‘Hacked’ post, code was inserted

Try a forum search for hacked for info on what to do.

Did anyone find out how this was happening? I have exactly the same thing – I run a couple of blogs and one of them has now had the Webstats code above entered twice into a single post each time.

My post gets modified by ‘team’ about a minute after the post goes live on the site. I have no username called ‘team’ on my site so have no idea where this has come from. All my plugins and my WordPress is up-to-date. As far as I know, I have also locked my WordPress down – anyone got any ideas how to track how this hack has happened?

BTW searching hacked isn’t helping because I can’t find any posts with a similar problem…

Any help & ideas gratefully received ??

I have a copy of 2.7.1 that also got hit by this.

I just got hacked with the same code, and I’m also on 2.7.1.

This happened to me with earlier versions, and it was a matter of manually removing the code from the database (using phpMyAdmin) and updating from 2.5 to 2.7.1. I *think* it is an “SQL injection”, but not entirely sure how to fix the issue this time.

I’m going to create a new admin username, delete the “admin” user, and then change the names of the database tables (I’m using the default “wp_” prefix). Hopefully those steps will help prevent future hacks.

Meantime if anyone sees any other ideas, please post them!

Same code, injected into the middle of some, but not all, new posts, also on 2.7.1, although recently updated from 2.5 and I wouldn’t swear that it didn’t start in 2.5

couldn’t it also be some sort of plugin?

@pulmanomancer: I’ve only experienced this (as far as I know) in 2.7.1. Like you, it’s not all posts – it’s only happened twice so far and quite a few posts apart.

@cocaman: Yes, it is entirely possible it’s one of the plugins I run. I have quite a few running but all are fairly popular plugins. Although I actually have a couple of blogs all running pretty much identical plugins and only one of my blogs has been affected (*touch wood*).

I’m having the same problem. I hope someone shed some light on how to stop this happening.

I think the list of used Plugins can help the developer team and speed up the tracking process.

@nyirocsaba: Great idea.

These are the plugins on my site. Maybe if we can all say yay/nay on each of the plugins below we can see if there’s a common theme between us all?

WordPress 2.7.1

Akismet 2.2.4
All in One SEO Pack 1.5.1
AutoMeta 0.9
Breadcrumb Navigation XT 1.10.1
Category Widget Cloud 1.7
Category tagging 2.3
Collapsing Category MEnus 0.1
Democracy 2.0.1
Democracy Widget 2.0.1
Fancy Excerpt 2.9
Google Analytics 0.65
Landing Sites 1.4.1
Maintenance Mode 4.3
Most Commented 1.5.1
Optimal Title 3.0
Popularity Contest 1.3b3
Post Teaser 3.11.3
Related Posts 2.0.4
Search Meter 2.5
SEO Friendly Images 2.4.2
Simple Tags 1.6.6
Sociable 3.2.3
Wordpress.com Stats 1.4
Wordpress Database Backup 2.2.2
WP-ContactForm 2.0.7
WP-Cumulus 1.21
WP Page Numbers 0.2
XSD Snapr 1.51

Akismet 2.2.4
Embed Iframe 1.0
Thumbnail Viewer 1.2

also you should search in admin area for posts with “iframe”
“noscript”, “Traffic Statistics”

https://groups.google.com/group/stopbadware/browse_thread/thread/777d1477f03cd643

we also should search for weird users in admin area, also suspects are the theme files

My guts tell me that you are infected with an older version of wordpress
and now you have an rogue user even after upgrade

but it could be an exploit in wordpress too

I did have weird users when I first noticed, but after deleting all of them and changing the password on the admin account, I’ve gotten at least one more.

The only active plugin I have is akismet

The theme I use is custom, and has been there for two years without problem (until recently).

To add to my plugin post, I have no users in the system other than me.

Don’t think it is a user issue for me either. I have two users registered, both of which are fine. New users cannot register on the site.

My theme is custom – I’m using WP-Glory.