My site is hacked. Code injected. HELP!!! (6 posts)

  1. davecurlee
    Posted 5 years ago #

    Man I need some help y'all.

    My site is http://davecurlee.com Over the last week or so, I've gotten hacked. Originally I found the javascript code gibberish in my footer.php file in my theme. We removed it and changed the permissions to read only.

    Google removed the "this is a malware" message and it was fine for a few days. Next, the google message came back, and the code was found in the header. I removed it, set the permissions to read only on that file. Google rescanned... released the error.... a day later.....

    AGAIN. Now it's being injected in the header at runtime it seems.
    I've checked every file in the theme for anything that could be calling the script for inclusion. NOTHING. I'm totally stumped.

    I've got a screen cap of the code that is included in the header (not physically written in the header.php file though..)


    I'm totally stumped. A friend of mine went to the site and said that Kaspersky AV stated that there was a virus on the site... " Huer:trojan.script.iframer "

    I could use some help here. I'm up against a wall. If you check the site on firefox, you may not get the google error. Chrome will show it though.

    Anyone run into this?

  2. Sorry to hear about your site getting hacked. Could you tell us who your hosting provider is? Have you contacted them yet?

    Try using the codex instructions for removing a hack:


    Also see this article:

  3. davecurlee
    Posted 5 years ago #

    Thanks for your reply. I'm currently hosting with Dreamhost. Not mentioned it to them, but they have a note on my panel stating that google has noted that this is a malware site.

  4. I would defiantly notify them. They are a WordPress recommended host and should be able to help you get it fixed.

  5. razaj
    Posted 5 years ago #

    Is there any further update on how to prevent the so-called "pharma hack" from coming back and injecting viagra and other pharma content in your wordpress powered site?

    I have already read the pearsonified blog and he also says that he has no idea how they got in in the first place and how to prevent it for sure from happening again.

  6. James Huff
    Volunteer Moderator
    Posted 5 years ago #

    First, try some (if not all) of the recommended security measures. Then, make sure that you have set the permissions of all files to 644 and directories to 755.

    Unfortunately, nothing can really help if you're on an insecure shared server. Under the (unfortunately) common setup, the attacker only needs to compromise one account on the server to affect all of them.

Topic Closed

This topic has been closed to new replies.

About this Topic