Support » Fixing WordPress » how did added code get here?

  • Resolved Jimmyt53


    I have been suffering the dreaded ‘Warning: Cannot modify header information …’ problem and tracked it to index.php. When I opened it, I found all this apparently meaningless code at the top (see below). Cut that out and the problem was solved. I then used a base-64 decoder to translate the ‘alien’ code and the result is posted at the bottom. My question is, how did the code get there, was it just one of those things, was it All-in-one SEO (likely suspect as I changed it recently) or is there something more sinister afoot? Any thoughts?

    Here’s the corrupted index.php file:

    [Code moderated as per the Forum Rules. Please use the pastebin]

Viewing 7 replies - 1 through 7 (of 7 total)
  • Finally worked out Pastebin.

    Here’s the index.php with the extra coding

    And here’s the ‘rogue’ code translated


    Have disabled All-in-one SEO plugin and so far so good. Fingers crossed, that was the issue. If so, all I need now is a reliable SEO.

    It’s Back. And yes it looks like some kind of hack. Norton is stopping an attack by “Blackhole Toolkit”.

    I have had online checks done of the website and it’s coming up clean.

    This is very worrying. Guess I’ll have to clean out the website.

    It’s a hack, the long string of characters is base 64 encoding and it’s filtering out bots and showing an iframe to real visitors. Within the iframe from another site is some malicious javascript. Your site is infected.

    It’s trying to filter out a lot of bots actually so some security crawlers might not be seeing the code. Trust me, you’ve got some cleaning up to do but first you need to secure the server/site and lock it down. Take it offline until you are sure it’s clean.

    OK, thanks. On it now.

    This is probably not the way to do this but this is what I did.

    I copied the files to my hard drive using Filezilla. Sure enough Norton 360 picked up two Trojans in the Simple Forum avatar files. (I immediately afterwards did a deep virus check with Norton 360 to make sure I hadn’t infected my computer.)

    I also contacted my host (Sureserver) and they got their hacking experts on to it. This is what I should have done as soon as I noticed the website behaving oddly. Anyway, they found a third Trojan in the same directory.

    They also later discovered that a rogue “base64/eval” code in the phpmyadmin folder was dumping the rogue code in my index.php file. They advised me to kill phpmyadmin as there have been a lot of attacks through those files which are no longer required in any case.


    Meanwhile I ran the plugin “Exploit Scanner” which picked up literally hundreds of ‘potentially’ dangerous code. I copied the results to Sureserver (Word arranges it into a neat table) and they assured me there was no dangerous code in what the scanner had picked up.

    As of now I’ve been going about 10 hours without a repetition of the attacks (touch wood). I am now backing up and changing passwords. I have also removed the ability for members of my forum to upload their own avatars.

    Oh, and by the way, for the record, it had nothing to do with All-in-one SEO. Sorry about that.
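
Added example, not part of the original thread and not code from any poster or plugin: a small Python scanner for the pattern the replies describe, a base64/eval call in a PHP file whose decoded payload filters bots and emits an iframe. The indicator names, the sample index.php text and the placeholder.invalid URL are constructed for illustration; the payload is decoded for inspection only and never executed.

```python
import base64
import binascii
import re

# Matches eval(base64_decode('...')) with optional whitespace and either quote style.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)",
    re.IGNORECASE,
)

# Traits of the decoded payload that the thread describes (names are assumptions).
INDICATORS = {
    "bot_filter": re.compile(r"HTTP_USER_AGENT", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    "nested_eval": re.compile(r"\beval\s*\(", re.I),
}


def scan_php(source):
    """Return one finding per eval(base64_decode(...)) call in PHP source text."""
    findings = []
    for m in EVAL_B64.finditer(source):
        blob = re.sub(r"\s+", "", m.group(2))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            decoded = None  # not valid base64; the call itself is still reported
        hits = sorted(k for k, rx in INDICATORS.items() if decoded and rx.search(decoded))
        line = source.count("\n", 0, m.start()) + 1
        findings.append({"line": line, "decoded": decoded, "indicators": hits})
    return findings


# Constructed sample: a stand-in for an injected line at the top of index.php.
PAYLOAD = (
    "if(!preg_match('/bot|crawl|spider/i',$_SERVER['HTTP_USER_AGENT']))"
    "{echo '<iframe src=\"http://placeholder.invalid/\"></iframe>';}"
)
SAMPLE_INDEX_PHP = (
    "<?php eval(base64_decode('%s')); ?>\n"
    "<?php\n"
    "define('WP_USE_THEMES', true);\n"
    "require('./wp-blog-header.php');\n"
) % base64.b64encode(PAYLOAD.encode()).decode()

if __name__ == "__main__":
    for f in scan_php(SAMPLE_INDEX_PHP):
        print(f["line"], f["indicators"], f["decoded"])
```

To check a real site, read each .php file from an offline copy and pass its text to `scan_php`; a hit with no indicators still deserves a manual look at the decoded text.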
