ThorHammer
Forum Replies Created
Forum: Fixing WordPress
In reply to: Huge error_log file
And beware: this *might* be an indication that somebody is trying to hack the site.
Forum: Fixing WordPress
In reply to: Malware in DB – how to identify
And I have just emptied and dropped this row. Everything works as it should.
It will be very interesting to see if this has any effect, among all the other things I have done, to prevent further malicious code injections.
Forum: Fixing WordPress
In reply to: Malware in DB – how to identify
No, José, I am using another FTP client, and yes, I have recently found a trojan on my PC and killed it. I have not checked if this client stores the login information unencrypted as FileZilla does (as a very visible text file).
But still: the table row I found in my options really does look suspicious.
Forum: Fixing WordPress
In reply to: Malware in DB – how to identify
Yes…because, it might be easy just to query the db and get this very, very important information…
Forum: Fixing WordPress
In reply to: Malware in DB – how to identify
Yes, Esmi. In the OPTIONS table I have a row with option_name: ftp_credentials
The value is (almost – but it is straight forward the real ftp address and the real ftp login name and yes, it is marked autoload YES):
a:3:{s:8:"hostname";s:14:"webnumber51.theserver.com";s:8:"username";s:5:"the-real-username";s:15:"connection_type";s:3:"ftp";}
Forum: Fixing WordPress
In reply to: Malware in DB – how to identify
The information WordPress needs in order to update plugins, themes and core is stored in the wp-config. The information I found in my DB (Options table) (the row with ftp_credentials) is actually the complete information needed to get full ftp access to my server…! This cannot be a standard WordPress insert?
Forum: Fixing WordPress
In reply to: Malware in DB – how to identify
After googling myself to death I have found something that might be a very, very odd row in my OPTIONS table:
SELECT * FROM `my_damn_database`.`my_damn_database_options` WHERE ( CONVERT( `option_id` USING utf8 ) LIKE 'ftp_credentials' OR CONVERT( `option_name` USING utf8 ) LIKE 'ftp_credentials' OR CONVERT( `option_value` USING utf8 ) LIKE 'ftp_credentials' OR CONVERT( `autoload` USING utf8 ) LIKE 'ftp_credentials' ) LIMIT 0 , 30
Should I delete this row? Now?
Forum: Fixing WordPress
In reply to: Malware in DB – how to identify
Yes, I do have an old DB backup, but I miss of course some entries in it. And yes, I have changed all passwords – everything.
Forum: Fixing WordPress
In reply to: Malware in DB – how to identify
Yes, I have spoken to them, but they are not willing to take any responsibility.
By the way, the code inserted into my .htaccess and my theme's header is easy to find; it always starts with: #336988#
with the code between and ends with a trailing slash.
In htaccess this entry is cleared:
RewriteRule ^(.*)$ https://digitalphoto-art.it/traf.php [R=301,L]
The malware code in the header template is PHP echoing a JavaScript which starts like this:
dbshre=220;try{window.document.body*=2}catch(gdsgsdg){if(dbshre){zaq=0;try{v=document.createElement(\"div\");}catch(agdsg){zaq=1;}if(!zaq){e=eval;}ss=String;asgq=new Array(31,94,11
etc etc.
Forum: Fixing WordPress
In reply to: Malware in DB – how to identify
Thanks for your reply. Sadly, my upload dir is clean as water. All years. Each month… I have checked everything. It has to be something in the database.
Sure, I only told it an easier way. I did as I mentioned, and I got rid of the infections.
And I will never again hesitate to upgrade.
I guess the malicious code in the header starts with a php declaration
<?php
Then you will probably see something like this: #336698 followed by a javascript call and a lot of encoded characters. Delete everything.
THEN you will probably find malicious code in the top of your htaccess, starting and ending with something like this: #336698. Delete everything.
Further action:
Change password to your control panel, database user (make them STRONG) and of course your admin account. Generate a new salt code and change in wp-config.
Then you will probably find a lot of php.ini files in almost every folder. Delete them. You will also find php_errorlog(s) scattered around. Delete them.
Then you must re-download WordPress and your theme and your plugins. Start with your theme. Delete every file and upload fresh files. Do the same with WordPress, but be sure that you don’t delete your wp-config. Then do the same with plugins. Deactivate and delete and re-upload and activate.
Open your wp-config and compare it with the sample wp-config. Any BIG differences? Be sure that no malicious code is left.
Delete ALL .TXT and readme.html and license files. (They provide hackers with detailed information about the versions of your WordPress and plugins, so they can use known vulnerabilities in order to destroy your site).
THEN you should add some serious htaccess-rules. Read more here:
https://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess
OR you could install some security plugins like BulletProof Security or Wordfence. Go for the pro versions, it will not cost you anything compared to the time and hassle spent on cleaning your site.
With all these tasks accomplished, everything might be fine. For the future: Be SURE that you ALWAYS have the latest WP running and that you ALWAYS have the latest versions of plugins. When an update is ready, you should install it immediately.
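An added example, not part of the original post: a read-only Python scan for the artifacts the cleanup steps above look for (numeric `#NNNNNN#` markers in `.php` and `.htaccess` files, a catch-all 301 rewrite to an absolute URL, and `php.ini` or `php_errorlog` files in subfolders). The exact marker pattern, the names `scan` and `demo`, the host `redirect.example` and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: injected blocks are bracketed by markers such as "#336988#",
# with an optional slash in the closing marker.
MARKER = re.compile(r"#/?\d{6}#")
# Catch-all rule that 301-redirects every request to an absolute URL.
REDIRECT = re.compile(
    r"^\s*RewriteRule\s+\^\(\.\*\)\$\s+https?://\S+\s+\[[^\]]*R=301", re.I | re.M)
STRAY_NAMES = {"php.ini", "php_errorlog"}  # names taken from the cleanup steps

def scan(root):
    """Return sorted (relative_path, reason) findings; nothing is modified."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Assumption: a php.ini in the site root may be legitimate.
            if name in STRAY_NAMES and dirpath != root:
                findings.append((rel, "stray file"))
            elif name == ".htaccess" or name.endswith(".php"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                if MARKER.search(text):
                    findings.append((rel, "numeric marker"))
                if name == ".htaccess" and REDIRECT.search(text):
                    findings.append((rel, "catch-all external redirect"))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (all file contents are made up)."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "sample")
        os.makedirs(theme)
        samples = {
            os.path.join(root, ".htaccess"): "#336988#\nRewriteRule ^(.*)$ "
                "https://redirect.example/traf.php [R=301,L]\n#/336988#\n",
            os.path.join(theme, "header.php"): "<?php\n#336988#\necho 'x';\n#/336988#\n?>\n",
            os.path.join(theme, "style.php"): "<?php // colour #336699 is not a marker\n",
            os.path.join(theme, "php.ini"): "display_errors = Off\n",
        }
        for path, content in samples.items():
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:28} {rel}")
```

Point `scan()` at a copy of the site's document root; a hit is a reason to compare the file against a fresh download, not proof of infection.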
Forum: Plugins
In reply to: [BulletProof Security] [Plugin: BulletProof Security] Block IPs
And when I do so, the plugin styling disappears and I get a 500 and have to go to the root and delete the .htaccess….
Try to include the content within the headers H1.
Forum: Networking WordPress
In reply to: Comments in multisite and moderation
YES!
It WAS Akismet! I had to enter my good old API code to every single site in the multisite and – voila!