Jorge & Esmi,
THANKS! I asked my husband (who works for Jive Software, although he doesn’t know WordPress that well) for a bit of help. According to him, here’s how he fixed the problem…
The text you pasted above was not found in footer.php. However, there was PHP code in the footer:
```
<div class="clear"></div>
<?php $_c='#888'; $f = dirname(__FILE__) . "/footer_top.php"; if(file_exists($f) && is_readable($f)) require_once($f); ?>
</div>
</div>
<?php wp_footer(); ?>
</body>
</html>
```
This looked suspicious, so we checked out the file. (We pasted the file’s contents below in case you are curious.) By removing the PHP code in the footer, and removing the file, the footer was cleaned up.
Although he’s got the general gist of how this was hacked, would you be able to provide more detail on how the PHP code was actually inserted and if we should be looking for more script files to clean up?
Also, we changed all the passwords for all the admins & editors, and deleted all the spam users (there were over 15,000!). We are now working through the instructions in the links provided to try and secure the site.
We would not have been able to fix this without your help!
THANK YOU!!
~~~~~
Here’s the footer_top.php file with. (We added the space b/t the ? and the php):
[Moderator note: That code has been redacted, please don’t post hack code in these forums. Instead use Pastebin. Also note that code should be posted here with backticks wrapped around them and not apostrophes]
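One way to check the rest of a theme for the same loader shape as the footer code quoted in the post above, offered as an added example that is not part of the original post or of WordPress itself. The names `find_loaders` and `demo` are hypothetical, the sample theme is constructed (the redacted file is replaced by a placeholder), and the regex is a heuristic for this one pattern only.

```python
import re
import tempfile
from pathlib import Path

# A variable assigned a sibling .php path built from dirname(__FILE__) or __DIR__.
PATH_ASSIGN = re.compile(
    r"""\$(\w+)\s*=\s*(?:dirname\s*\(\s*__FILE__\s*\)|__DIR__)\s*\.\s*["']/?([^"']+\.php)["']"""
)

def find_loaders(theme_dir):
    """Return (template, line_no, included_file, exists_on_disk) per loader line."""
    hits = []
    for tpl in sorted(Path(theme_dir).rglob("*.php")):
        lines = tpl.read_text(errors="replace").splitlines()
        for line_no, line in enumerate(lines, 1):
            for m in PATH_ASSIGN.finditer(line):
                var, rel = m.group(1), m.group(2)
                # Same variable handed to require/include on the same line.
                use = r"\b(?:require|include)(?:_once)?\s*\(?\s*\$" + re.escape(var) + r"\b"
                if re.search(use, line):
                    exists = (tpl.parent / rel).is_file()
                    hits.append((tpl.name, line_no, rel, exists))
    return hits

def demo():
    """Scan a constructed theme: the post's footer loader plus a clean template."""
    footer = (
        '<div class="clear"></div>\n'
        "<?php $_c='#888'; $f = dirname(__FILE__) . \"/footer_top.php\"; "
        "if(file_exists($f) && is_readable($f)) require_once($f); ?>\n"
        "<?php wp_footer(); ?>\n"
    )
    with tempfile.TemporaryDirectory() as d:
        theme = Path(d)
        (theme / "footer.php").write_text(footer)
        (theme / "footer_top.php").write_text("<?php /* placeholder, contents redacted */ ?>\n")
        (theme / "header.php").write_text("<?php wp_head(); ?>\n")
        return find_loaders(theme)

if __name__ == "__main__":
    for name, line_no, rel, exists in demo():
        print(f"{name}:{line_no} includes {rel} (present on disk: {exists})")
```

A hit whose included file is still present on disk means both the template line and that file need review; a hit with the file missing means a leftover loader line remains in the template.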