I think my site has been hacked. Please Help ASAP?

You may be correct. See:

http://www.pagelines.com/forum/discussion/18110/error-message-cannot-redeclare-getmama/p1

Also, your error paste somehow messed up your question…Very difficult to respond…

I still show your site with a virus.

[edit] Ok the second time around.

[edit] Not ok. Still has a trojan.

Your infected with the latest nasty WordPress virus. We had the same issue with one of the sites that we administer.

First off, do not get any package from Godaddy, that will not help you at this point.

Use this link to check if you are still infected:
http://sitecheck.sucuri.net/results/majormedialearning.com
Click the Re-scan button on the button of the page to refresh. Keep in mind that the scan only tests the home page and associated links that go from there, it does not take into account the wp-admin area.

Every .js file on your website is infected. You are going to have to go in and delete one line of code from every .js file on the site. There is and easier way if you have SSH access turned on, if not go to your Godaddy control panel and turn it on. Run the following command:

find . -type f -print0 | xargs -0 sed -i ‘/_0xa687/d’

That command will find all files containing the partial string _0xa687 (which is the virus) and it will delete that line of code.

If you just want to check for files that have that string without deleting the line, run this command:

find . -exec grep -l “var _0xa687” {} \;

Then clean up all the php files that have been infected. Run this find command:

find . -exec grep -l “god_mod” {} \;

That fill find all files with “god_mod” string. These files will also need to be cleaned up.

Lastly run this search

find . -exec grep -l “GetMama” {} \;

The above searches for a partial string (GetMama) which was in my index.php file. You will need to delete the entire string, but be careful because it is on the same line as the begining <?php tag. Make sure you leave the <?php take in place.

************************************************************************
Be careful with the commands, they are powerful. A mistype could cause havoc.
************************************************************************

After you clean everything up, consider using something like the BulletProof Security plugin to tighten up security on the site.
http://wordpress.org/extend/plugins/bulletproof-security/

Here is link with more info on the virus: http://sucuri.net/new-malware-eval-getmama-encoded-javascript.html

Hi everyone,
I’m a newbie to the forum but I’ve been using wordpress for a few years. As a matter of fact, my host is GoDaddy and I have 3 wordpress sites on their hosting site.

Unfortunately, I’ve been slammed by this awful wordpress infection too. I tried uploading a plugin that would set the site to maintenance mode, but “settings” have been disabled. Like jkrawitz, Godaddy tried to sell me their site scanner, but I ignored them. Tried to get them to disable the site, but they couldn’t do it; if they disable it, I won’t be able to use it either.

So, I take it that I’m on my own. First, thank you Aeroweb for the wonderful directions! They seem to be very easy. Just a few questions:

1. Do I need to activate SSH on GoDaddy, then come back to my desktop and use the putty download link you indicated?

2. Once the putty window opens up, will I be able to access files from my desktop?

3. Someone told me I might be able to just export my data file from my wordpress site, then run a scan on it on my desktop to see if it’s infected. Then, they said to delete wordpress (after saving my upload file), then do a fresh install of wordpress. After that, they told me to completely delete my theme and do a fresh install of the theme, too. They said this should get rid of the infection. Does that sound logical to you?

Any help anyone can give me would be greatly appreciated!

Rita Lorraine
[sig moderated as per the Forum Rules]