Someone can help me and have any idea to fix this?
Sorry, it’s not a hacking thing. Where can I delete this javascript?
If you read the links it will advise you to do an audit on all the files.
Assuming you have Windows pull all the files on the server (everything in www/public or whatever it’s called on your server) down to your computer using a FTP client like Filezilla.
Next open each file individually in Notepad and do a search for the code.
Dreamweaver can do a global search on all the files if you set up a site for them.
Delete any references, then upload the changed files.
Then do an audit on your database. You don’t know where it came from so best be safe.
I can’t find any info about an audit on the links you gave. Where is it?
Just follow the instructions I gave you, it’s another way of checking all your files.
Read through the links, the Codex link is a good place to start but first pull a copy of all your files to the hard drive and back up your database. Then go through every single readable file with a fine tooth comb.
If you come across anything suspicious or odd then shout. The reason for suspecting you’ve been hacked is this code comes up for posters who have hacked sites when I did a quick search in Google.
I’m reading through the files in my dashboard and theme editor, but can’t find something strange. But where I find the Codex link? And what error I can delete? How is it called and how is it looking?
Don’t look through the files on the Dashboard. you need to have a local copy to search through otherwise you’ll probably miss files as the Dashboard doesn’t show every file just the Theme files (even then it misses some). This is why I said download all the files from your web server with the FTP client and review every file such as the Theme, the WordPress files and so on. You may also want to review the .htaccess file to make sure it’s not redirecting anything untoward.
Once you have a copy of your web files on your hard drive do a search for the string: <script type=”text/javascript”>document.write(‘\u003C
You don’t need all of it just the first part, then when you find it you can figure out what it’s doing.
But what you mean with codex link, where can I find it?
In the .htaccess file I see only this:
## USER IP BANNING
<Limit GET POST>
order allow,deny
deny from xx.xx.xx.xx
allow from all
</Limit>
# BEGIN WordPress # END WordPress
On the xx.xx etc. an blocked IP address. Don’t know if this is wrong?
I found something called index.p in these file I saw the javascript. I don’t know where it came from and it is possible that it is on my server. I found 3 files index.p files and also index.p.wpau.bak and I delete them. The error was gone but when I visit my website again it gives the following message:
Forbidden
You don’t have permission to access / on this server.
Apache/2.2.14 (Ubuntu) Server at http://www.erwinsweblog.nl Port 80
So what’s wrong?
index.php are core files, if you pulled the files down from the server upload them back up but strip out the JS (back up the files before changing them).
The site should be back to normal then. If you didn’t back up the files then upload the WordPress files again, but leave wp-config.php alone as that points to your database and settings.
Ok, but there where also 3 files with only index.p without ‘hp’. I delete them and than I had the forbidden page. I try to reinstall WordPress again and it was back to normal with out javascripts messages and also no strange index.p files anymore. The javascript line was also in the normal index.php, I delete it and upload it again and it works and it looks like it’s solved but I wonder why I had this javascript messages and how is it possible that this script ‘index.p’ is on my server?
It does sound like as if you was hacked. I’d go through all the rest of the files to be on the safe said. Also monitor the site for unusual accounts or access as they’ve may have installed a back door.
Look for anything that’s encoded in base64 as well.
What do you mean with encoded in base64 where is that?
I called my hostingprovider. They aware of this hack. I was not the only one. A backup is placing back at the moment. So I do nothing anymore with it, it’s there business to fix it.
