URGENT: I think I have been hacked

< ?php
// Silence is golden.
? >

Has the wordpress download been hacked?

That’s in every wordpress install. It was put in there by the authors. (Just like at the bottom of the stylesheet in the default theme, you’ll see the lyrics for “Daisy”) Means nothing.

However, the iframe thing – I had the same thing happen to me when I used Movable Type. I found that the iframe was at the bottom of every single post I had, so I had to go through my archives (3 years of them!) to remove the offending code. Turned out I had a wrong permission setting, and they wormed in that way. (Not to mention, at the time, I was using IE as my main browser, and my computer was ridden with spyware and hijacked browser windows – this was prior to educating myself on the defenses.)

WordPress is lucky in the fact that your posts are not in your directories, they reside in your database, so no code can be placed in the actual posts themselves. However, if your permission settings are wrong (or were at one time, giving someone access), then your template files probably have them in the code.

If your permission settings *are* good (i.e. all directories at 755, all files at 644) and you were still hacked, you most certainly need to contact your host, because there’s something going on with the server.

But to resolve the situation, I would recommend 1) backup your database so you don’t lose any posts; 2) uninstall and wipe out your current WordPress installation; 3) get the new install (it’s up to 2.0.7 now, as of yesterday) and redo your installation.

I would also get Spybot and Ad-Aware and run it on your computer to remove any spyware you may have – and run it with your computer in safe mode to be sure you get it all. And while you’re in safe mode, change all of your passwords, as well. Then get back in your hosting area and change *those* passwords too – FTP, login, the works.

Hello,

I made a plugin which restricts IP addresses to login to the admin panel, meaning you can ban different ip addresses from the admin panel.

It is available from here

This might help a bit if the hackers use the admin panel.

I now have people telling me they are getting virus warnings. I have no idea what is going on.

It’s the iframes. You can’t see them because they are 1px by 1px in size. An Iframe calls in an external webpage. The script that has placed the iframe on your pages is linking to a site that feeds out virus installations.

Unfortunately, anyone using IE to view your blog most likely *has* been compromised, because most people shut off the warnings that IE feeds you. The only way they would know is if they happen to glance into the bottom left of the browser window, and saw the text in the status bar that said “downloading from xxx site”. It’s meant to do that – download this crap without anyone ever knowing it’s happened.

So yes, you’ll need to take your site down ASAP so you can remove the malicious code. Put up a holder page that says “get your computer checked immeditately” and proved links to Ad-Aware, Hijack This!, SpyBot, and CW Shredder. Tell people to run virus scans (and be sure they have the latest updates) and do all of this in Safe Mode.

The crap happens, and it sucks. But if you catch it and do something about it ASAP, then the damage control is a lot less than if you let it just stay there and do it’s thing. But the longer you leave it up there, the more people will become compromised.

You don’t read the replies, just post?
Above your last post doodlebee gave you detailed instructions what to do.
Read it.
Do it.
The problem is with YOUR SITE, not WP.

Yes, 2.0.6 had a security issue, and 2.0.7 is out to fix it.
http://wordpress.org/development/
Maybe the hackers used that vulnerability, maybe not. Have no idea.
My point was: fix the thing first – make sure it works… and then there is plenty of time discussing it.

Why the heck do they do this? They cannot gain anything out of it.

Actually, that’s not entirely true. In fact, it’s quite possible that *you* got this by going to someone else’s website. They do this because they can load up trojans on someone else’s computer – trojans that can open up a back door into someone’s computer where they can gain access to things (at worst) like your bank account logins, passwords, credit cards, all those goodies. There are different ways of gaining access to do this to someone’s site, but the reasons are all the same – money, and trying to get it “easily” by exploiting and stealing.

If it makes you feel any better, most people who are faithful to someone’s blog will understand, and they’ll be thankful you told them (instead of not saying anything) so they can get themselves fixed, if need be. I know when it happened to me, my reader base was 100% grateful I let them know, and told them how to fix it.