Forum Replies Created

Viewing 15 replies - 16 through 30 (of 39 total)
  • First thing you need to do is FTP into your hosting account, check your main index.php, at the top will be a line of code that looks like

    <?php base64....

    Remove that. Also check the index.php and header.php of each of your theme directories, it’s probably in there as well.

    Once you’ve cleaned it out, you need to locate the backdoor that allowed them to inject the code in your site, usually they hide this somewhere in your images, uploads or plugins directory. You also will need to upgrade wordpress to the latest version if you haven’t already and change all your passwords.

    First, you may want to look at your wp-config file on line 46:

    Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/u875828115/public_html/wp-config.php on line 46

    That is what is causing the error. It may be due to a potential attack, or it could just be a simple error.

    Looks like you have a conditional redirect going on in your site. It tries to redirect to installmentultraddev.ru. You need to use either FTP or SSH to get to the files on your server and take a look at your .htaccess file; it appears that it may be compromised.

    The code is still being injected in your site, there is an iframe within this div tag: <div class="z9dxj7s7wd">….</div>

    Since you aren’t able to locate the backdoor, have you considered completely wiping your server and installing a new clean wordpress install? In a case like this where you aren’t able to locate the problem, that would be your best solution.

    I would recommend wiping the file, then setting the permissions to 444 so that it’s read only until you can locate what is allowing attackers to modify the file.

    I had a client with the same issue, this is what I did for a temporary workaround (I don’t really recommend this but if you have to, you have to). It doesn’t appear that the ovid theme has an update that’s compatible with 3.4.1, so in the wp-admin directory, in the “media-upload.php” file, locate the following lines (65,66) and comment them out like below:

    //if ( isset( $_REQUEST['post_id'] ) )
    // wp_die( __( 'Cheatin’ uh?' ) );

    Once I did that, his gallery started working again. Note, this is a wordpress file and if you modify it and upgrade, your changes will be lost.

    You're going to have to have FTP or SSH access to the site in order to fix the issue. Below are some steps you can take:

    1) First, do you have a “clean” back-up of your site, if so, just restore it from that.

    2) If #1 doesn’t apply, do the following, check all .htaccess files, index.php files and any include files or theme files you may be using.
    3) Also, check above your web directory (usually above public_html, httpdocs, html, etc) for an .htaccess file that will override anything in your web directory.

    4) Remove any code that you find in your “legitimate” files that matches any of the following (Note – this isn’t an exhaustive list, it’s the most common issues I’ve seen):
    a. “eval(base64_decode(…..”
    b. “edoced_46esab…”
    c. “getMama…”
    d. “115,99,114,105,112,116….”
    e. “document.write(‘<iframe…..”

    5) Look for any php files in any image, css, upload, download, etc. directories that would not normally have a php file in them. Check the file contents for base64 strings and things that point to it being a php shell such as “FilesMan”, “c999sh”. If you find files like this, DELETE THEM.

    6) Once you’ve cleaned your site – UPGRADE it if you are not running the latest version to remove any possible publicly available vulnerabilities.

    7) Also I would recommend checking permissions; files should be at 644 and directories at 755 (this depends on your hosting company/server – this is the most common setting). Change your cPanel and FTP passwords.

    8) Once you have completed all those steps, go to https://www.google.com/webmasters and if you don’t already have an account create one (Obviously if you have one – skip this step).

    9) Once you’ve created your account, add your site, then on the left hand side, click on “Health”, “Malware”. If they have you flagged, and you have cleaned your site, submit it for re-evaluation. This usually will take between 48-72 hours before you are cleared.

    Hope this helps
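    The checks in steps 2 through 5 above (injected strings, PHP files in asset directories, .htaccess redirects), as an added example that is not part of the original reply and not anything the poster provided. It is a reader-side script that assumes a POSIX shell on the host reached over SSH; the sample site it builds, the file names and the redirect target example.invalid are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the forum post: a scanner for the injection
# indicators listed in the steps above (eval(base64_decode(, edoced_46esab,
# getMama, decimal char-code runs, document.write('<iframe, PHP shells such as
# FilesMan/c999sh in asset directories, conditional redirects in .htaccess).
# Assumes a POSIX sh with find, grep and mktemp, as on a typical Linux host
# reached over SSH.  The sample site built below is constructed for
# illustration; example.invalid is a placeholder domain.

# Build a throwaway webroot containing one clean file and several planted
# infections so the scanner can be exercised offline.  Prints its path.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/demo" "$root/wp-content/uploads/2012/07"
    # clean theme file: must produce no finding
    printf '<?php get_header(); ?>\n<p>hello</p>\n' > "$root/wp-content/themes/demo/index.php"
    # obfuscated loader prepended to the main index.php
    printf '<?php /**/ eval(base64_decode("aWYoMSl7fQ=="));?>\n<?php define("WP_USE_THEMES", true); require("./wp-blog-header.php"); ?>\n' > "$root/index.php"
    # reversed function name trick in header.php
    printf '<?php $f = strrev("edoced_46esab"); echo $f("aGk="); ?>\n' > "$root/wp-content/themes/demo/header.php"
    # script tag assembled from decimal char codes in footer.php
    printf '<script>document.write(String.fromCharCode(60,115,99,114,105,112,116,62));</script>\n' > "$root/wp-content/themes/demo/footer.php"
    # PHP shell hidden among uploaded images
    printf '<?php /* FilesMan */ if(isset($_POST["a"])) eval($_POST["a"]); ?>\n' > "$root/wp-content/uploads/2012/07/image.php"
    # conditional redirect: only visitors arriving from a search engine are sent away
    printf 'RewriteEngine On\nRewriteCond %%{HTTP_REFERER} google\nRewriteRule .* http://example.invalid/ [R,L]\n' > "$root/.htaccess"
    printf '%s\n' "$root"
}

# Scan a webroot and print one line per finding: "<indicator><TAB><path>".
scan_webroot() {
    webroot=$1
    # 1. Known injection strings (fixed-string match) and char-code runs.
    find "$webroot" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' -o -name '.htaccess' \) -print |
    while IFS= read -r f; do
        for ind in 'eval(base64_decode(' 'edoced_46esab' 'getMama' "document.write('<iframe" 'FilesMan' 'c999sh'; do
            if grep -qF -- "$ind" "$f"; then printf 'string:%s\t%s\n' "$ind" "$f"; fi
        done
        # six or more comma-separated decimal codes, e.g. 115,99,114,105,112,116 ("script")
        if grep -qE '([0-9]{2,3},){5,}[0-9]{2,3}' "$f"; then printf 'charcodes\t%s\n' "$f"; fi
    done
    # 2. PHP files where only static assets belong.
    find "$webroot" -type f \( -path '*/uploads/*' -o -path '*/images/*' -o -path '*/css/*' \) \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) -print |
    while IFS= read -r f; do printf 'php-in-asset-dir\t%s\n' "$f"; done
    # 3. .htaccess conditional redirects: a RewriteCond on referer or user agent
    #    combined with a RewriteRule that sends the visitor to an absolute URL.
    find "$webroot" -name '.htaccess' -print |
    while IFS= read -r f; do
        if grep -qiE 'RewriteCond[[:space:]]+%\{HTTP_(REFERER|USER_AGENT)\}' "$f" &&
           grep -qiE 'RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+https?://' "$f"; then
            printf 'htaccess-redirect\t%s\n' "$f"
        fi
    done
}

# Usage: sh scan.sh /home/user/public_html   (scan.sh is a hypothetical name)
# Without an argument the scanner runs against the constructed sample site.
if [ $# -gt 0 ]; then
    scan_webroot "$1"
else
    demo=$(make_sample_site)
    scan_webroot "$demo"
    rm -rf "$demo"
fi
```

    Run it from above the web directory so the parent .htaccess mentioned in step 3 is covered, and treat every line as a lead to read by hand: the fixed strings are the ones the reply lists, so a loader that uses different names will not show up, and a legitimate theme can contain a base64 string. The char-code and .htaccess checks are pattern matches, not proof of compromise.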

    It could be one of the following:

    1) You have a backdoor that was installed by an attacker on your site that will allow them to modify the file at anytime. Usually a PHP shell script. Sucuri does not locate these.

    2) Your FTP account(s) have been compromised. Change all passwords to all FTP accounts and your cpanel account. Sucuri can’t detect this.

    3) No file? Still problem after you change passwords? Talk to your hosting company – they have a server wide issue.

    This hack easily bypasses any type of automated system because they typically look for encoded strings, and this isn’t.

    That’s because the permissions on it are probably set to read-only so you can’t just delete it. Try resetting the permissions to read/write (644 typically) through your FTP client (if it will allow it) then try deleting the file again.

    You need to remove all the “/**/ eval(base64_decode(etc.” code from your pages, this is malicious. Just be careful that you don’t accidentally remove something you shouldn’t, sometimes they mix it in with your code just to make it difficult to remove.

    You also need to look for any php files in any image, css, upload, download, etc. directories that would not normally have a php file in them. Check the file contents for base64 strings and things that point to it being a php shell such as “FilesMan”, “c999sh”. If you find files like this, DELETE THEM.

    Forum: Fixing WordPress
    In reply to: Malware Removal

    1) First, do you have a “clean” back-up of your site, if so, just restore it from that.

    2) If #1 doesn’t apply, do the following, check all .htaccess files, index.php files and any include files or theme files you may be using.

    3) Remove any code that you find in your “legitimate” files that matches any of the following (Note – this isn’t an exhaustive list, it’s the most common issues I’ve seen):
    a. “eval(base64_decode(…..”
    b. “edoced_46esab…”
    c. “getMama…”
    d. “115,99,114,105,112,116….”
    e. “document.write(‘<iframe…..”

    4) Look for any php files in any image, css, upload, download, etc. directories that would not normally have a php file in them. Check the file contents for base64 strings and things that point to it being a php shell such as “FilesMan”, “c999sh”. If you find files like this, DELETE THEM.

    5) Once you’ve cleaned your site – UPGRADE it if you are not running the latest version to remove any possible publicly available vulnerabilities.

    6) Also I would recommend checking permissions; files should be at 644 and directories at 755 (this depends on your hosting company/server – this is the most common setting).

    7) Once you have completed all those steps, go to https://www.google.com/webmasters and if you don’t already have an account create one (Obviously if you have one – skip this step).

    8) Once you’ve created your account, add your site, then on the left hand side, click on “Health”, “Malware”. If they have you flagged, and you have cleaned your site, submit it for re-evaluation. This usually will take between 48-72 hours before you are cleared.

    Hope this helps!

    1) First, do you have a “clean” back-up of your site, if so, just restore it from that.

    2) If #1 doesn’t apply, do the following, check all .htaccess files, index.php files and any include files or theme files you may be using.
    3) Remove any code that you find in your “legitimate” files that matches any of the following (Note – this isn’t an exhaustive list, it’s the most common issues I’ve seen):
    a. “eval(base64_decode(…..”
    b. “edoced_46esab…”
    c. “getMama…”
    d. “115,99,114,105,112,116….”
    e. “document.write(‘<iframe…..”

    4) Look for any php files in any image, css, upload, download, etc. directories that would not normally have a php file in them. Check the file contents for base64 strings and things that point to it being a php shell such as “FilesMan”, “c999sh”. If you find files like this, DELETE THEM.

    5) Once you’ve cleaned your site – UPGRADE it if you are not running the latest version to remove any possible publicly available vulnerabilities.

    Hope this helps

    Forum: Fixing WordPress
    In reply to: Lost Homepage Menu

    @esmi – sorry I was just responding to his questions. Didn’t mean to overstep any boundaries.

    Forum: Fixing WordPress
    In reply to: Lost Homepage Menu

    Krishna – YOU can check any base64 code you find yourself before posting on the forums that it’s “malicious”. It is used regularly to hide malicious code but it DOES serve other purposes, such as in her case where it’s being used to compress images to make the site load faster.

    I don’t recommend it being used, but some developers like to hide their code, which is fine, but don’t automatically scream malicious code. Check it out yourself first, there are plenty of tools to do that and you can do it yourself with php if you know what you’re doing. Most of these people don’t even understand what you are saying so all you do is cause confusion and panic.

    She was having a problem locating where to set-up her menu, not any issues with security, viruses or malware.

    Forum: Fixing WordPress
    In reply to: Lost Homepage Menu

    That is totally legit. Her site is fine. You really need to be careful about what you say is “malicious”. If you don’t know what it is you’re looking at you’re better off not saying anything rather than upsetting and scaring people.
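    One way to check a base64 blob yourself before calling it malicious, as the two replies above recommend, added here as an example that is not part of the original posts. It decodes the data for inspection only and never hands it to php or eval; it assumes a POSIX shell with the base64 and od utilities, and the inline PNG fragment and the two-layer loader it tests against are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the forum post: inspect base64 blobs found in a
# page without ever executing them, so an inline data: image can be told apart
# from an obfuscated PHP loader before anyone calls it malicious.  Assumes a
# POSIX sh with base64, od, grep and sed; the sample inputs are constructed
# for illustration.

# Decode a base64 string and say what it is, from the first four decoded
# bytes (file signature) and a few PHP markers.  Prints image, php-code or other.
classify_b64() {
    b64=$1
    magic=$(printf '%s' "$b64" | base64 -d 2>/dev/null | od -An -tx1 -N 4 | tr -d ' \n')
    case $magic in
        89504e47|47494638|ffd8ff*) printf 'image\n'; return 0 ;;   # PNG, GIF, JPEG
    esac
    text=$(printf '%s' "$b64" | base64 -d 2>/dev/null | tr -d '\000')
    case $text in
        *base64_decode*|*'eval('*|*'$_POST'*|*'$_GET'*|*'$_REQUEST'*|*'<?php'*) printf 'php-code\n' ;;
        *) printf 'other\n' ;;
    esac
}

# Peel nested base64_decode("...") layers out of PHP source, printing each
# decoded layer.  The decoded text is only printed, never passed to php.
peel_layers() {
    src=$1
    depth=0
    while :; do
        b64=$(printf '%s' "$src" | grep -oE "base64_decode\([\"']?[A-Za-z0-9+/=]+" | head -n 1 |
              sed -E "s/^base64_decode\([\"']?//")
        [ -n "$b64" ] || break
        depth=$((depth + 1))
        src=$(printf '%s' "$b64" | base64 -d 2>/dev/null | tr -d '\000')
        printf 'layer %d: %s\n' "$depth" "$src"
    done
}

# Constructed sample: a two-layer loader whose innermost payload is harmless.
sample_loader() {
    inner=$(printf "echo 'hello';" | base64 | tr -d '\n')
    outer=$(printf 'eval(base64_decode("%s"));' "$inner" | base64 | tr -d '\n')
    printf '<?php /**/ eval(base64_decode("%s")); ?>\n' "$outer"
}

# Constructed sample: the first 16 bytes of a PNG, as a data: URI would carry them.
sample_image_b64() {
    printf 'iVBORw0KGgoAAAANSUhEUg==\n'
}

# Demo: classify the inline image, then peel and print the loader's layers.
echo "inline image -> $(classify_b64 "$(sample_image_b64)")"
loader=$(sample_loader)
peel_layers "$loader"
```

    The signature check is what separates the legitimate case (an image embedded as base64) from the one the malware-removal steps describe; a decoded layer that is itself PHP calling base64_decode is the obfuscated-loader pattern, and peeling it shows what it would have run.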
