WordPress.org

Support

Support » How-To and Troubleshooting » Has my site been hacked?

Has my site been hacked?

  • Hi,

    I am in the middle of setting up my site and I have noticed that at the end of every page is ‘Shell cr57 GIF89a;’

    I can’t find it in any source code and I have removed all plugins. Is this a hack? what the hell is it?

    Can anyone please help?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Sounds like a shell uploader. Seeing shell and cr57 together is not a good thing. You may need to see generated source to view any hidden code.

    In Firefox:
    > Tools
    > Web Developer
    > View Source
    > View Generated Source

    But that may still not reveal anything. Once it’s up in your install, removing plugins and themes may not remove it. Some cr57 shell uploaders are pretty nasty.

    Thanks mickey

    I have checked generated sourece and it just displays the same as what is rendered in the live browser. I have no idea or heard of this, what should be I looking for and is there a way to fix it?

    One other thing, if I change my theme the characters dissapear. The theme I am using is https://github.com/murtaugh/HTML5-Reset-Wordpress-Theme/issues/25

    It may have been in your theme. I would definitely replace everything and make sure the theme is a fresh download. If it continues, you should let the theme developers aware of your issue, ooops it looks like you already did. (It could also be brought in via another site on your server. Those shell uploaders can be very nasty. I would replace everything first and see how it goes.)

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Has my site been hacked?’ is closed to new replies.
Skip to toolbar