header.php hacked

You need to start working your way through these resources:

• https://codex.www.ads-software.com/FAQ_My_site_was_hacked
• https://www.ads-software.com/support/topic/268083#post-1065779
• https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
• https://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:

• https://sitecheck.sucuri.net/scanner/
• https://www.unmaskparasites.com/
• https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

Hello, is there a reason why you found the hack during update ?

Hello, is there a reason why you found the hack during update ?

The thing was accidental.Having arrived the notice of automatic update I went to check out the sites and I found three hacked, on three different servers, with the same template. But trying to use as the default template also the header.php was continually overwritten.

Thanks to kindly provided suggestions by Andrew Nevins I set patiently to work. Downloaded locally a copy of one of the sites, and scanned with Kaspersky and other antivirus tool, I could not find malicious code or viruses.

Restoring a backup copy of your website does not solve the problem.

From the reading of the site log files were not unusual access via ftp.

I then tried to disable all the administrator except my changing my password, which was already strong with a extrastrong created on the fly from the admin panel of wordpress site.

For more than 24 hours in any of three sites vine longer overwritten the header.php template and I’m happy, really happy!

I make this relationship that will perhaps help some other user with the same problem.

TANKS wordpress volunteers for the wonderful work!!!

Hi there.
The exact same thing is happening to me – literally the same file and the same code.

May I ask – what is the Theme you are using?

Hello,

Same problem here, but with older version of WP (4.3.x).

header.php content:

[ Redacted, do not post malware code in these forums ]

Decoded content:

[ Redacted, do not post malware code in these forums ]

There are no successful logins into FTP/WP-Admin (based on logs)… but somehow he managed to change header.php’s content.

What I’ve done:
– reset all user passwords
– replaced wp with the latest version from repo
– changed all salt keys from wp-config
– replaced all plugins with latest versions from repo

Hope everything is fine now! ??

and the same response — you’ve been hacked.

You need to start working your way through these resources:

• https://codex.www.ads-software.com/FAQ_My_site_was_hacked
• https://www.ads-software.com/support/topic/268083#post-1065779
• https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
• https://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:

• https://sitecheck.sucuri.net/scanner/
• https://www.unmaskparasites.com/
• https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

Thanks @sterndata! Already solved.

What theme are people using? Trying to find a common denominator.

@bgd01: custom theme

Please do not post malware code in these forums.

It really does not matter what the code is, that’s not how they got in and the code does not matter one bit. What matters is that the attacker got in. You need to delouse your installation or another compromise will happen again.

As already indicated, please remain calm and carefully follow this guide.

When you’re done, you may want to implement some (if not all) of the recommended security measures.