I've got some sort of malware or virus on my site - http://www.inventinginteractive.com - and am hoping that if I describe what's going on someone can help me find a fix.
- I first noticed this after receiving a "Malware Notification" email from Google
- The only visible thing I notice, occasionally, when I look at the site, is a small black dot in the top-left corner of the page, above any other content.
- When I view the page in Firefox and use the Firebug plugin to examine the dot, I see that it's a 1x1 pixel iFrame with a src link to another site. The link varies, I've noticed it pointing to corneliuspropertyvalue.com and pi.mecklenburgpropertyvalue.com. The link is located at the top of the <body> tag, just below a <block><ad><script src="/wp-content/themes/jquery.min.php"> set.
- When I choose "view source" from the browser menu, the code I described above doesn't appear.
- If I reload the page, the iFrame is no longer there -- it's gone.
- I had noticed a bunch of accounts in the Users page that I hadn't created. So I deleted them. I also changed my passwords.
- I've looked at all the template files in the Appearance->Editor area and had removed a couple blocks that looked like base-64 text. But several days later the iFrame still is appearing.
- I've noticed a strange behavior when I first go to the admin page. Occasionally it will show that there is 1 update -- with a (1) button next to the Updates link. But there are no (1) buttons anywhere else on the page. (ie. usually if there is an update with a plugin, there'll also be a (1) next to plug-ins.) If I click on the Updates link it says that everything is up to date, and if I return to the home admin page the update button is gone.
- I've read that I should look through my database for bad info -- but I'm not sure what to look for, and if I do find something suspicious, how do I safely remove it without messing everything up.
- I'm running the latest version of WordPress, and all my plugins: Akismet, Auto Thickbox, Clicky for WordPress, Google Analytics for WordPress, ShareThis, WP to Twitter, and Yet Another Related Posts Plugin. As part of tracking this down I've also installed these security plugins: TAC (Theme Authenticity Checker), WP Security Scan
- I'm hosting the site using a Mediatemple.net shared Grid Service server.
Any help would be appreciated -- thanks,