I have the same problem. Additionally, our frontend users are also sporadically redirected to the Russian URL named above, which is fatal.
Our server was attacked this afternoon by several foreign computers (checked logfile). All of them tried to upload files named sm3.php in the theme-directory of our active theme. Possibly malware was injected through thumb.php used by our theme for image-resizing.
I tried the whole afternoon/evening to find a solution to completely clean our site but I still had no luck. There might be several preg_replace code spread out in several files on our server where it should not be. Another strange encrypted file found here was wp.php.
Any ideas?
James
(@james13wheelergmailcom)
I have the same problem, but no idea how to resolve.
@getinked5 I’m wondering why deleting the site and restoring didn’t resolve the issue?
I’m guessing it’s in the database, which is the only thing I haven’t had time to clean out yet.
I’ll have to try reloading our theme again too.
I’ve had the same thing this evening.
My super helpful host (TSO) found things that shouldn’t have been in .htaccess and removed them. This seems to have solved the problem (hopefully) so might be worth you checking there for anything unusual.
Yeah my htaccess was clean
If one of you wants some help getting this cleaned up, I’d be happy to have a look, and then give some instructions for everybody else having the issue. You can get in touch with me through the contact form at my site.
Just managed to clean up my partner’s site (well, I think I have) following some of the pointers in this thread:
1) .htaccess had been appended to with “Error 404” directives. Removed those only.
2) Removed sm3.php and wp.php completely.
3) Updated thumb.php to the latest version from http://timthumb.googlecode.com/svn/trunk/timthumb.php which has hopefully closed any holes.
This seems to have solved the issue and I’m not seeing any redirects to the .ru site anymore.
Note: I have not scanned the DB yet.
Thanks for the summary @psynix – I’ve now also updated timthumb.php.
It would be really helpful if you could post how you scan the database?
Many thanks
I’m on vacation right now or I’d be spending more time on this. I updated my thumb page also, but mine seems to be only SQL injected. Only when I go to my search plugin page am I seeing any errors. I’ll be digging into the database more tomorrow.
Great site @peter builder. I’ll hit you up later for some different reasons related to security.
The problem I ran into is that the .htaccess files were modified. NOTE: they do not LOOK modified at first, but you should notice scroll bars which normally are not there. That indicates that there is a lot more text in your file than you are currently seeing.
In case your hosting provider doesn’t help, try this solution:
First CHMOD your .htaccess file from 444 to 644. (It appears that the files were turned 444 after the edit that caused the problem.)
Access (edit) your .htaccess file. MAKE A COPY! Then, clear it out. Add in something like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
AddType x-mapp-php5 .php
# protect wpconfig.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# disable directory browsing
Options All -Indexes
#Protect .htaccess itself
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
# END WordPress
You can try checking this site http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676 or others if you want to see additional tips on how to secure your .htaccess file.
Once you have saved your .htaccess file, save it.
This should now have fixed the problem above.
-Kimberly
http://www.silverwebdesigns.net
Hey Kimberly,
I fixed the permissions and edited the .htaccess file like you mentioned, thinking that would fix it. It seemed fine for an hour or two and then I saw the malicious code in there again (and the permission was again changed to 444).
So I fixed it again, but this time I also updated the thumb.php in my theme files. I am hoping this fixes it for the long run.
Did your .htaccess file get modified after you fixed it?
thanks!
april
Tried visiting your website lately Kimberly? Redirects to the .ru site at the moment.
Psynix,
I can’t seem to locate these two files you mentioned:
“2) Removed sm3.php and wp.php completely.”
Where would these be?
thanks!
april
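Added example, not part of any post in this thread: a read-only Python scan of a WordPress directory for the artefacts the posters report (files named sm3.php or wp.php, .htaccess files set to mode 444, .htaccess content pushed out of view by padding, and preg_replace calls). The regexes, the 50-character padding threshold, the directive names checked for external URLs, the restriction to the `e` modifier form of preg_replace, and the sample tree with its example.invalid URL are all assumptions or constructed data; matches are leads to review by hand, not proof of compromise.

```python
import os
import re
import stat

# Indicators come from the posts above; the regexes and thresholds are assumptions.
DROPPED_NAMES = {"sm3.php", "wp.php"}
PREG_E = re.compile(rb"preg_replace\s*\(\s*(['\"])(.).*?\2[a-zA-Z]*e[a-zA-Z]*\1")
HTACCESS_CHECKS = [  # (pattern, reason)
    (re.compile(rb"^\s*(?:ErrorDocument|Redirect\w*|RewriteRule)\b.*https?://",
                re.I | re.M), "external-url-directive"),
    (re.compile(rb"\s{50,}"), "whitespace-padding"),  # text pushed out of view
]


def scan(root):
    """Return sorted (relative_path, reason) findings for a WordPress tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            if name in DROPPED_NAMES:
                findings.append((rel, "dropped-file-name"))
            if name == ".htaccess":
                if stat.S_IMODE(os.stat(path).st_mode) == 0o444:
                    findings.append((rel, "htaccess-mode-444"))
                findings += [(rel, why) for rx, why in HTACCESS_CHECKS if rx.search(data)]
            elif name.endswith(".php") and PREG_E.search(data):
                findings.append((rel, "preg_replace-e-modifier"))
    return sorted(findings)


def build_sample(root):
    """Write a constructed sample tree (not real malware) for a dry run."""
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    samples = {
        os.path.join(root, ".htaccess"): b"RewriteEngine On\n" + b"\n" * 60
        + b"ErrorDocument 404 http://example.invalid/\n",
        os.path.join(theme, "sm3.php"): b"<?php /* constructed placeholder */",
        os.path.join(theme, "functions.php"): b"<?php $t = preg_replace('/\\s+/', ' ', $t);",
        os.path.join(theme, "footer.php"): b"<?php preg_replace('/.*/e', $x, '');",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    os.chmod(os.path.join(root, ".htaccess"), 0o444)
```

Run `scan()` against a copy or backup of the site's document root; it only reads files and changes nothing.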