[resolved] Is this a hack on my site? (14 posts)

  1. catnhat
    Member
    Posted 9 months ago #

    This appears to me to be a hack on my site. I am not technical enough to know better. The following is showing up in my HTML when I try and validate pages on my site. Can anyone confirm if this is a hack or a feature?

    [Code moderated as per the Forum Rules. Please use the pastebin]

  2. Jackson
    Member
    Posted 9 months ago #

    Obfuscated code like that is never a good sign, especially if you don't know how or why it's there.

    Try running your site through this tool: http://sitecheck.sucuri.net/

    Then refer to this documentation: http://codex.wordpress.org/FAQ_My_site_was_hacked

  3. catnhat
    Member
    Posted 9 months ago #

    The odd thing is, I am only getting this issue with the Widescreen Theme. And sitecheck.sucuri.net scans the site and thinks it's a hack.

  4. Rev. Voodoo
    Volunteer Moderator
    Posted 9 months ago #

    It would make sense that it only appears on one theme. Either that theme has been compromised, or it came with shady code.

  5. catnhat
    Member
    Posted 9 months ago #

    Yes, it appears the theme I had was compromised. I removed all themes, reinstalled just the 1 from a fresh download and it's clean.

    Thanks for the help everyone!

  6. Rev. Voodoo
    Volunteer Moderator
    Posted 9 months ago #

    Please still read the link from @Jackson regarding hacks. If your theme was compromised, it means hackers got in somehow. You may still have a backdoor on your server which keeps you compromised.

    It's best to change all your passwords immediately (hosting, wordpress, database, ftp) and work on cleaning up

  7. catnhat
    Member
    Posted 9 months ago #

    Thanks! This is going to take a while.

  8. Rev. Voodoo
    Volunteer Moderator
    Posted 9 months ago #

  9. whoisparker
    Member
    Posted 8 months ago #

    I'm experiencing the same issue with several blogs. I have a few different sites running wordpress, they are all on the same hosting plan, each domain having a separate directory under the www directory on the server. There is an index.html file in the same www directory which was attacked with the same code listed above. As a result, every domain then suffered from the attack. I cut the code out of the index.html file, but I'm still experiencing a problem. Specifically, my RSS feed won't display. When I run it through the validator, it reads "junk after document element" and then shows the code from above (which I cut out). I looked everywhere else on the server that I could think of, htaccess, other index files, plugin folders, themes, but no luck. I've tried isolating things as much as I can. I've also restored most everything. My host migrated me to a new server. I created a new database. New database password, new ftp password, new cpanel password, new user passwords, new secret keys, new wordpress install, fresh theme install. I'm running out of options. Any advice would be most appreciated! Thanks!

  10. catnhat
    Member
    Posted 8 months ago #

    For me it looks like they got in through some old timthumb.php files that were on themes that were not even active. It is apparently a big vulnerability. Best to upgrade those themes and if they still have the file, I would delete the whole theme just to be sure.
    I was lucky to have a backup from the day before they hacked me. I deleted the old database and all, started with a new one and recovered from backup. I only lost 3 days of material and comments, so I consider myself lucky.

    Since then, I have done a number of additional security changes. wpmu.org has a good writeup on the vulnerability.

  11. catnhat
    Member
    Posted 8 months ago #

    Looks like someone wrote a plugin for the timthumb.php vulnerability detection.

  12. whoisparker
    Member
    Posted 8 months ago #

    Strange, my issue doesn't seem to be related to the timthumb.php vulnerability. I don't have that plugin anywhere. I've cleaned out every unused file, theme, directory at this point as well. Not sure what else to be looking for.

  13. esmi
    Theme Diva & Forum Moderator
    Posted 8 months ago #

    Some themes are still using the unsafe version of timthumb.

  14. whoisparker
    Member
    Posted 8 months ago #

    Got some help and was able to identify the issue. The following code was inserted into several index and footer pages:

    [Code moderated as per the Forum Rules. Please use the pastebin]

    Once the code was stripped out, everything started working again :)
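
Added example (not written by any poster in this thread): a read-only sweep of a web root for the two things the thread ends up pointing at, leftover timthumb.php copies in any theme directory, active or not, and index/footer files that carry obfuscated calls or content after the closing `</html>`. The regex markers, the `thumb.php` rename and the sample tree are assumptions, since the injected code itself was moderated out of the thread.

```python
import re
import tempfile
from pathlib import Path

# Heuristics only: the injected code in this thread was moderated out, so these
# patterns are assumptions about commonly seen obfuscation, not the poster's sample.
OBFUSCATED = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|unescape)\s*\(", re.I)
TEMPLATE = re.compile(r"^(index|footer)\.(php|html?)$", re.I)
HTML_CLOSE = re.compile(rb"</html\s*>", re.I)
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}  # thumb.php: common rename (assumption)

def sweep(web_root):
    """Return sorted (finding, relative_path) tuples that deserve a manual look."""
    findings = []
    for path in Path(web_root).rglob("*"):  # every directory, inactive themes included
        if not path.is_file():
            continue
        rel = path.relative_to(web_root).as_posix()
        if path.name.lower() in TIMTHUMB_NAMES:
            findings.append(("timthumb-candidate", rel))
        if not TEMPLATE.match(path.name):
            continue
        data = path.read_bytes()
        if OBFUSCATED.search(data):
            findings.append(("obfuscated-call", rel))
        # Anything non-blank after the last </html> is what a validator reports as junk.
        closes = list(HTML_CLOSE.finditer(data))
        if closes and data[closes[-1].end():].strip():
            findings.append(("content-after-html-close", rel))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample layout: a shared www/index.html plus two themes of one site."""
    samples = {
        "index.html": b"<html><body>hi</body></html>\n<script>/* constructed junk */</script>\n",
        "site1/wp-content/themes/active/footer.php": b"<?php wp_footer(); ?></body></html>\n",
        "site1/wp-content/themes/active/index.php": b"<?php eval(base64_decode('PLACEHOLDER')); ?>\n",
        "site1/wp-content/themes/unused/timthumb.php": b"<?php /* constructed stand-in */ ?>\n",
    }
    for rel, body in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding, rel in sweep(tmp):
            print(f"{finding:26} {rel}")
```

A hit is a pointer for manual review, not a verdict, and a clean sweep does not rule out a backdoor stored somewhere these heuristics do not look.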
