It sounds like one of two issues, #1 your web hosting provider might be insecure, I’ve seen index.php hacks a lot over the years, basically hackers will break into your hosting providers and change all index.php files on that shared or dedicated server to there own version.
However it usually doesn’t re-occur so I don’t think that’s your issue, you stated it might be an injection, which sounds a little bit better.
First determine a date in which this started to happen then jump into PhpMySQL and start looking through your posts, comments and any plugin tables that are there, looking for php code in the content sections of those tables. Start looking a day or two before the injection started to happen and work your way forward.
There really isn’t a quick and easy fix to this you have to dig through your database to ensure it hasn’t been compromised. If you suspect a plugin was causing the issue, deactivate them all and then look in your PhPMyAdmin panel for any tables that have been generated by those plugins.
A lot of times plugin developers will not do a database clean-up when you deactivate there plugin so the tables still remain after you deactivate the plugin.
Buy yeah sorry I couldn’t be more helpful if its a SQL Injection you’ll have to take the time to dig through your tables and find the problem then secure the leak, but if its a hosting issue you’ll have to find another hosting account.
Start looking at your database entries first.
One thing that I’d suggest is search through your site for a file that contains the TimThumb script. Most times this will be a file called either timthumb.php or thumb.php This is one of the most well-known exploits out there, and if any theme or a plugin on your site use this, then you’re almost completely open to re-hacking.
@michael – Absolutely correct totally forgot to mention the TimThumb hacks.
Thank you for the help so far. I am not very experienced with this stuff (MySQL databases and coding beyond HTML/CSS, and basic Java) but if I understand what you are saying Neal, you want me to look through the MySql database for my WordPress install and see if there is any suspicious code there?
You seem to be suggesting that the database is in chronological order, so this code in question would be near the top?
Two other questions,
are even the newest versions on TimThumb insecure? (If so what would be suggested as an alternative plugin or script)
there were two older installs of WordPress on my site that hadent been updated in 3-4 months. could the malware have gotten into the server from there and then propagated to the rest of the folders? I have now deleted those databases and folders and am waiting to see if the malware is coming back.
Thanks again.
The newer version of timthumb is considered secure http://code.google.com/p/timthumb/ and is a drop in replacement.
On a insecure host you can be hacked from adjacent accounts. Who is your web host?And, of course from old WP versions in your own account.
You need search the database for php eval strings and any instances of javascript.
In any event, work your way through these resources and follow all instructions to completely clean your site or you may be hacked again. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex.
Change all passwords. Scan your own PC. Use http://sitecheck.sucuri.net/
Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting
If you can’t do the work yourself, consider looking for a reputable person to fix it correctly on jobs.wordpress.net or freelancing sites such as Elance. (It’s not a good idea to respond to unsolicited emails from forums users offering to work for you.)
