It definitely sounds like you were hacked.
Manually editing the infected php scripts several times on my site resulted in them being re-infected within 30 minutes.
I recommend taking full database backups, as well as taking screen shots and making lists of your plugins etc.
Try exporting the posts/pages etc as well – you might need multiple forms of backup to restore.
Be sure to disable all users as well, except Admin, so nobody else can log in.
When you have saved everything, take your site(s) offline, clean up the database (there are posts on how to do this – sorry I don’t have them handy), and try a fresh install from scratch.
Change your passwords too!!!
Good Luck.
@poddys what I found is, those codes are in the default installation files of WordPress 3.4.2.
Just download WordPress and check in those files, you will find eval and base64_decode codes..
Just download WordPress and check in those files, you will find eval and base64_decode codes..
@shekhar,
Did you confirm that the codes are harmful? Sorry, I have not gone through version 3.4.2 and hence cannot give you any opinion on it.
BTW, can you tell us the file/ folder where you found the codes which you found as harmful?
@krishna it is already been proved that eval and base64_decode are in use to hack WordPress. May be you don’t know that…
Besides, Check the files and folders on the screenshot link on my first post.
&
If you like, install Exploit scanner plugin to confirm.
Thnx
had similar issue after updating WordPress 3 days ago have found all index.php files infected with base64_decode, even the two themes supplied with WP where affected. Have had to delete each index.php file in the wordpress core plus all themes. Sites hosted on mediatemple, Also noticed each infected site had a file in the root with list of IP address. file name: 9fec9686a688eb028f2ca1506bc4b9ac
Would welcome any ideas what this exploit is and how best to deal with it.
So far have replaced all instances of index.php plus deleting the above file from the root dir.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad