Hi guys, my WordPress seems to have been compromised. Now whenever you go on any page, two URLs are loaded in the background: aventurapark.com.ec/anuncios/direccion.php and npnonline.in. They don't actually appear to be doing any damage and none of my users' anti-virus software is picking it up, so I wanna get rid of it quick before Google or something slaps me with a "this is an attack site" warning. I can't seem to pinpoint the JavaScript or code or whatever, and only seem to have found a few instances in the source of pages, but this loads on every PHP page! The initial virus was cleaned off the server by my host, but the results are still within the pages. I need some kind of mass search script I can install on my server to search for instances of the above URLs and remove them. There's no way I can go through each one.
We just had a pair of threads on this a few days back, although I don't recall the posters ever got back to us. Chances are you're running a "free premium theme" from somewhere where the theme's footer.php file is encrypted with a loader. If so, you probably should unencrypt the file and get the code out of there or install a new theme without any encryption. A link to your site would be a plus so we can double check.
Learn Linux. Then you can just do things like:

    grep -lR "aventurapark.com.ec" /path/to/wordpress | xargs sed -i 's/string containing hacked things//g'

That would find all files containing "aventurapark.com.ec" and replace the string "string containing hacked things" with nothing. Very fast and efficient.
And won't work. If the theme file is calling an offsite script, that URL is being provided offsite and not in any local file. Edit: And since the file in question is encoded with JavaScript, the string won't be found either.
That's just a technicality to adjust to that. The main point is that if you want to make a nice $$$ on your own quickly and efficiently, you absolutely must know Linux. I think I'll write a book about my success later.
Use this: http://wordpress.org/extend/plugins/tac/ TAC stands for Theme Authenticity Checker. Currently, TAC searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code. As of v1.3 TAC also searches for and displays static links.
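A read-only version of the search discussed above, as an added example that is not part of any post in this thread: it reports file, line number and a truncated snippet for the two domains named in the first post and for eval() wrapped around a decoder. The decoder pattern is an assumed heuristic for encoded loaders, not something the thread specifies, and the function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only scan of a WordPress tree. Nothing is modified.

# The two domains named in the first post, dots escaped for grep -E.
IOC_RE='aventurapark\.com\.ec|npnonline\.in'

# Assumed heuristic (not from the thread): eval() wrapped around a decoder,
# a common shape for encoded PHP loaders.
LOADER_RE='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\('

# scan_wp_tree DIR: print "file:line:snippet" for every hit, sorted.
# Snippets are cut to 200 characters so long encoded lines stay readable.
scan_wp_tree() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f \( -name '*.php' -o -name '*.js' -o -name '*.htm*' \) \
        -exec grep -nHiE -e "$IOC_RE" -e "$LOADER_RE" {} + 2>/dev/null |
        cut -c1-200 | sort
}

# count_hits DIR: number of distinct files with at least one hit
# (assumes file paths contain no ':').
count_hits() {
    scan_wp_tree "$1" | awk -F: '!seen[$1]++ { n++ } END { print n + 0 }'
}

# make_sample_tree: build a constructed theme directory and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    theme="$t/wp-content/themes/demo"
    mkdir -p "$theme"
    printf '%s\n' '<?php get_header(); ?>' > "$theme/index.php"
    printf '%s\n' '<?php' 'eval(base64_decode("ZWNobyAxOw=="));' > "$theme/footer.php"
    printf '%s\n' '<script src="http://npnonline.in/"></script>' > "$theme/header.php"
    echo "$t"
}

# Usage: sh scan.sh /path/to/wordpress
[ "$#" -eq 0 ] || scan_wp_tree "$1"
```

A clean result only means these particular patterns were not found in files on disk; injected content stored in the database or fetched from an offsite script will not show up here.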
Oh btw, see my 2 cent guide to securing wordpress: http://forums.digitalpoint.com/showthread.php?t=1563995
Thanks guys - I had a chat with the host and they eventually got rid of it. I think they got through some old image gallery plugin.
I've found that old unpatched versions of anything that utilizes TinyMCE are affected too. Not sure if it applies to you, but just adding information to the thread. Glad you got this squared away.