Site Hacked AGAIN!

Well if you are using the 2.0 wordpress version, probably the problem is that. You should upgrade to a newer version.

claud925: look at the page source; she’s running 2.9

pinkgarden: are you sure that javascript isn’t in the footer of your theme? Is that a paid-for theme? The license in the style sheet says it can’t be used other than on your domain.

The parse error is a different animal, probably a damaged file.

If it is a hack, it may be coming through shared hosting. Talk to your web host.

Yep, using 2.9 the very latest (at this present moment in time) release.

100% positive that the Javascript isn’t in my theme as I created it myself, it’s not a paid for theme.

The files are not damaged. As I metioned above, everything was from a fresh install. The only time they get corrupted is when the hacker attacks.

I will try contacting my host as it is shared hosting but only I have access to my account.

You will only have access to your account, but scripting attacks can cross accounts. Might consider changing hosts.

I’ve been with them for around 6 months, so it’s a relatively new account that I’m all paid up for until the next 2-3 years (meaning I don’t want to have to pay out for a new host, he he!). But it’s also an old enough account to know that everything has been running with out any problems until now. I will contact them though, to see if anyone else has reported attacks on their hosting.

I have a feeling it’s a plugin that I have recently installed as my problems seemed to start at around the same time as installing it. If I look at my error log, this is the only plugin that is trying to modify stuff right before the site gets hacked.

Having had a good read around the forum posts I can see there are many many people reporting this very same problem. I very much doubt we are all using the same, dodgy/vunerable plugin so does this not indicate that there is indeed a security hole in the main WordPress script?

I have emailed the creators about it but have yet to hear anything back (it was only yesterday that I emailed them)

I have just visited my site again this morning and low and behold, it has the same error:

Parse error: syntax error, unexpected ‘<‘ in /home/pinkgar1/public_html/wp-includes/default-filters.php on line 229

I really would like to know what, if anything, is being done about this major problem? Do I now need to find another platform to run my site from? I love WordPress, this would make me quite sad… (sad, I know!)

pinkgarden, sometimes a virus or trojan can stay hidden from antivirus apps. Try more than one app and if they all say your pc is clean I would look at vulnerability through your ftp or through your shared host as others have suggested.

Also, if you have a clean backup of your WP installation, replace the entire wp-includes folder with the clean wp-includes folder. Then search every single folder on your server for a php shell script. It will have a name that you do not recognize. You can look at the dates of every file to see which file was altered last.

Is there a app /plugin to email you as soon as a file has been added/change/deleted on your server?
Which host are you using BTW.

Is there a app /plugin to email you as soon as a file has been added/change/deleted on your server?

That’s a good idea Matt Walters’s WordPress File Monitor plugin may help identify when something is getting changed.

Hmm I am a victim of this also.

So far here are the files I have found the entries
default-embeds.php
default-filters.php
default-widgets.php

all index.php files

I’m still trying to find where the script is located, in the source code, it is before the topmost -html- tag.

I have had this problem on my blog as well. I took some time to search every file in my wordpress installation.

This script is always appended at the bottom of the file, so it isn’t so hard to find.

Places where I found this script:

index.php
wp-admin/index.php
wp-admin/index-extra.php

wp-content/plugins/commentluv/commentluv.js
wp-content/plugins/commentluv/hoverIntent.js

wp-content/plugins/contact-form-7/admin/wpcf7-admin.js
wp-content/plugins/contact-form-7/contact-form-7.js

wp-content/plugins/index.php

At this point, I realized that all of my plugins were infected, and so I just deleted and replaced them.

Replace all plugins – .js files are infected

wp-admin/js folder – almost every file

wp-content/index.php
wp-content/themes/index.php

any .js files in your themes
any index.php files in your themes

I got tired of looking when I got to the last folder, wp-includes/js. However, the codepress folder had this script everywhere. I replaced the entire wp-includes directory.

It does not affect CSS files.

I’m not sure what it has to do with default-widgets.php and default-filters.php, but I replaced them just to be safe. Before I did this combing through, I found that just replacing these files would bring my blog back. However, the problem persisted. It appears that some sort of trigger happens which causes the error mentioned in the OP’s post, usually around 12 or 1 am EST.

It looks like it has infected both my public_html and my www directories. I am going to search through www now, then wipe the directories and reupload the clean ones, and change my database/login passwords.

edit1: I discovered that my hosting’s cPanel comes with a virus scanner by ClamAV. I tried it and it didn’t find anything.

If you are using shared hosting, then it is extremely likely that being hacked is not a WordPress problem.

Shared hosts, if configured badly, are highly vulnerable to hacking from other accounts on the same server. This is possible because the default configuration is not secure in many cases (if you install Apache + mod_php, then you’re instantly insecure for a shared hosting scenario).

It works like this:
1. Hacker finds a site that has a vulnerability and exploits it.
2. Now hacker has the ability to put code on somebody’s website and run it.
3. Hacker puts a small, simple piece of code on the site. This code searches the whole server, even other people’s accounts, and looks for PHP files.
4. When it finds one that it can access, it inserts its own malicious code into that file.
5. Voila, you’re hacked, and WordPress never got breached.

If you have a website that is frequently getting hacked in the same manner, then this is very likely your problem.

Possible solutions:

1. Make every file and directory you have on there non-writable. chmod 644 all the files and chmod 755 all the directories.

2. Ask your host to secure your server (good luck with that, however if they ask how, tell them to start by using “mod_suphp”).

3. Switch hosts. If you have prepaid long term, then demand a refund as they cannot secure their servers correctly. You’re paying them, this is their problem, and they should be fixing it.

That’s about the best there is for it, really. WordPress 2.9 has no known security holes as of right now. So the odds of you getting breached that way are pretty slim. If you’re on shared hosting, then a cross-account hack is far more likely. Especially when the hack breaks your site in the process. Think about it, if somebody hacked their way into you specifically, then why would they leave your website in a broken state? An automated script trying to auto-hack your site isn’t smart enough to know when it has obviously broken things.

Otto42,

Thanks for the heads up. I am contacting my host and I’ll update this thread with how it goes.

Hi everyone, please check my article about this virus at https://justcoded.com/article/gumblar-family-virus-removal-tool/ . It could be helpful and it contains a script for automatical cleaning up the site.

After some research, i can confirm that it is definitely a form of the Gumblar virus. I cleaned my computer and used this cleaner for my blog, and things are working fine now. https://seoforums.org/site-optimization/118-script-gnu-gpl-try-window-onload-function-var.html