folder consists of no files. It just has sub folders and they are set to 755.

    So where exactly should I go and search for these links?
     
    baskin, Jan 26, 2009 IP
  11. bojomojo

    #11
    All the theme files. Go to the theme editor in the WP control panel and inspect each file in there. They are not many.
     
    bojomojo, Jan 26, 2009 IP
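
An added example, not part of the original thread: a scripted version of the checks suggested in posts #6, #9 and #11, walking the theme tree for hidden entries, directories named like hostnames, and files or folders looser than the 644/755 permissions mentioned above. It assumes shell or script access to the WordPress files; `audit_theme_tree` and `demo` are hypothetical names and the sample tree is constructed in a temporary directory.

```python
import os
import re
import stat
import tempfile

DOMAIN_NAME = re.compile(r'^(?:[a-z0-9-]+\.)+(?:com|net|org)$', re.I)

def audit_theme_tree(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                findings.append((rel, 'symlink'))
                continue
            if name.startswith('.'):
                # FTP clients often hide dot-entries unless told to show them.
                findings.append((rel, 'hidden'))
            if stat.S_ISDIR(mode) and DOMAIN_NAME.match(name):
                findings.append((rel, 'domain-like directory'))
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                # Looser than the 644 (files) / 755 (folders) used in the thread.
                findings.append((rel, 'group/world-writable'))
    return sorted(findings)

def demo():
    """Build a constructed theme tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            'classic/style.css': 0o644,
            'classic/index.php': 0o666,                    # looser than 644
            'classic/.cache/x.php': 0o644,                 # inside a hidden folder
            'classic/bank.example.com/login.html': 0o644,  # hostname-like folder
        }
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'w') as fh:
                fh.write('constructed sample\n')
            os.chmod(path, mode)
        for dirpath, _, _ in os.walk(root):
            os.chmod(dirpath, 0o755)                       # fixed, umask-independent
        return audit_theme_tree(root)

if __name__ == '__main__':
    for rel, reason in demo():
        print(f'{reason:24} {rel}')
```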
  12. baskin

    #12
    Done that... but no such links found in any of the theme files...:confused:
     
    baskin, Jan 26, 2009 IP
  13. myp

    #13
    Check your page source to see if the bad links are still there (in Firefox you can right click and hit 'view page source'). If they are and you haven't made any mods to your theme then you can simply delete it and then upload a fresh copy of it (if you have made mods, then you can still do this and redo the mods if you want). See if that fixes it...
     
    myp, Jan 26, 2009 IP
  14. baskin

    #14
    Thankfully, the problem is solved for now as these links are not showing up anymore in my traffic report. But I wish it won't pop up again in future.
    Thanks a lot you guys :)
     
    baskin, Jan 26, 2009 IP
  15. craiger22

    #15
    craiger22, Jan 26, 2009 IP
  16. baskin

    #16
    Thank you craiger :)
    I did install the plugin.
    Things are going good now :)
     
    baskin, Feb 6, 2009 IP