Possible hacker intrusion on my site

the javascript loads this page:

https://211.152.51.87/beian.htm

Speak Chinese? I dont.

You havent provided enough info for anyone to “help” you beyond that. In other words, if someone tried to use an include to load that, etc..

so thats that, there you go.

what version of wordpress are you using?

I tried searching this “https://218.5.77.71/beian.js” in google. It is definitely dangerous.

I think you may have to clean install your wordpress.

You can safely back up your post, pages and comments. Those are harmless.

Once you get the xml backup file, search for “https://218.5.77.71/beian.js”

Jessica

I’m using the latest 2.2.1, I was thinking on moving to PHP5 should I take this opportunity and do the move on a clean install?

Whooami

What else would you need to help?

MeneL001, BEFORE you start freaking out and taking advice from ppl, especially ppl that have NO post history, you need to determine WHY the link showed up in your stats.

To do so, you need to NOT rely on some third party stats site, and instead, look at your server logs. If you have cpanal available theyre accessible from there.

Its possible, and very likely that it was a simple attempt at an include attack — and thats NOT necessarily something that requires you to reinstall, backup, yadda yadda yadda.

In other words, calm down. Get your server logs. and if you need help figuring them out – send them to me @ whoo AT ( YOU NEED TO REMOVE THIS ) village-idiot.org

Folk really should not turn up here out of left field proposing a reinstall and all sorts of frightening stuff when they haven’t got a clue what they are doing. Good catch – whooami. ??

Thanks to all of you, I will check my logs now and report in about 2 hours.

Thanks again.

Luis

root,

it amazes me ??

https://www.google.com/search?hl=en&q=http%3A%2F%2F218.5.77.71%2Fbeian.js&btnG=Google+Search

do YOU see anything there? I dont either, so how it’s determined to be malicious via THAT google lookup is beyond me..

Granted, IF it was an attempted include, thats not a good thing by any stretch of the imagination.

And it may very well be malicious ..

But.. really.

My guess is that that javascript is probably meant to be some kind of advert. After all, it is designed to open a new browser window, which itself links to a load of other places (none of which I could open at this time, just dead links.)

Possibly mallicious, but not particuarly harmful in and of itself, unless there is more to it.

Not malicious? If this same dope broke into your house and only stood in the foyer singing show tunes that would be ok? No sir, not invited so is malicious no matter what they appear to be doing.

IcelandDream,

Get a little perspective. On the surface, neither the js OR the page it opens is malicious.

Futhermore, we dont even know the context in which it showed up in this individuals logs. It may have simply been a referer, in which case, it nothing more than spam.

Your metaphor regarding someone breaking into your house is way off base, since so far, there is no evidence of any break in.

Furthermore, NO-ONE said it was NOT malicious, until me just NOW – and it isnt. Whats been recommended is looking at the Apache logs. The best advice was already given – so there’s no sense in flaming an uneeded fire.

Ok guys, where exactly do I find the logs?

My hosting company is GoDaddy.

MeneL001,

Do you have cpanel available? I will give you instructions if you do.

Sorry, I dont know what cpanel is. Just let me know what to do.