amcjoe
Forum Replies Created
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
Update: There are three index.php files changed.
— In WordPress root
— In wp-content
— In wp-admin
– JP
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
Back to the topic at hand, my site continues to be hacked overnight. Specifically:
— Malicious code appears in my footer. It begins with
<script>var dC
and continues with a long string of JavaScript.
— Virus protection blocks whatever it is attempting to do when I load a page (I use AVG). Turn off the virus protection, though, and you get rerouted to a malware site (don’t do this: I did it with great precaution and was blocked by my own security setup before I could get there).
— Yesterday, I overdid the correction and completely reloaded my site and restored my database from a backup. Of course, it worked but it was a pain.
— This morning I did a more careful look through. I noticed that my index.php file (in root) was modified in the very early morning. At the end there was new code added, which I won’t repeat here. It was similar to what was appearing in my footer. I deleted this code and now everything is fine.
It’s worth noting I am a Network Solutions customer (until tomorrow, at least) and I think it’s safe to say at this point this is their problem. Hackers have access to their servers and can simply change our files–this is why NetSol has twice this week changed my FTP password, including overnight tonight. I’m not a security expert, but I’m guessing they are able to detect the file changes after they are made, triggering the FTP password change; they just can’t stop it in advance.
Hope this is helpful. Sorry if there are inaccuracies or points that aren’t relevant to everyone.
– JP
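An added example (not part of the original posts, and not WordPress or Network Solutions code): a Python check over the three index.php locations named in these posts, reporting any that were modified recently or that contain a `<script` tag. The function names, the 24-hour window and the assumption that clean copies of these files contain no `<script` tag are illustrative, and the sample tree is constructed.

```python
import os
import tempfile
import time

# The three locations named in the posts, relative to the WordPress root.
INDEX_FILES = ["index.php", "wp-content/index.php", "wp-admin/index.php"]

def check_index_files(wp_root, since_hours=24, now=None):
    """Flag index.php files that changed recently or contain a <script tag.

    Heuristic (assumption): clean copies of these files hold no <script tag.
    """
    now = time.time() if now is None else now
    findings = []
    for rel in INDEX_FILES:
        path = os.path.join(wp_root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        pos = text.lower().find("<script")  # -1 when absent
        recent = (now - os.path.getmtime(path)) <= since_hours * 3600
        if recent or pos != -1:
            findings.append({"file": rel,
                             "recently_modified": recent,
                             "script_offset": pos})
    return findings

def build_sample_site(root):
    """Constructed sample tree: two clean files, one with appended script."""
    old = time.time() - 30 * 86400
    samples = {
        "index.php": "<?php\nrequire('./wp-blog-header.php');\n?>\n"
                     "<script>var x=1;</script>",
        "wp-content/index.php": "<?php\n// Silence is golden.\n?>",
        "wp-admin/index.php": "<?php\nrequire_once('admin.php');\n?>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(path, (old, old))  # backdate so only content triggers
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for finding in check_index_files(build_sample_site(d)):
            print(finding)
```

Comparing each file against a known-good copy from a local backup is a stronger check than this heuristic when such a copy exists.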
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
@clayton, I thought you’d be happy about Matt’s post!
You more or less asked shashib to define the “fundamental issue” that NetSol addressed with its fix. It would have been nice if they admitted it, but Matt’s post is enough for me.
Until next time . . .
Forum: Fixing WordPress
In reply to: SQL attack on wpress 2.9.2
Thanks to everybody for getting on this so quickly, especially dugbug and the folks at Sucuri.
One thing that may be of help for people with sites they still can’t access/administer:
It seems NetSol has been restoring databases from backup–mine was restored this morning around 9:30. They’ve also been changing database passwords.
So I have no idea when my site got hacked, or if it got hacked. All I know is that my site was down because the wp_config had my old password stored in it. I have ripped everything off the server, restored all files from a local backup, and changed my database again via NetSol and in my wp_config (I assume NetSol changed my password, but I thought it prudent to change it again just in case). Now everything is fine, assuming the chmod advice does the trick.
Note re: NetSol: I’m curious when/if they were going to let people know about what they were doing to protect the hack from spreading. When I called this morning, I got nothing but finger pointing at the “WordPress Community” and a promise to “escalate the issue.” Simply saying that they restored my database from backup and changed my password would have been helpful.
Going to be interesting to watch NetSol unwind this.
Thanks again, everyone. You are all collectively awesome.
-JP