Our WordPress Dashboard is not showing vertical scrollbar; suspicious code found

  • Our WordPress Dashboard suddenly has no vertical scrollbars. Upon checking the source, I found this:

    <!DOCTYPE html>
    <html>
    <head>
      <meta charset="utf-8">
      <style type="text/css">
        html, body, #partner, iframe {
          height: 100%;
          width: 100%;
          margin: 0;
          padding: 0;
          border: 0;
          outline: 0;
          font-size: 100%;
          vertical-align: baseline;
          background: transparent;
        }
    
        body {
          overflow: hidden;
        }
      </style>
      <meta content="NOW" name="expires">
      <meta content="index, follow, all" name="GOOGLEBOT">
      <meta content="index, follow, all" name="robots">
      <!-- Following Meta-Tag fixes scaling-issues on mobile devices -->
      <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport">
      <script type="text/javascript" src="punycode.min.js"></script>
    </head>
    <body>
    <div id="partner"></div>
    <script type="text/javascript">
      document.write(
        '<script type="text/javascript" language="JavaScript"'
        + 'src="//sedoparking.com/frmpark/'
        + punycode.toASCII(window.location.host) + '/'
        + 'dealrucenter'
        + '/park.js">'
        + '<\/script>'
      );
    </script>
    </body>
    </html>

    Does anybody know what could be the cause of this and how to resolve this? Thank you.


Viewing 1 replies (of 1 total)
  • Hello, johnjullies, & welcome.

    Unless you have parked this domain, then it would appear your site has in fact been compromised.

    When fixing a hacked site, there are really 2 objectives. The first is to remove the evidence of the hack, which is what most site owners concentrate on. The 2nd is to make sure the bad guys can’t gain entrance again, which is actually as or more important than the first 1, as all your hard work of fixing the site will be demolished in a matter of seconds if the criminals get in & hack the site again.

    The first thing you should do is notify your hosting provider. They may help you, they may not, but sometimes the compromise can be of an entire server rather than a single site, and, if that’s the case, then they need to take action.

    Second, make certain any device you use to log into your site is clean of any malware. You may need to do more than 1 scan using different scanners, since no scanner can catch everything.

    Make certain also that your network is secure. Change the default username/password on your router, do not log into your site using a public hotspot, & use a secure file transfer protocol rather than just plain FTP.

    These precautions are all so that your user credentials don’t fall into the wrong hands.

    Now–please change your hosting control panel password, your WordPress dashboard password, & your database password. Don’t forget to paste that into your wp-config.php file. Also, change your salt keys as per the instructions in wp-config.php to log out all users. Please make the passwords long, containing upper & lowercase letters, numbers, & punctuation.

    Next, take a backup of your website’s files. Be certain to label it such that the label contains both the date you backed it up on, as well as the word “hacked”–we certainly don’t want you accidentally restoring this backup! This can be helpful, though, in terms of perhaps being able to determine how this occurred, though my feeling is that it likely did so because of an outdated site. Probably you should just back up your web root. Depending on your host, it might be called public_html, htdocs, www, or /. If you don’t wish to back up the entire root, then at least back up your uploads folder, as well as others that might contain content that can’t be replaced.

    Please also back up your database as well. The article at
    http://codex.wordpress.org/Backing_Up_Your_Database
    shows you how to do that, in case you need it. The section regarding phpMyAdmin is likely the most relevant to your case. It’s going to be necessary to search that database file to see if any evidence of the hack exists there. That can be done by opening the file in a text editor. To start off with, consider searching for the words:

    <script
    <? php;
    base64;
    eval
    preg_replace
    strrev

    You might also wish at this point to back up your WordPress content. To do that:
    * Log into your WordPress dashboard.
    * Go to ‘Tools > Export’.
    * Choose to export all content.

    WP-CLI can also be used if the script times out & if you have shell access.

    While in your dashboard, go to ‘Users > All Users’ and delete any users there that you don’t recognize, especially administrators. A WordPress account should never contain the username ‘admin’. If yours does, make an administrative account that does not contain the word (don’t forget to use a very strong password), then delete the old admin username account.

    Also be advised that sometimes supposed image files can contain code, so open all your image files, particularly in your uploads folders, to ensure they really are images & don’t contain code. Better yet, if you have the images on your machine, replace files in the uploads folders with them.

    You might also wish to consider installing Wordfence. Check the options to scan files outside of WordPress, for administrative accounts not made by WordPress, & scan uploads as executable. These options can be turned off later, but right now they can be invaluable in terms of finding hacked files.

    If you find nothing, either in your database or in your /uploads folders, then the next step is to delete, then completely reinstall WordPress, as well as any plugins or themes you were using. I also advise creating an entirely new database w/a new user & password. You can then import your content into the newly reinstalled site.

    If your site runs on the Apache webserver, please also let someone knowledgeable look at your .htaccess file so they can make certain no backdoor code exists there.

    Please let us know if you require additional assistance.
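
The database search and the uploads image check described in the reply above, as an added example that is not part of the original thread or of any WordPress tool. The function names, the file-signature table, the extra `base64_decode` marker and the sample data are assumptions of this example; hits are leads for manual review, since terms like `base64` also occur in legitimate content.

```python
import re
import tempfile
from pathlib import Path

# Search terms from the reply. "eval" is narrowed to a call (an assumption
# of this example) so words like "medieval" do not match.
DUMP_PATTERNS = {
    "<script": r"<script", "<?php": r"<\?\s*php", "base64": r"base64",
    "eval": r"\beval\s*\(", "preg_replace": r"preg_replace", "strrev": r"strrev",
}
# File signatures for common upload types (assumed set, extend as needed).
JPEG, PNG, GIF = (b"\xff\xd8\xff",), (b"\x89PNG\r\n\x1a\n",), (b"GIF87a", b"GIF89a")
IMAGE_MAGIC = {".jpg": JPEG, ".jpeg": JPEG, ".png": PNG, ".gif": GIF}
CODE_MARKERS = (b"<?php", b"<script", b"eval(", b"base64_decode")

def scan_dump(sql_text):
    """Return (line_number, term) for every search-term hit in a SQL dump."""
    return [(no, term)
            for no, line in enumerate(sql_text.splitlines(), 1)
            for term, pattern in DUMP_PATTERNS.items()
            if re.search(pattern, line, re.I)]

def scan_uploads(root):
    """Return {relative path: reasons} for image-named files that need review."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        magic = IMAGE_MAGIC.get(path.suffix.lower())
        if magic is None or not path.is_file():
            continue
        data = path.read_bytes()
        # A valid header is not enough: code can be appended to a real image.
        reasons = [] if data.startswith(magic) else ["not an image signature"]
        reasons += [f"contains {m.decode()}" for m in CODE_MARKERS if m in data.lower()]
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    """Run both scans over constructed sample data (not from a real site)."""
    dump = ("INSERT INTO wp_posts VALUES (1,'A medieval castle tour');\n"
            "INSERT INTO wp_options VALUES (9,'<script src=\"//example.invalid/x.js\">');\n"
            "INSERT INTO wp_options VALUES (10,'eval(base64_decode(\"...\"))');\n")
    with tempfile.TemporaryDirectory() as tmp:
        up = Path(tmp, "2024", "01")
        up.mkdir(parents=True)
        (up / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        (up / "logo.jpg").write_bytes(b"<?php /* constructed placeholder */ ?>")
        (up / "banner.gif").write_bytes(b"GIF89a" + b"\x00" * 8 + b"<?php /* placeholder */ ?>")
        return scan_dump(dump), scan_uploads(tmp)
```

On a real site, pass the text of the exported dump to `scan_dump` and the path of the backed-up uploads folder to `scan_uploads`, working on the backup copy rather than the live web root.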
