Forum Replies Created

Viewing 12 replies - 1 through 12 (of 12 total)
  • Thread Starter BillTheLizard

    (@billthelizard)

    in this case it was, but given the seemingly relative ease with which hackers gain root access on shared servers, i find this a little scary.

    anyway, as i mentioned in my other thread, i don’t normally do much with wordpress other than help modify page templates, and other small display issues. i’m going to recommend to the owner of this site that they get help from someone who has wordpress and wp security as one of their main areas of expertise.

    tx for the info.

    Thread Starter BillTheLizard

    (@billthelizard)

    tx for the links. in reality, i’m more of a local guy. i take care of people’s pcs and small home & business networks. the owner asked me originally to help with getting their wordpress contact form email running again, but i think i am going to turn this over to someone who has more expertise in wordpress.

    tx again.

    Thread Starter BillTheLizard

    (@billthelizard)

    are you saying that if i am an admin on a web server, then i can get into wordpress admin accounts on any wordpress installation running on that machine? or, at least, i can get far enough to change the password for a wordpress admin account?

    Thread Starter BillTheLizard

    (@billthelizard)

    i don’t quite understand. i know godaddy has access to the server, but if having access to a web server gives someone the ability to log into the wordpress admin account backend without credentials, then anybody who hacks a shared server could get at any wordpress installs on that machine. how can that be acceptable?

    Thread Starter BillTheLizard

    (@billthelizard)

    tx for the info. i’ll leave it then (that is clean it up first according to codex and then see what security plugins add). it’s just that i’ve seen several other hacked sites where hackers managed to compromise .htaccess, at which point it didn’t provide any protection.

    Thread Starter BillTheLizard

    (@billthelizard)

    tx for the info. but yes the post_content was partially deleted in about 2/3 of the rows.

    database restore isn’t going to happen, because the designers don’t care, and i don’t feel like correcting it to the new server config afterwards; too many other little details that got changed during the move.

    repaired them by restoring a good backup to my local server and running wordpress there, opening both admin panels (live and local) and cutting/pasting from one to the other.

    argh!!! it’s bad enough when i have to clean up my own mistakes. and not a junior programmer anywhere in sight.

    Thread Starter BillTheLizard

    (@billthelizard)

    tx. already tried ff’s built-in inspector, firebug on ff, and chrome’s built-in inspector. none of them show any differences in the css for the first and following menu display lines, even when i add the extra letter that makes the first link text move to the left.
    btw, i wasn’t looking at the code when i wrote the op; there is one more css element, but same question since all the lines of code should have the same css.

    #pm_ul{some css}
    #pm_li{more css}
    #pm_li a{even more css}

    all the anchors’ display text should display the same.

    Thread Starter BillTheLizard

    (@billthelizard)

    tx for everybody’s help here. i’m closing this question as solved because for the moment, it is.

    Thread Starter BillTheLizard

    (@billthelizard)

    reading it now.

    Thread Starter BillTheLizard

    (@billthelizard)

    Have you checked the rest of the site for back doors?

    changed passwords for wp (there is only one admin and no users or other wp logins) and ftp. will be redoing wp auth keys and changing db password, etc. i’ve looked by hand at some of the code for other stuff. ran sucuri and exploit scanner plugins (tried to run looksee, but it goes into a loop when it tries to reload the page when the scan is done). any other plugins or utilities you could recommend to find backdoors?

    i don’t really want to rebuild / restore the site because i’m not sure there are valid backups (i’m just picking up after the last webmaster), and this site is under redesign and will be moved to a new host (can’t be too soon imo).

    Thread Starter BillTheLizard

    (@billthelizard)

    ok, found the script. it had been inserted at the top of functions.php in the thesis17 directory.

    new questions are:

    where is the best place to report the 2 domains that supply updates to the script? as far as i can tell they are sitting on a server in europe (ip info from ripe’s database).

    are there any good plugins for locating obfuscated code? most obfuscation i’ve seen results in a big blob of ‘garbage’ (tho’ i’ve used the extracted code block to unobfuscate itself).

    Thread Starter BillTheLizard

    (@billthelizard)

    @wpyogi – i will run thru these. but i am wondering if it’s possible to insert this code by some process – outside of wordpress – running on the server. this site is on a shared host from a godaddy reseller. beginning of the year, at&t blocked the entire ip address because of malware – sites on the shared server would load thru timewarner, verizon, etc., but not if the isp was at&t. support from godaddy was less than helpful in resolving the block (or even admitting their server ‘might’ have been hacked).

    @shamratdewan – already searched for this stuff, but didn’t find – it’s too easy to obfuscate code. also, no wp code or plugins that weren’t downloaded directly from wordpress.
