My wordpress site has been hacked. Through this program:
http://sitecheck.sucuri.net/ (…)
i found that it concerns 2 files (for now) and it is. js files.
….dk/wp-includes/js/l10n.js? ver = 20101110
….dk / wp-includes / js / jquery / jquery.js? ver = 1.6.1
It is some kind of Trojan (Cruzer B). The inserted (by the attacker) code is quite evident in both files (have seen it via Notepad)
The original code of one of the files looks like this:
function convertEntities (b) {var d, a, d = function (c) {if (/&[^;]+;/. test (c)) {var f = document.createElement (“div”); f. innerHTML = c; return! f.firstChild? c: f.firstChild.nodeValue} return c}; if (typeof b === “string”) {return d (b)} else {if (typeof b === “object “) {for (a in b) {if (typeof b [a ]===” string”) {b [a] = d (b [a ])}}}} return b}; was
Can I just manually delete the hacked code in both and expect that the site is working again or will I even destroy more stuff?
Download a new copy of WordPress (making sure to get the same version), extract it and see if the files are present.
If they are, replace the files in your installation with the originals.
If they’re not, you should be able to delete them.
I recently cleaned up a site with the same exploit which was caused by an insecure script timthumb.php
First make sure you replace timthumb with the updated version. If you already replaced all the WordPress files you need to make sure your theme files are all clean (even non activated themes).
I also found the shell script hidden in the servers /tmp directory and in wp-config.php which you might not have replaced. In wp-config.php the malicious code was hidden after 3000 blank lines so make sure you are really at the end of any file you are checking.