Hacked – URL Injection

  • First of all let me tell you about my web site rubyslippersbcn.com. I keep the WP version always updated within a few days to latest version.
    So now i have 3.51 with Atahualpa theme latest version.
    A couple of days ago I noticed some text flashed for a few seconds before my site loaded. Right click; view source and i found this:

    <div id="viru39sesl" style="visi
...

    [code moderated - please do not post this kind of code in the forum]

    So I started looking around for this and came to the conclusion that i was hacked, backdoored and URL injected. backed up my local copy and put it in a usb stick, deleted everything and downloaded the online version to search for strings like:
    eval(
    base64_decode

    also stuff like:

    visibility: hidden;

    This rendered useless as i could not find a hint of what was happening or where or even what to look for.
    Finally i decided to erase all non essential plugins, which didnt work.
    I changed all my passwords, including DB, users, etc, which didnt fix it either.
    Lastly i decided to overwrite my Theme with a freshly downloaded version from www.remarpro.com
    Done! no more viagra links on my website.

    So finally i could not find the backdoor, or what had happened and how. All i know it was hidden somewhere in the theme folder. Anyone? any clue? Also I am hosted at goDaddy and it seems that some people with shared hosting had same problems.

    In any case, i always keep a backup and DB backup, I fixed it after 10hs of trying stuff, 2 more hours and i would have done complete rollback.

Viewing 6 replies - 1 through 6 (of 6 total)
Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Hacked – URL Injection’ is closed to new replies.