Support » Fixing WordPress » Hacked two times: all index, header, footer.php were added some malware code

  • A few sites at the same ip on a Bluehost host, infected by some malware:

    The first time, files were infected on 2012-1-16, 3:06
    (on the last version before 3.3.1 zh_CN, then, upgraded to 3.3.1)

    The second time, infected on 2012-1-27, 13:47

    All the php files which included in ‘index’, ‘header’, ‘footer’ are added the code in the last:

    <? php @ error_reporting (0); if (! isset ($ eva1fYlbakBcVSir)) {$ eva1fYlbakBcVSir =
    … ?> (8721 characters)

    Anyone known what it is and how to protect against the attack?
    Thanks.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Same here. I have permissions at 755 and they go back to 777 too :O ?

    Re-upload all your core WordPress files to overwrite any bad/hacked files.
    Remove any plugins or themes that you can possibly afford to get rid of and make sure that any that you hang on to are upgraded to the latest versions. Make sure your WordPress is up to date with the latest version as well.

    Read: http://codex.wordpress.org/Hardening_WordPress

    This site has a good description as to what is going on. There is a link to a step-by-step removal guide at the end.

    http://www.malfarmed.com/blog/the-new-nasty-that-plagues-wordpress/

    My whole server was infected with this crap, and I used this guide to help me out.

    Check your plugins directory for ToolsPack and zsfeeuvxpnu

    Those seem to be the culprit. Replace your core files, clean your wp-content files, change your credentials and backup backup backup!

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Hacked two times: all index, header, footer.php were added some malware code’ is closed to new replies.