SQL Injection?

They’ve inserted more code than the one in your index.php. Look for backdoors!

Hi fyllhund, thanks, I assumed as much, any pointers of where to look?

https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

https://ottopress.com/2009/hacked-wordpress-backdoors/

HI, thanks for the links I’ll take a look, the 2nd one doesn’t appear to work?

2nd was working yesterday
give it some time and try again

https://blog.sucuri.net/2011/09/ask-sucuri-what-about-the-backdoors.html
https://blog.sucuri.net/2011/10/evil-backdoors-part-ii.html

instead then.
ottopress is down though.

still recommend going through your whole database and check for hidden iframes etc.

HI, I have noticed that the hack reappears when a new post publishes, any ideas which files would be involved in this process so that I have a starting point?

I am having the same problem, this is changing ALL index.* files in the root folder of all domains on the same server, it is also adding the javascript to any file named login.* in the root folder of the domains as well.

You can stop it by changing the permission on index.php to 444 (or 0444)

Can you list what theme and what active plugins you are using and also any urls of rss feeds you are publishing from other sites.

If you dont want to list all that on here then I can setup an email address for you to send it to.

I can see if I have any of the same themes, plugins or rss feeds on any of my WP sites and we can start to find out what is causing this.

Thanks.

P.S my hack went to ner-aller.com DO NOT VISIT THIS SITE! and the site then infects your computer with the zbot.g virus.

You can view the coded and uncoded javascript that is being added here:

https://jsunpack.jeek.org/?report=09993f18392e6e53a20c5f4034e591b9d2b51ab6

Hi Valdor,
Yeah mine os from the same URL, I dont have any files names ‘login’ in the route folder but the index file is affected every time I publish a new post.

I use the ‘Convergence’ theme and whenever the file is overwritten it affects the formatting (which is handy as this lets me know that the file has been overwritten).

I have changed the permissions on the index.php to 444 (thanks for that)

I have re-uploaded the theme files and we went through the wordpress install files and DB but did not find anything (we even scanned the installation with a number of online tools and they did not find anything.

I dont think that the plugins had anything to do with the hack as I deleted all of the plugins and the hack still reoccurred.

I have just reported the URL on ‘https://privacyprotect.org’, I suggest you do the same and if found to be involved in spreading viruses, they will release the information of the owner of the URL.

Feel free to email me on [email protected].

Cheers ??

I’m having the same problem: everything up to date but that line of code keeps getting added to the index template (and no where else I can find). I just turned off write permissions for the index file, but am a little worried about how what the exploit is that lets it in in the first place.