We had the same thing. A wipeout of the current files, a fresh install of the lastest version of WP did the trick. Make sure that if you use timthumb image resizer that you upgrade to the latest version.
Also, I have not tried the following, but perhaps this may help, I just fortuitously chanced upon it right now.
http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
my site is being hacked very often by eval base64 script, toolspack plugin was automatically installed. I’ve cleaned all files and removed toolspack plugin, also updated WP (plugins + theme) to latest version. Please let me know the root cause of this its been 3rd time my site is being infected.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
@merlynferns, have reviewed the links in this post?
Also you have better luck starting your own thread instead of jumping on this one.
@jan, yes i’ve reviewed the links and cleaned all the files, changed admin password but not 100% sure if my site will be save as it keeps on getting infected every week. I’ve below listed plugins installed and updated
awsom-news-announcement
event-calendar-3-for-php-53
improved-include-page
nextgen-gallery
wp-simple-paypal-donation
do you think any of them above may cause the hacker to inject code into my site?
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
as it keeps on getting infected every week.
Either you haven’t succeeded in really delousing your WordPress installation or you haven’t found and closed the door that the attackers keep walking in through.
Give the Smackdown link another read and also do these steps too.
http://codex.wordpress.org/Hardening_WordPress
That will prevent auto updates from working if you do it right, but for now that should be fine as you have bigger problems.
Make sure you are up to date and replaced all of your code from the source.
I’m also getting hammered with this eval base64 hack. Over the weekend been trying various things to try to keep them out.
I deleted all the FTP accounts through my cpanel except one (that I use for my webcam). I’ve installed the Bullet Proof Security plugin, that helps me change permissions on various files to secure values, like the config file to 400. I’ve also installed Exploit Scanner, which identifies the hack, but sometimes it fails to run and I’m not sure why.
The WordPress Security page says to change permissions, but I need it black and white. What files, what numbers. Telling me to give read/write/execute is vague.. I want the numbers please, and the files to secure. So far I have changed the index.php files to 444, which seems to keep them out. Changing permissions too tight makes the blogs uneditable and we can’t have that either. Bullet Proof Security plugin also creates secure .htaccess files.
Been a couple days on a couple blogs and so far they haven’t gotten hacked again using these measures. I’m keeping a close eye. Is this a recent hack problem? It has only hit me within the last month or so. Before that, never had a problem with my wordpress blogs getting hacked.
