Forums

WordPress › Support » How-To and Troubleshooting

Updated to 2.9.1 can no longer modify posts - site hacked (3 posts)

  1. tsutryk
    Member
    Posted 2 years ago #

    My client's site (www.hyperlearn.com) got hacked last week and somehow the hacker(s) managed to insert one line of malicious code on just about every php file on the wordpress site. This code caused viruses to be downloaded and when clicking any link on the site, it took the user to another malicious site. I managed to remove the offensive code from all the files, backed up my database and then upgraded to 2.9.1 version.

    The site looks fine and there is no longer any problems with the links. I also modified my CHMOD settings to 755 in hopes this would help in the event of a future attack. Now, I can not create/modify posts through admin. I try to make a small change, click the preview button and my changes do not appear, when i try to return to the admin program, it locks up. I'm noticing in the bottom of the screen that it is showing "transferring from news.hermison.com". This tells me that there might still be some offensive code out there, but I can not find it.

    If anyone could help me, I would be incredibly appreciative.

    Thanks!

  2. Shane G.
    Member
    Posted 2 years ago #

    Hi,

    Refer this article:

    http://codex.wordpress.org/FAQ_My_site_was_hacked

    Thanks,

    Shane G.

  3. tsutryk
    Member
    Posted 2 years ago #

    Hi Shane,

    Thanks for the response and yes I have read through everything I could find on the topic. I have narrowed my problem down to one issue. I've managed to remove the base64 offensive code from all the php files and upgraded to the latest WP version. On posts only, a different line of code is inserted into the footer of each post. I can't seem to find where this code originates from. It is only on posts and not on pages. I've looked in all the footer.php files. It's using eval(unescape function in a javascript that when decoded writes out to an iframe to another site that is known for viruses.

    Any advise on where this offensive code may be hiding is greatly appreciated.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags