2.5 updated to 2.5.1 hacked

Got anything special in the root dir? .htaccess file? PHP.INI? If you deleted the WP folder and reinstalled clean, then it must be outside that folder.

had an htaccess AND a php.ini in my root but deleted them trying to figure out the problem. Sorry I didn’t added that to the list of things I have done.

I do have other folders that I use for testing but nothing weird shows up in them (pretty simplistic HTML files and some images >I< created)

Well, if it was me, I’d grab a copy of the whole thing via FTP and then run greps on it looking for where that code is.

It’s somewhere in there. That’s the best we can say.

I guarantee you that your site has files on it, that you didnt place there …and thats just the files that are being called — thats not including whatever is calling the files.

If you want help figuring it out, Im available — I do charge, but Im very reasonable.

contact me via my contact form on my web site if you give up.

thanks everyone, will download the whole thing and see what I can find. It must be outside of the WP folder so I will have to search everything. Is there any piece of code, or file, in specific I should be looking for?

EdGarcia, saw the same on a 2.5.1 version install last week – source code of public site AND admin pages had this instead

<div><font style="position: absolute;overflow: hidden;height: 0;width: 0"><a href=...........</div>
</body>
</html>

AND the XML export PLUS the feed had the <div><font style="position: absolute;overflow:....</div> at the end of the documents.

We went with the check and cleanup of files, folders, themes, SQL route first including process ala video seen here. Like you, the result of new install of WP and database import still showed the hack. Banged our heads on the walls.

Our second route and solution found was (after backing up everything including sitemap.xml and writing down ALL plugin settings, API’s, etc.
1. delete all files including wp-content (remember we backed it up)
2. create new database
3. upload new WP files and folders, wp-config.php set up for new database
4. run install.php
5. created users to catch multi-blogger posts
5. asked webhost to increase max file upload to 20mb
6. imported cleaned up XML file and assigned users
7. checked website using default theme – viola, nothing at the footer of theme, admin pages, feed nor in new export of XML.
8. uploaded plugins and per notes taken down before closing old site, set respective configurations
9. check of site posts/pages, admin pages, feed, new export of XML, new export of database clean
10. uploaded customized theme (double checked for strange code, none found)
11. check of site posts/pages, admin pages, feed and new export of XML, new export of database clean
One week later, friend reports site still clean. “Hardened” his site so well, I got locked out when I forgot to put new password to login. Oh well.
Good luck.

I suppose I overread, but did you (both) check the footer.php (and/or other theme files)? If the theme was altered, you can upgrade, backup, reinstall, etc. all you want, but if you keep using the same theme, nothing much will change. Mercime deleted the wp-content folder, which includes the theme, which forced him to put up a new theme (or a clean download of it or the version on the computer at least) which might have solved the problem.
Just my 2 cents.

Yes, Gangleri, all theme files especially footer.php was checked because the hack kept appearing there. [Added: We even deleted <?php wp_footer(); ?> just in case, but hack still appeared.] We deleted the wp-content in first and second routes to find solution. But after new installation with XML import, checked with default theme first, when it passed clean, uploaded the customized theme from computer which was used in the original install.

Part of cleanup process was exactly like shown in video, but that was not all. We were lucky to have caught the hack. We were working on altering the home page the night before, looking at source files and all was well. When we went back to working on implement changes the next day (roughly 12 hours), the hack showed up.

I guessed so ??
Roy

Problem solved. Deleted ALL files from server and uploaded back up files. Seems the hack is inside files but not on database. So if you get the DD4 or DD5 on the inserted code you can safely replace all your files with a backup and you are set. Upgrade often! is all I can recommend.

mercime saw your posts after I posted mine (that is what I get for not refreshing page). Thanks, it seems my hack did not included anything like that on database though. I think there are quite a few variants of the hack.

I’ve just had the same problem. I don’t know how it got there but if you go to the index.php file in your root directory you’ll see the offending code after the closing html tag. Delete it and you should be good to go ??

I just found a similar crack that was implemented as a “graphic” file, but in reality it was a php script named “lnu_php.jpg”. Looking at the code in this script, I found it is fully capable of allowing the cracker to access and modify any file on the system that Php has access to.

Being an image file extension, it would be really easy to have had a link to it embedded in any number of files to cause it to “re-infect” upon loading, and who really looks for extra image tags?

Note that the site I found this crack on does NOT run WordPress, but is a not-for-profit site I occasionally do tech support for, so it isn’t a WordPress specific problem.

HTH!

At last I found someone with the same problem. I have just discovered the exact same thing in my index file. I deleted it all yesterday, let my host company know of this problem but it was back again today. Just different garbage this time. I have a very, very simple, 5-page site I designed myself a few years ago. No bells and whistles whatsoever. I looked through all the files and directories yesterday and everything seemed normal except for the index file. Now…. there were actually two weird little things that I didn’t add. Something in the folder called “m” and another one called “ksp.php” The one called “m” just had “index” in it. The other one had some scripting stuff which I have since found out is bad, too. The host company removed both of these things but it seems like my reoccuring problem with the garbage in index occured after they had removed these. I don’t know what to do? Any ideas? As I said, my website is boringly simple…. and I can’t see anything untoward in the files at all ?? Help!!!!!

Any ideas?

Besides what?

You dont even indicate what version of wordpress you are using.

here’s the wisdom:

1. you ought to be running wordpress 2.7

2. if youre not, and your site has already been exploited — then you need to ‘clean’ your web site and THEN upgrade.

3. If you are and your site is showing signs of being exploited right now, you were probably hacked before you upgraded.

there are tons fo threads on here that already address the process.

https://www.ads-software.com/search/exploited?forums=1
https://www.ads-software.com/search/hacked?forums=1

Lastly, what Alderin described is very common-place – no big surprise.