Support » Fixing WordPress » Site Being Infected with Malware – help me find the source?

  • Hello,

    I run a WordPress site that is currently suffering from a malware infection.

    Sucuri Sitecheck tells me it is a Blackhole exploit. The only browser that the malware seems to display in is IE.

    The problem is a php injection into all the index.php files of my site. Both in the base folder of wordpress and the themes folder. When I delete the php string from both those files and rescan with Sucuri it tells me my site is clean, so those seem to be the only affected files.

    After that the site will be fine for about 12-24hrs, then the files become reinfected.

    I have changed my FTP and WordPress passwords and reset the secret keys.

    I have also seen the links that are commonly provided when it comes to this issue, that tell you to do complete reinstalls of wordpress/all your plugins/etc. At this moment I do not have time for that and am hoping someone can provide me another way of figuring out the source of this issue. Thank you.

Viewing 5 replies - 1 through 5 (of 5 total)
  • It sounds like one of two issues, #1 your web hosting provider might be insecure, I’ve seen index.php hacks a lot over the years, basically hackers will break into your hosting providers and change all index.php files on that shared or dedicated server to there own version.

    However it usually doesn’t re-occur so I don’t think that’s your issue, you stated it might be an injection, which sounds a little bit better.

    First determine a date in which this started to happen then jump into PhpMySQL and start looking through your posts, comments and any plugin tables that are there, looking for php code in the content sections of those tables. Start looking a day or two before the injection started to happen and work your way forward.

    There really isn’t a quick and easy fix to this you have to dig through your database to ensure it hasn’t been compromised. If you suspect a plugin was causing the issue, deactivate them all and then look in your PhPMyAdmin panel for any tables that have been generated by those plugins.

    A lot of times plugin developers will not do a database clean-up when you deactivate there plugin so the tables still remain after you deactivate the plugin.

    Buy yeah sorry I couldn’t be more helpful if its a SQL Injection you’ll have to take the time to dig through your tables and find the problem then secure the leak, but if its a hosting issue you’ll have to find another hosting account.

    Start looking at your database entries first.

    One thing that I’d suggest is search through your site for a file that contains the TimThumb script. Most times this will be a file called either timthumb.php or thumb.php This is one of the most well-known exploits out there, and if any theme or a plugin on your site use this, then you’re almost completely open to re-hacking.

    @michael – Absolutely correct totally forgot to mention the TimThumb hacks.

    Thank you for the help so far. I am not very experienced with this stuff (MySQL databases and coding beyond HTML/CSS, and basic Java) but if I understand what you are saying Neal, you want me to look through the MySql database for my WordPress install and see if there is any suspicious code there?

    You seem to be suggesting that the database is in chronological order, so this code in question would be near the top?

    Two other questions,
    are even the newest versions on TimThumb insecure? (If so what would be suggested as an alternative plugin or script)

    there were two older installs of WordPress on my site that hadent been updated in 3-4 months. could the malware have gotten into the server from there and then propagated to the rest of the folders? I have now deleted those databases and folders and am waiting to see if the malware is coming back.

    Thanks again.

    Moderator Mark Ratledge


    Forum Moderator

    The newer version of timthumb is considered secure and is a drop in replacement.

    On a insecure host you can be hacked from adjacent accounts. Who is your web host?And, of course from old WP versions in your own account.

    You need search the database for php eval strings and any instances of javascript.

    In any event, work your way through these resources and follow all instructions to completely clean your site or you may be hacked again. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex.

    Change all passwords. Scan your own PC. Use

    Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting

    If you can’t do the work yourself, consider looking for a reputable person to fix it correctly on or freelancing sites such as Elance. (It’s not a good idea to respond to unsolicited emails from forums users offering to work for you.)

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Site Being Infected with Malware – help me find the source?’ is closed to new replies.