Is there something in your header (external link/image) it can’t find?
Next time you get the error, look at the page source?
Look at the <head> section of a page’s source code and see if it is calling in any scripts or other stuff from servers other than your own.
I am looking into this at the moment as well
This is what is happening on a site that is also being infected by Iframe injections, seemingly at RANDOM.
I cant figure out where its being called in from, I disabled all plugins and it still shows…
It looks like Javascript is loading a site and then removing the iframe from visibility, this is very malicious if I am right. This has happened ton a development site but has not spread to any other live sites. Only one site, and I cant figure out why.
Would love to compare notes. I think my contact info is in my profile.
I´m having the same problem in 7 of my 12 wordpress sites. I have been fighting with malware during last week. All began with Timthumb script hack … my sites were full with invisible links in the header stright to sites selling viagra, etc.
I cleaned some malicious code in the index and replaced de js files with updated and clean ones. It seemed to be resolved, but now I have the same problem you talked about; some sites don´t load and the others have the “the page you are looking for …” in the header.
Any idea about how to solve it??
I figured out the issue. Just solved it.
The problem is a function injected into wp-settings.php
Its causing a huge mess,
the function is called counter_wordpress
It has tons of encrypted data that loads info on your site, I am writing a blog on it, and will post it soon.
DELETE THAT FUNCTION. its near the end of your wp-settings.php
But before you modify the file check the last time it was updated and see if it is the same as other files on your server, otherwise it may be in a different location on yours. The script is dynamic and works in any function, it may be randomized.
Check all your file permissions and see if they have changed.
If anything scan your wordpress directory for wp_head and see if anything looking like the code I am about to post in the blog is there.
Will leave instructions on blog as well.
Ah…. thanks Geilt. I spent half the day working on it and came back hoping someone had a clue.
I’ll take a look, and anxiously await your blog post!
¡¡¡ Great post Geilt!!! Perfectly explained. If it´s useful for you, this is what I found in one of my infected sites (www.example.com):
In the header.php, this line:
http://www.example.com/xmlrpc.php?rsd”
And that takes to:
<?xml version=”1.0″ encoding=”UTF-8″ ?>
– <rsd version=”1.0″ xmlns=”http://archipelago.phrasewise.com/rsd“>
– <service>
<engineName>WordPress</engineName>
<engineLink>http://wordpress.org/</engineLink>
<homePageLink>http://www.example.com</homePageLink>
– <apis>
<api name=”WordPress” blogID=”1″ preferred=”true” apiLink=”http://www.example.com/xmlrpc.php” />
<api name=”Movable Type” blogID=”1″ preferred=”false” apiLink=”http://www.example.com/xmlrpc.php” />
<api name=”MetaWeblog” blogID=”1″ preferred=”false” apiLink=”http://www.example.com/xmlrpc.php” />
<api name=”Blogger” blogID=”1″ preferred=”false” apiLink=”http://www.example.com/xmlrpc.php” />
<api name=”Atom” blogID=”” preferred=”false” apiLink=”http://www.example.com/wp-app.php/service” />
</apis>
</service>
</rsd>
Of course, I dont´t know what http://archipelago.phrasewise.com .. Maybe other infected site???
May I ask what the permission settings are on the files and directories? I need to update my blog post with that part of the explanation tomorrow, with logs I saved
Make sure do do a grep search thru your source for wp_head and examine what’s loading.
Thank you very much! I was wasting a lot of days trying to solve it. I wish I could give you any useful information to your article. This is how it happened to me:
– I had some WP websites that used themes from Elegant Themes with an script called timthumb. This script was hacked and hackers could infect all the sites I had in my server. You can know more about this here ( http://markmaunder.com/2011/08… )
– Some of my sites were blacklisted by Google and the infection still goes on, as you described before. I have found hundred of links hidden, linking to viagra sellers.
– Before I was hacked by timthumb.php hole, my permissions were 777 (great error!!). I think this was the way they used.
Now I´m probing your solution in all my sites. You´ll receive feedback. Thanks!
Update… I just visited my site, and was redirected to a different page.
Google intercepted it and tossed up a Malware alert page.
The page in question is winorislic.345.pl.
So… off I go to clean up the mess. Thanks again for everyone’s help.
Also, for what it’s worth, when I made the deletion in the wp-settings.php file, many of my widgets and plug-ins disappeared from the index page. Everywhere else on the site seems to be ok.
In spite of deleting just a part of wp-settings.php I have deleted it completely, and then I have uploaded the original wp-settings.php of wordpress version (3.2.1), without having problems with widgets …
Good idea. Let me give that a try.
My widgets are gone from the back end also. What a mess!
