site hacked, can't figure out where the bad code is

dakota5369

my site got hacked and it's killing me. i am computer stupid, so this code stuff is foreign to me. i just use a wordpress template. anyway, i changed all passwords, updated plugins, etc. but i have no idea where to go to find this bad code. i keep hearing the htp access file, but there is nothing there. i checked it on sucuri and i get stuff like this:

Web site defaced.
Details: http://sucuri.net/malware/entry/MW:DEFACED:01
</br><script type="text/javascript" src="http://K4C3-Undetected.googlecode.com/files/K4C3 Undetected.js"></script><TITLE>MFP'./Saints.R-H4CK</TITLE> <br/><font face="Nosifer" size="7" color="red" class="a">PLEASE PATCH </font><font face="Nosifer" size="7" color="white" class="a">YOUR SYSTEM NOW!!!</font><link href='http://fonts.googleapis.com/css?family=Averia+Sans+Libre' rel='stylesheet' type='text/css'><link href='http://fonts.googleapis.com/css?family=Orbitron%3A700' rel='stylesheet' type='text/css'><link href='http://fonts.googleapis.com/css?family=Nosifer' rel='stylesheet' type='text/css'><meta name="Description" content="Has Been Hacked by Saints Hacker Team "><script language="JavaScript">function tb5_makeArray(n){ this.length = n; return this.length;


and

Web site defaced.
Details: http://sucuri.net/malware/entry/MW:DEFACED:01
</br><script type="text/javascript" src="http://K4C3-Undetected.googlecode.com/files/K4C3 Undetected.js"></script><TITLE>MFP'./Saints.R-H4CK</TITLE> <br/><font face="Nosifer" size="7" color="red" class="a">PLEASE PATCH </font><font face="Nosifer" size="7" color="white" class="a">YOUR SYSTEM NOW!!!</font><link href='http://fonts.googleapis.com/css?family=Averia+Sans+Libre' rel='stylesheet' type='text/css'><link href='http://fonts.googleapis.com/css?family=Orbitron%3A700' rel='stylesheet' type='text/css'><link href='http://fonts.googleapis.com/css?family=Nosifer' rel='stylesheet' type='text/css'><meta name="Description" content="Has Been Hacked by Saints Hacker Team "><script language="JavaScript">function tb5_makeArray(n){ this.length = n; return this.length;

and

Web site defaced.
Details: http://sucuri.net/malware/entry/MW:DEFACED:01
</br><script type="text/javascript" src="http://K4C3-Undetected.googlecode.com/files/K4C3 Undetected.js"></script><TITLE>MFP'./Saints.R-H4CK</TITLE> <br/><font face="Nosifer" size="7" color="red" class="a">PLEASE PATCH </font><font face="Nosifer" size="7" color="white" class="a">YOUR SYSTEM NOW!!!</font><link href='http://fonts.googleapis.com/css?family=Averia+Sans+Libre' rel='stylesheet' type='text/css'><link href='http://fonts.googleapis.com/css?family=Orbitron%3A700' rel='stylesheet' type='text/css'><link href='http://fonts.googleapis.com/css?family=Nosifer' rel='stylesheet' type='text/css'><meta name="Description" content="Has Been Hacked by Saints Hacker Team "><script language="JavaScript">function tb5_makeArray(n){ this.length = n; return this.length;



so where the hell is this script and how do i fix it? it's driving me crazy and my host (siteground) is willing to help for just $200. i don't have the money to pay that. any help would be appreciated
 
If you are using wordpress just login on your FTP and search for files which are not from wordpress. Just open the other website you have and see what are the default wordpress files (PHP, folders)
 
This plugin should help...

Code:
http://wordpress.org/plugins/gotmls/
 
that's the problem. i don't really know what is from wordpress. i do have another site, same theme and everything. the only difference is the infected one has a ton more content and a forum was attached to the infected site as well. i compared and these are the files that are on my infected site but not on the one that is ok. i am hesitant to delete anything because i don't want to jack up my site. it is basically 2 years of info that i don't want to lose

files maybe to be deleted:

attachments
css
data
forums
home
include
installation
pbipages (my website is pro boxing insider, so that is pbi)
resources

(those were all folders)

robots.txt
server.php
sitemap.xml
sitemap.xml.gz
publication list.xml
menu.xml
page1.php (it has page 1 thru page 7)
init.php
htaccess
gazpomag.zip
f70a31916f6384ca30ec24e0d0a6c68b.php.
htaccess
htaccess.bkp
htaccess.bk
htaccess.old
config.php


like i said, without knowing what they are i am scared to just start deleting stuff
 
i added that wordfence plugin, but when i ran a scan, it showed nothing. is this a better option?


also, in the backend of my site on the plugins page, i get these messages. not sure if related and i don't know what it means

-FTP credentials don't allow to write to file /home/proboxin/public_html/.htaccess

-W3 Total Cache Error: Files and directories could not be automatically created to complete the installation.
Please execute commands manually
or use FTP form to allow W3 Total Cache make it automatically.
 
Hi,
Download all your website from your FTP to a new folder on your PC.
Use the software of your choice (notepad++ for example) and do a "find in a folder" search for "Saints Hacker"
You'll find what you need ;)
 
i just deleted my entire forum. it appears vbulletin got hacked bad and i was using an old borrowed version. so i wasn't gonna be able to keep it secure i think. thanks for those who helped
 
The next time just install SMF Forum. It's free and is easy to use. When you "borrow" scripts from the web always check them for "bad" code. You can use this http://www.fileseek.ca/

Three things: up in the left corner of the WP admin panel is a button about reinstalling WP. It does what it says; this will clear any modified files.

Then install Wordfence. Let Wordfence scan the system. It will show all files that are different from what is in the official repositories and point you in a direction.

Number three, Siteground keeps backup copies for 90 days of your site and you can access these through cpanel. Restore your site to the day before the defacement.
 
I have heard of some people offering free templates to people because there are backdoors in them and vulnerabilities.
So can you trust the person who wrote the template?
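
The file-level checks suggested in the replies above (search a downloaded copy of the site for the defacement text, and compare it against clean WordPress files), sketched as an added example that is not part of any post in this thread. The marker strings come from the Sucuri output quoted in the first post; the `triage` function, its report keys and the hex-file-name heuristic are assumptions made for illustration.

```python
import hashlib
import re
from pathlib import Path

# Strings taken from the defacement HTML quoted in the first post.
MARKERS = (b"Saints Hacker", b"K4C3-Undetected", b"Saints.R-H4CK")
# Heuristic (an assumption): PHP files named with 32 hex characters, like the
# one in the poster's file list, are rarely hand-written site files.
HEX_NAME = re.compile(r"^[0-9a-f]{32}\.php$", re.I)


def triage(site_root, clean_root, markers=MARKERS):
    """Compare a downloaded site copy against a known-clean reference tree.

    Files are only read, never executed. Returns sorted relative paths:
      marker   - file contains one of the defacement strings
      extra    - file does not exist in the clean tree
      modified - file exists in both trees but the contents differ
      odd_name - file name matches the hex-name heuristic
    """
    site_root, clean_root = Path(site_root), Path(clean_root)
    report = {"marker": [], "extra": [], "modified": [], "odd_name": []}
    for path in sorted(p for p in site_root.rglob("*") if p.is_file()):
        rel = path.relative_to(site_root)
        data = path.read_bytes()
        lowered = data.lower()
        if any(m.lower() in lowered for m in markers):
            report["marker"].append(rel.as_posix())
        ref = clean_root / rel
        if not ref.is_file():
            report["extra"].append(rel.as_posix())
        elif hashlib.sha256(ref.read_bytes()).digest() != hashlib.sha256(data).digest():
            report["modified"].append(rel.as_posix())
        if HEX_NAME.match(path.name):
            report["odd_name"].append(rel.as_posix())
    return report


if __name__ == "__main__":
    import sys
    # Usage: python triage.py <downloaded-site-dir> <clean-reference-dir>
    for kind, files in triage(sys.argv[1], sys.argv[2]).items():
        for name in files:
            print(f"{kind:9} {name}")
```

Themes, plugins and uploads will be listed as `extra` unless the reference tree contains the same ones, so that list is a starting point for review rather than a delete list. Content injected into the database is not visible to a file comparison.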
 