Hacked two times: all index, header, footer.php were added some malware code (4 posts)

  1. eefadmin
    Posted 4 years ago #

    A few sites at the same ip on a Bluehost host, infected by some malware:

    The first time, files were infected on 2012-1-16, 3:06
    (on the last version before 3.3.1 zh_CN, then, upgraded to 3.3.1)

    The second time, infected on 2012-1-27, 13:47

    All the php files which included in 'index', 'header', 'footer' are added the code in the last:

    <? php @ error_reporting (0); if (! isset ($ eva1fYlbakBcVSir)) {$ eva1fYlbakBcVSir =
    ... ?> (8721 characters)

    Anyone known what it is and how to protect against the attack?

  2. babyboy808
    Posted 4 years ago #

    Same here. I have permissions at 755 and they go back to 777 too :O ?

  3. bh_WP_fan
    Posted 4 years ago #

    Re-upload all your core WordPress files to overwrite any bad/hacked files.
    Remove any plugins or themes that you can possibly afford to get rid of and make sure that any that you hang on to are upgraded to the latest versions. Make sure your WordPress is up to date with the latest version as well.

    Read: http://codex.wordpress.org/Hardening_WordPress

  4. j0hnnyb0y
    Posted 4 years ago #

    This site has a good description as to what is going on. There is a link to a step-by-step removal guide at the end.


    My whole server was infected with this crap, and I used this guide to help me out.

    Check your plugins directory for ToolsPack and zsfeeuvxpnu

    Those seem to be the culprit. Replace your core files, clean your wp-content files, change your credentials and backup backup backup!

Topic Closed

This topic has been closed to new replies.

About this Topic