Can you provide a link to your site please?
You might want to check with your host and see if they can run your site through some sort of scanner and see if it’s been hacked.
Or you may want to download your theme files and see if there are any weird files in there.
It does sounds like something malicious is going on.
Thread Starter
jacey
(@jacey)
http://www/jackcurtin.com/ldo. Host has checked and found nothing evident.
I did find a plugin called nrelate Related Content which I never installed and which I have disabled.
What should I be looking for in theme files? A quick search doesn’t show anything obvious.
In your HTML source code, I can see this:
<!--
top.location="http://pagesinxt.com/?dn=www.wpstats.org&fp=wiiaqB%2BcbViX3VFDWlwapb0JHRJmoC4knolUjmCLJJuP8Pg532JrTxqbrXKJcHQmNF0hNQveKmm%2FpP5zVUyJ3Q%3D%3D&prvtof=D2MpvQRniEupJvyTyVqHF1qIsZy0ZMZm6wFwhBdFsLw%3D&poru=dHIQZK7nyAbHK5dvk7kdUD7%2BM8Nim6Y3xsbaWOM%2Bxm2az%2FGb7PYluKNxUx2abX9b4dHJBwmZerIWOmsQYtAr92Ghl7xA03g9R1DtJf2SzLg%3D&cifr=1&flrdr=yes&nxte=js";
/*
-->
I would look at your header.php and see what’s in there.
Look in the .htaccess file in the root folder.
I just ran your site through the sucuri scanner – http://sitecheck.sucuri.net/results/jackcurtin.com/ldo/
and your site is indeed infected.
Here are some links to help you out:
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
Once you have cleaned up your site, make sure to change your WordPress and FTP passwords.
Good luck…
One more thing.. If you got this theme from a Google search it might have come with the malicious code in it.
You could try and do a theme switch and see if that solves the issue. Make sure you pick one from the theme repository though.
There’s a lot of nasty folks out there. 🙁
Thread Starter
jacey
(@jacey)
Still a disaster.
Can you tell where to find this source code text you and sucuri uncovered:
[Code moderated. Please do not post hack code blocks in the forums.]
Also, where is the .htaccess file?
As per the instructions in the resources posted above, you have to check right through your site. Your .htaccess file is in your root WordPress folder – assuming you are using (or have used) custom permalinks.
Thread Starter
jacey
(@jacey)
Yeah, I’m a bit slow. Sorry. Found .htaccess and it seems fine. Still do not know which file I am looking for to see html source code.
Chances are that you will not find that exact source markup in your files. what it might be (for example) is a javascript that’s adding the markup. Or a php file that contains obfuscated code. Certainly anything that contains 1evalorbase64` is Not Right(tm).
Thread Starter
jacey
(@jacey)
I find two .htacess files, one in the home directory with zero bytes and a 2020 datedand another in /public_html/ with 369 bytes and today’s date/. Does that tell us anything(and I’ll stop being annoying with questions after this until and unless I can find that troublesome code). Thanks.
The empty one in your root WP folder suggests that you’re not using custom permalinks but that’s about it. The one in your web root doesn’t tell us anything really.
Jacey, did you find out how to fix the problem? The same thing happened to my site and much of the terminology in the “how to fix hacked sites” on WP goes right over my novice head. Any info you can give me about how you fixed it would be greatly appreciated! Or if you can recommend someone good and reasonably priced if that’s what you did.
WPyogi, thanks, but I already have that info. I was asking Jacey if he found any shortcuts.
Jacey- in case this helps you since you seemed to have the same problem- I just deactivated all my plug-ins and my site came back up! I then reactivated them one by one and found the plug-in culprit: “spamcap.”
Thread Starter
jacey
(@jacey)
My apologies to you and everyone reading this thread; I should have reported the problem solved and what the solution was. A friend of mine helping me out found the malicious code in the WordPress Database
Backup plugin. Try disabling or removing that and see if it helps. If not, I guess the best course is to check other plugins. Maybe one of the moderators here will jump in and add more suggestions. Good luck.
