1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

A little WordPress guidance needed.

Discussion in 'Blogging' started by TNphoneman, Feb 23, 2011.

  1. TNphoneman

    TNphoneman Senior Member

    Joined:
    Dec 15, 2010
    Messages:
    1,177
    Likes Received:
    695
    :feedback:Has anyone experienced this before?

    These two items I found located on my sites in the index.php files and on the web page they came up after the closing tags. The problem I am having is discovering the source. My computer is clean and other sites that I have done are not infected with this. It infected every default index.php file that is part of the wordpress install. What I have done so far to these is.....

    1. Changed the password and username for my hosting account.
    2. Changed the FTP password
    3. Used FTP to clean up all the files and then changed the file permissions to read only.

    Is there a plugin known to do this. Some sites are just sitting there with the default install. How do I go about locating the source? It is on shared hosting on GD for now.

    Thanks for any guidance.
     
  2. ouchthathurts

    ouchthathurts Regular Member

    Joined:
    Feb 16, 2011
    Messages:
    438
    Likes Received:
    654
    Occupation:
    SEO
    Location:
    Japan
    Im really new to creating websites/blogs but I think you have some malware hidden in your index.php. Sorry im not much use I dont know how or where it would have come form.

    Have you installed any plugins on your wordpress blog??
     
  3. TNphoneman

    TNphoneman Senior Member

    Joined:
    Dec 15, 2010
    Messages:
    1,177
    Likes Received:
    695
    virus total comes back clean.

    Plugins? Yea, that is why I asked if there was one know to place this crap on a site.

    It hit every wordpress installation on the hosting account.
     
  4. wickedguy

    wickedguy Supreme Member

    Joined:
    Jul 22, 2009
    Messages:
    1,402
    Likes Received:
    1,379
    Location:
    BHW--> South Africa
    Home Page:
    i suggest you disable all your plugins. After you disabled them all, check your index.php. If that code is still there, it's not the plugins.

    If the code disappeared, enable the plugins one by one and after each enable check the index file. You WILL then find the culprit.
     
  5. 2surfcr

    2surfcr Newbie

    Joined:
    Feb 15, 2009
    Messages:
    46
    Likes Received:
    6
    Respectfully, that is not entirely true. I used a version of SEOpressor from downloaded here or elsewhere and it hard coded a link into the index.php

    I found the link when checking outbound links from my site and, like you, thought of the plugins. Luckily, I only had one pirated plugin SEOpressor and turned it off but the link remained. I had another install using the same plugin and whammo the same link and hard coded.

    My suggestion is to look at the plugins that are premium plugins that you downloaded for free, and examine those first. There is a reason why BHW ask's for virus totals but I am not a expert in what exactly those virus scans look for. It does not take long to find the culprit especially if you have the code as shown above.

    FYI: Most plugins will pull their inserted code from the index.php when deactivated but that is not a sure thing.
     
    Last edited: Feb 23, 2011
  6. coxie

    coxie Registered Member

    Joined:
    Oct 18, 2010
    Messages:
    74
    Likes Received:
    11
    My money would be on it being a plugin, even disabling them might not remove it. You might have to remove it manually.
     
  7. TNphoneman

    TNphoneman Senior Member

    Joined:
    Dec 15, 2010
    Messages:
    1,177
    Likes Received:
    695
    I have removed it manually. I was just trying to figure out how it got there in the first place so I can remove the culprit. I do not have any pirated plugins on the sites at all.

    Guess I will have to get the shovel and keep digging. I can't find anything on the net other than those are in the index.php files.
     
  8. davijg

    davijg Newbie

    Joined:
    Jun 12, 2009
    Messages:
    38
    Likes Received:
    7
    I had a similar problem on a WP site, I would get hundreds of pharma links in my footer, every time I deleted the javascript it came back in days. I couldn't find a dodgy plugin or anything. In the end I installed WordPress File Monitor to let me know everytime something changes, then I would quickly go in and update the footer. I also changed my admin to something else. No problems now but I got the site banned from adsense!!