Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)
  • I should clarify (sorry) that the block of javascript you are removing is the injected code. It is fairly obvious, but for the novice admin, it looks something like “<script type="text/javascript">var PwJmWsRp7=” followed by a bunch of garbage strings.

    Hey guys,

    We encountered a similar problem on Dreamhost sites last night (Google immediately blacklisted one of them). While it is not the exact URL, the cleanup process may be the same (we think it is more like the JS222 referenced above).

    The symptom for this one is the same – the site will attempt to redirect you to their page. From the admin, this is particularly annoying on the dashboard page, but if you can get to any other link, such as Settings, it will not happen. The script also seems to try executing a download of the php file in the URL you are at.

    cleanup:
    1. Delete all theme folders and plugins you are not using. Several files in each theme were affected.
    2. Change your database password.
    3. Update your config.php and re-upload. Change the permissions to 600 (right-click in your FTP client and choose Permissions).
    4. Edit your theme’s index.php file to remove the massive block of javascript at the end.
    5. Check every other theme folder for an index.php with a last modified date more recent than you recall updating your theme (for us it was 8/18). This will probably be an index.php file in every folder. Delete them.
    6. Manually upload the WordPress 3.0.1 update downloaded from this website (do not download from your host or use your host’s auto-update as that may be part of the problem)
    7. In your WordPress install, allow it to update your database tables if prompted.
    8. Review your plugins. The only ones that should be installed are those verified by www.remarpro.com.
    9. Disable any re-direct plugins for now.
    10. Create a new admin that does NOT use the ‘admin’ username and then disable the admin user (set the role to none)
    11. Install Secure WordPress and Bulletproof Security plugins.
    12. Finally, go to https://scan.sucuri.net/ and click on Scanner, then enter your URL to scan it for any remaining issues. If the blacklist page shows you as clean by all the partner sites, you are good to go for now.
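
Steps 4 and 5 of the cleanup above can be checked with a script instead of by eye. This is an added example, not part of the original post: it walks a themes directory and reports every index.php that was modified on or after a cutoff date or that ends with the kind of script block the post describes. The regex, the cutoff year, and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# Heuristic for the block described in the post: an inline script that starts by
# assigning a string to a random-looking variable. Assumed pattern, not a signature.
INJECTED = re.compile(rb'<script type=["\']text/javascript["\']>\s*var\s+\w+\s*=', re.I)

def scan_themes(themes_dir, cutoff, tail_bytes=65536):
    """Return sorted (relative_path, modified_since_cutoff, has_script_block) tuples."""
    findings = []
    for root, _dirs, files in os.walk(themes_dir):
        if "index.php" not in files:
            continue
        path = os.path.join(root, "index.php")
        info = os.stat(path)
        recent = info.st_mtime >= cutoff.timestamp()
        with open(path, "rb") as fh:  # the post says the block sits at the end
            fh.seek(max(0, info.st_size - tail_bytes))
            injected = bool(INJECTED.search(fh.read()))
        if recent or injected:
            rel = os.path.relpath(path, themes_dir).replace(os.sep, "/")
            findings.append((rel, recent, injected))
    return sorted(findings)

def demo():
    """Build a constructed theme tree in a temp dir and scan it."""
    cutoff = datetime(2010, 8, 18)  # constructed; use your own last-known-good date
    block = b'<script type="text/javascript">var PwJmWsRp7="CONSTRUCTED";</script>'
    samples = {  # constructed files: path -> (content, days relative to cutoff)
        "clean/index.php": (b"<?php get_header(); ?>\n", -30),
        "used/index.php": (b"<?php get_header(); ?>\n" + block, 1),
        "used/images/index.php": (b"<?php /* constructed stand-in */ ?>", 1),
        "old/index.php": (b"<?php get_footer(); ?>\n" + block, -30),
    }
    with tempfile.TemporaryDirectory() as themes:
        for rel, (content, days) in samples.items():
            path = os.path.join(themes, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
            stamp = (cutoff + timedelta(days=days)).timestamp()
            os.utime(path, (stamp, stamp))  # set the modification time
        return scan_themes(themes, cutoff)

if __name__ == "__main__":
    for rel, recent, injected in demo():
        print(f"{rel}: modified_since_cutoff={recent} script_block={injected}")
```

The `old/index.php` sample carries the block with an old timestamp, which is why the scan checks content as well as the modification date.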
