Help needed – War to hackers

You know this blog has been attacked several times by hackers (or crackers, call them whatever you want, I can’t tell you what I would call them).

I tried everything, such as 10 ways to secure your WordPress blog and changing the hosting.

Attacks continue, with injection of malicious code into JavaScript files.

I had my hosting service, HostGator, monitoring the activity on the blog and they said “We found a few PHP shells on your account and removed this. This indicates that you have insecure scripts on your account. Please review each script and ensure that you are running the latest versions”.

Obviously I am running the latest versions of everything, so I really do not know how to prevent the site from being hacked almost every day.

That’s why I need you… I am not a security expert but maybe some of you are.

I need some hints and tips about finding this insecure script and removing it once and for all.

I will update this post with all information you need.

If you are a security pro, I can pay for your service or can give you a lifetime ad somewhere in the blog (but I’d prefer to pay :))


The blog has been attacked again. Look how they modified the jquery.js file (screenshot not reproduced here):


And this is the injected code (screenshot not reproduced here):

  • Chris

    Hey. If you’re running 3rd-party applications, they might have malicious code or code that isn’t fully validating the user input.
    If you have uploads or whatever else on your blog, it might be the same.
    Also be sure to have the latest WP version, since there are many sites spreading security holes and they have crawlers searching for sites with those versions.

    Just never trust the user.
    I’ve been wondering why Mozilla was saying that the site was malicious anyway.
    If you could give more information, it would be useful.

    Hope I could help a bit.

  • big fan of your blog
    Do you use a Windows OS and FileZilla as your FTP client? I had the same problem (iframe and script injection) due to FileZilla.

  • Emanuele Feronato

    @chris: I have some plugins, I can list them all if you need

    @niraj: yes, I have FileZilla and various Windows OSes (XP, Vista and 7) on the computers I use to manage the blog.

  • Nick

    One of the plugins can have a leak.

  • Emanuele Feronato

    OK, I’ll list my plugins. Meanwhile I got another attack.

  • Chris

    I’ll look into it when I’m back at home. Sitting in the train now ;)

    But it really looks like some malicious assembler code that they try to run.
    I’ll take a look at it. Also you could send me a mail with your plugins and WP version so I can check out which of those may be the problem (and check the dark side of the web for exploits).


  • Chris

    Btw, in the meantime, try loading jQuery from the Google servers so you don’t have to have it locally.
    Maybe that will at least stop this exploit till I or someone finds the problem.

  • Chris

    Okay it seems it’s the
    I also could find many threads concerning the same problem.
    Most of them tend to change the FTP password, and for WordPress this link:

    Maybe someone found out your password due to you using the same password as for the FTP on some untrusted sites..

    Since I really can’t imagine how they could change files on the FTP other than having the password or having a bad hoster.

  • dear Emanuele
    Some bad guys/programs were able to get in and get the password stored in FileZilla (every FTP login we type in FileZilla gets stored somewhere; it later shows the list when we click on the arrow button).
    I was able to get rid of the attack by
    1) manually removing all the injected scripts
    2) changing the FTP password
    3) never using FileZilla again as FTP client; I switched to CuteFTP

    And one thing I noticed was the hackers used to inject files in a regular time frame, like once in 2 hours, 5 hours or once a day.

  • mel

    Hi. I’m not a security expert, but this sounds just like the kind of problem we had at work half a year ago.

    This was the problem:
    1. we received a mail from our ISP telling us that they found some malicious stuff on our server.
    2. we checked, and it was true, some files had some weird code added into them, very similar to the stuff I see in jquery.js
    3. deleting these lines didn’t help, since they appeared again and also in different files.

    I had to look into this. This is what I found:

    To get right to the point, the reason the server was infested was because none of the PCs at work had virus protection lol. The problem was that one computer that had access to the server (had username/password stored) was infested with a trojan horse. So what did this trojan do? It connected to the servers it had the passwords for and started infesting files it found on the server, mainly php files in this case..

    So basically all the servers that I had stored usernames/passwords for in FireFTP or CuteFTP were infected, as I later found out. ouch!

    niraj mentioned iFrame; we had something to do with that as I remember, the trojan adding weird lines between iFrame tags if I remember right.

    How to get rid of this:
    1. scan all the computers that have access to the server, or change the server user/pass and scan your computer
    2. I suggest doing an online scan! TrendMicro free online scan:
    3. when you are clean, I would change the server user/pass again
    4. now the server – what I did was remove the virus by hand (deleted the lines in the files in Notepad), but I suggest you follow the tutorial Chris posted. The point is to get rid of all the trojan-added lines in your server files – either do it by hand or with a virus protection

    my employer went and bought protection for all computers after that, that was a good lesson for him :)

    always use virus protection on your computer! Remember that supposedly around 80% of anti-virus programs that are cracked and downloaded from the web have trojan viruses already in them!

    hope this helps, you have helped me a lot :)

  • Chris

    As mentioned before, the attacker must have had direct control over the FTP or control over some plugin that had upload privileges.
    Or he just had a way to upload a prepared PHP file which he can use as an FTP client.
    Therefore he can do all the things you could do -> execute shell cmds, upload/download stuff, get the password of the database and maybe as well for the FTP.

    Some options:
    – Try to detect and delete ALL backdoors he has opened. That’s kinda hard, since you can’t be sure.
    – Fresh install with the newest version, using a working backup (though you might not have backups or you can’t be sure they are clean).

    Also as niraj mentioned: AntiVir tools! Surfing without them is just insane.
    But I’m sure you are using some kind of, so I don’t want to tell you not to use *.exe from people and sites you don’t really know ;)

    Hopefully you can get rid of those scriptkiddies..

  • Hey man, there is a little trick to make sure that files won’t be modified. Just disable the write permissions. Try to remove all write permissions from .js or .css files.

  • Emanuele Feronato

    thank you to everybody.

    I have McAfee Security Center installed, obviously an original registered version.

    Now I am scanning the PC with HouseCall; I’ll update you when done.

  • Have you ever considered switching to a CMS besides WordPress? Or even making your own? For the low amount of features in WordPress that you actually use, I think it may be worth making your own system for posts. That way the exploits wouldn’t be very well known.

  • Concerned User

    I can help. Email me please.

  • Chris

    I wouldn’t recommend that, since that would take much time and most self-made stuff isn’t secure enough (because people forget to validate and sanitize data…).

    @Ramon: That won’t protect it from being exchanged or modified if the cracker has the FTP password.

  • I don’t understand why bad people attack your website. Anyway I hope you solve the security problems.

    This is the best blog ever.


  • Niall

    McAfee is your first mistake, haha. Slow, bloated, overall not very good in my opinion; Avira AntiVir all the way.

    Change your jQuery src to the Google APIs one – – preventing more injection, and it’s commonly used so it’s likely it’ll decrease load time as it’s already in the user’s cache.

  • Guest

    i think your problem is WordPress… since it’s open source, it has a lot of exploits, some are fixed others are not even known yet, and the hackers find new exploits every day…

  • AnotherGuest

    Maybe screaming “My website is being attacked because it has security issues that I can’t figure out” is not the best way to avoid being attacked even more?

    Just a thought…

  • It looks like it could be a plugin, or even the host isn’t performing right on the security. Why don’t you change the file CHMOD to make it inaccessible? Maybe that could stop the idiots hacking you.

  • Andrew J

    I’m no expert, but I’d guess that listing a load of information about the blog could make it even easier to hack.

  • KrazyBig

    Is this a SQL injection attack or file modification? If it is the latter, you should be able to chmod the permissions on the WordPress directories to prevent the modification of files. I used to have a few problem with hacks on some of my sites but since making that change, I haven’t had any issues.

  • Hi,

    Sorry to hear that your blog is being hacked. I am no security expert but a similar problem happened to me on one of my game sites made in WordPress. I downloaded my whole site to my local drive. Then I scanned every file, like php and css and js, and removed the encoded functions stored by the hackers. Online I deleted all the files in my web directory. I installed a fresh copy of the latest WordPress with the latest versions of the plugins I use. Then from the online file manager I uploaded the required files like the themes and uploads folders. I had to reconfigure some settings. :( . There is a security hole in the commenting system in WordPress I guess. So I had to disable user comments. I think you should change your FTP software. Never store any password in any program on your computer. These programs might have security leaks which can be exploited. I use Kaspersky Internet Security and it’s good.
    I have learnt a lot from your blog and tutorials.
    Wish your all the best.

  • Upgrade to the latest version of WordPress

    Change FTP login and password

    Check if the plugins have bugs

    Scan the site for open ports from a backdoor

  • Hi Emanuele

    I decoded that string. It’s a bunch of Java and PHP code, but I don’t know any of these languages. I used Flash to decode it.

    My advice is to disable the eval() function. It’s used a lot of times, over and over again, until the whole code is recreated to its original state, after which it is executed.

  • Now you have trojans.
    2009.12.11 15:53:02 Firefox Denied: Trojan-Downloader.JS.Twetti.a

  • Emanuele Feronato

    some quick info:

    1) CHMODding the files did not stop attacks

    2) Sometimes the FTP time does not even change

    3) My computer is clean, but I have to admit I used a password that’s not unique in all accounts I registered around the web… I am going to change it with a new, unique one, and we’ll see what happens.

  • Chris

    CHMOD will only change the permissions of the files. But if the hacker has the FTP login, it’s useless.
    If he is using other plugins that need 777 CHMOD, Emanuele can’t change it or the plugin won’t work.

    Also, people, read what others have suggested already… I think everything has been said now at least twice.

    Emanuele, didn’t you want to list the plugins you’re using and the WP version? You can also try to hack yourself: search the exploits (i.e. that fit your version and try them. If you have success, you know you have either to upgrade or fix it on your own. (Mostly these are blind SQL injections in some parts when WP or a plugin isn’t escaping the user input.)

    I hope you can get rid of those attacks soon.

  • Emanuele Feronato

    My plugins are:

    Akismet Version 2.2.6

    MobilePress Version 1.1.3

    Multi Column Category Version 1.0

    WordPress Exploit Scanner version 0.7

    WordPress Firewall version 1.25

    WP-PostRatings version 1.50

    WP-Syntax version 0.9.8 (without the “test” directory that can be exploited)

    WP Extra Template Tags version 0.4

    WP Page Numbers version 0.5

    WP Security Scan version

  • Avi

    I posted my earlier comments in the wrong post. Apologies. However our offer still stands. Do let us know if you need our help.

  • PA

    Recently my site was also affected with similar stuff. I was using FileZilla FTP, Windows OS.

    IMPORTANT -> Stop using FileZilla or any other FTP client to access your websites for some time.

    1) Contact your hosting support, provide them with the exact code & ask them to search for the code in all your files, especially .js files in the plugin folder.
    2) Change all your passwords – FTP, mail, logins – everything
    3) Ask the support for FTP access logs (they have access, if you are on shared hosting) & look for previous login attempts from IPs other than yours.
    4) If you find a login is made from that specific IP in your FTP log, even after changing the password, change it once again!!

    In such cases, your hosting support must co-operate with you in eliminating all this.

  • I checked your server; there are too many open ports, including a port running an unknown service.

  • I’ve seen a similar issue where a PC was infected with a Gumblar variant (up-to-date AV didn’t recognise it!) which sniffed FTP details. The outgoing data also bypassed a firewall by attaching to an svchost instance. So don’t be too sure a quick scan will give you an ‘all clear’ for this route of vulnerability. The way to -know- and not -guess- how the attack is happening is to check server logs against the modification time of infected files and correlate users/IPs/access at that time. Once you -know- how the attack happened you can sort it rather than stumbling from one ineffective solution to another. I’ll reiterate again – don’t use shared hosting (shared hosting is a complete waste of time for professional use – can’t modify firewall rules, e.g. lock FTP to your own IP, often can’t get access to FTP logs, can’t change Apache/FTP user permissions, no SFTP or SSH etc etc).

  • Andrea, he’s running on a hostgator host – he cannot make changes to the overall server config that would make any difference, and it’d be unlikely that a shared server with 1000’s of people on it has been rooted. I’d take the hostgator advice with a pinch of salt, it’s a standard canned reply, the tier of support staff you will deal with at large companies like this haven’t the knowledge or time to really get to the bottom of the cause.

  • Emanuele Feronato

    I changed the FTP password and have never used the FTP since then, but attacks continue.

    I think there is an unsanitized PHP file executing scripts… but I can’t find it…

  • Vadersapien

    If you never get to find it, I think the best thing to do would be delete everything on the server(maybe keep MySQL tables), and restore from a backup…although that PHP file might have existed when you hosted the site on the other server, explaining why the attacks carried over between servers…

  • If you’re sure it’s not via FTP, scanning your HTTP access logs and correlating those with file modification times is the next step.
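What Andrea’s comment and this one both ask for, correlating the server’s logs with the modification times of the altered files, as an added Python example that is not code from either comment. It checks both channels at once: an xferlog (the transfer log format of wu-ftpd/ProFTPD, which most shared hosts can hand over) for uploads, and the Apache access log for requests to a dropped PHP file. The log lines, the file times and the account path are constructed for the demonstration; the window sizes are assumptions you would tune to the server’s clock accuracy.

```python
import re
from datetime import datetime, timedelta, timezone

DOCROOT = "/home/blog/public_html/"   # assumed account path as it appears in xferlog

# Constructed: modification times (UTC) of the altered files, as `stat` reports them.
MODIFIED = {
    "wp-includes/js/jquery.js": datetime(2009, 12, 14, 3, 12, 40),
    "wp-content/themes/t/footer.php": datetime(2009, 12, 14, 3, 12, 38),
}

# Constructed Apache combined-format access log lines.
HTTP_LOG = """\
198.51.100.5 - - [14/Dec/2009:03:10:02 +0000] "GET /2009/12/some-post/ HTTP/1.1" 200 18340 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2009:03:12:31 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Dec/2009:03:12:39 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"
198.51.100.9 - - [14/Dec/2009:05:40:11 +0000] "GET /wp-includes/js/jquery.js HTTP/1.1" 200 57000 "-" "Mozilla/5.0"
"""

# Constructed xferlog lines; the 12th field is the direction, 'i' = upload into the account.
FTP_LOG = """\
Sun Dec 13 22:05:10 2009 2 192.0.2.10 5123 /home/blog/public_html/wp-content/themes/t/style.css a _ i r blogowner ftp 0 * c
Mon Dec 14 03:12:40 2009 1 203.0.113.7 57801 /home/blog/public_html/wp-includes/js/jquery.js b _ i r blogowner ftp 0 * c
"""

HTTP_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_http(line):
    """One combined-log line -> event dict (timestamp normalised to naive UTC)."""
    m = HTTP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc).replace(tzinfo=None)
    return {"channel": "http", "ts": ts, "ip": m["ip"],
            "detail": f'{m["method"]} {m["path"]} -> {m["status"]}'}


def parse_xferlog(line):
    """One xferlog line -> event dict for uploads only; downloads are ignored."""
    f = line.split()
    if len(f) < 18 or f[11] != "i":
        return None
    ts = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")  # server local time, assumed UTC
    path = f[8]
    rel = path[len(DOCROOT):] if path.startswith(DOCROOT) else path
    return {"channel": "ftp", "ts": ts, "ip": f[6], "path": rel,
            "detail": f"upload of {rel} as {f[13]}"}


def correlate(modified, http_lines, ftp_lines,
              window=timedelta(seconds=60), skew=timedelta(seconds=5)):
    """For each altered file, every log event in [mtime - window, mtime + skew].
    An FTP upload of that very path is marked direct; the rest is context."""
    events = [e for e in map(parse_http, http_lines) if e] + \
             [e for e in map(parse_xferlog, ftp_lines) if e]
    events.sort(key=lambda e: e["ts"])
    report = {}
    for rel, mtime in modified.items():
        report[rel] = [{**e, "direct": e.get("path") == rel}
                       for e in events if mtime - window <= e["ts"] <= mtime + skew]
    return report


def suspect_ips(report, known_ips):
    """Addresses active around a modification that are not the owner's."""
    return {e["ip"] for hits in report.values() for e in hits} - set(known_ips)


if __name__ == "__main__":
    report = correlate(MODIFIED, HTTP_LOG.splitlines(), FTP_LOG.splitlines())
    for rel, hits in report.items():
        print(f"{rel} modified {MODIFIED[rel]}")
        for e in hits:
            flag = "  <-- direct" if e["direct"] else ""
            print(f"   {e['ts']} {e['channel']:4} {e['ip']:15} {e['detail']}{flag}")
    print("IPs to investigate:", suspect_ips(report, {"192.0.2.10"}))
```

On the constructed data, jquery.js is explained by a direct FTP upload from an address that is not the owner’s, while footer.php has no FTP upload at all, only POSTs to a PHP file under wp-content/uploads seconds before its mtime, which is what a dropped shell being driven over HTTP looks like. That second pattern is the one to look for when the FTP password has been changed and the modifications continue; the owner’s own address goes into the known set so the remaining IPs are the ones to block and to search for across the whole log.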

  • oh man, I got the same attack a few weeks ago.
    What you HAVE to do – as Vadersapien said:
    purge your http directory, upload the latest installation of WP and connect it to your MySQL tables. Or restore a backup from BEFORE (you have to be 100% sure) your http was modified.

    How these attacks work:
    you lost your password to TrojanX, TrojanX sent all FTP info to special serverY, and left a PHP file in case you change the pass. Server Y each day, each time, tries to do the same script for each access that it has; if the access is not working, it will try the PHP file; if not – the attacks will probably stop.

    This whole process is automatic, so it has to be nothing personal, just some hackers doing what they can to get extra $ =(

  • Jafar

    Try using N-Stalker to search for threats. It’ s really a good program :)
