wp-includes/query.php modified – hacked

  • Resolved falshiw


    Sorry if I wrote this in the wrong section.

    This is my first post and I’m only writing it because I spent 6 hours trying to find how the hell a site was hacked. Finally I found what was wrong and I want to share it.
    I couldn’t find any similar case anywhere (can’t say I tried very hard).

    The problem was that in the footer of every front-end page, there was a short script and an invisible link to

    [hacked code removed – please do not post that here]

    I tried disabling plugins and searching for some of the strings in the WordPress files, but with no results.
    I couldn’t find anything in the database either.

    I noticed that removing wp_footer() from footer.php fixes the problem, but that wasn’t good enough because there were some needed functions there.

    One of the functions was “check_wp_load”, which was very strange and I was unable to find what added it. Trying to remove it also didn’t work.

    Long story short, after several nerve-racking hours, I found the problem.
    Someone added these lines at the beginning of query.php:

    [hacked code removed – please do not post that here]

    I don’t have logs to find the hacker, nor do I know when that happened. I don’t have the time to investigate. I just hope that if someone else has this problem, he will find this post and save himself some time.

    Sorry for bad English 🙂
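An added example, not part of the original post: the string searches described above found nothing, whereas comparing every core file against a trusted checksum manifest flags a modified wp-includes/query.php no matter what the added lines contain. The function names and the sample tree are constructed for illustration, and the manifest shape ({"checksums": {path: md5}}) is assumed to match what the WordPress.org core checksums service returns for a given version.

```python
import hashlib, json, tempfile
from pathlib import Path

def md5_of(path):
    # MD5 only because the core checksum manifest is assumed to use it.
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def verify_core(wp_root, manifest_json):
    """Compare a WordPress tree with a trusted {"checksums": {path: md5}} manifest."""
    checksums = json.loads(manifest_json)["checksums"]
    root = Path(wp_root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in checksums.items():
        target = root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif md5_of(target) != expected:
            report["modified"].append(rel)
    # Core directories should hold nothing the manifest does not list.
    for core_dir in ("wp-admin", "wp-includes"):
        for p in (root / core_dir).rglob("*"):
            rel = p.relative_to(root).as_posix()
            if p.is_file() and rel not in checksums:
                report["unexpected"].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def demo():
    """Constructed tree: clean install, then a tampered query.php and a stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = {
            "wp-includes/query.php": b"<?php // constructed stand-in for core code\n",
            "wp-includes/version.php": b"<?php // constructed\n",
            "wp-admin/index.php": b"<?php // constructed\n",
        }
        for rel, body in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        manifest = json.dumps(
            {"checksums": {rel: md5_of(root / rel) for rel in clean}})
        # Simulate the incident: lines prepended to query.php, plus an extra file.
        q = root / "wp-includes/query.php"
        q.write_bytes(b"<?php /* constructed placeholder for added lines */ ?>\n" + q.read_bytes())
        (root / "wp-includes/extra.php").write_bytes(b"<?php // constructed\n")
        (root / "wp-admin/index.php").unlink()
        return verify_core(root, manifest)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real site the manifest must come from a trusted source for the exact installed version and locale; WP-CLI's `wp core verify-checksums` performs the same comparison.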

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘wp-includes/query.php modified – hacked’ is closed to new replies.