Nihad Nagi

Nice website.
OK, its getting narrower, one of the remaining possibilities are AJAX handlers, and their back door is “.htaccess” vulnerability, so to make a decision on this, refer to the code and rewrite rules below, IT SHOULD SOMEWHERE be in your .htacess file, if not then this is the back door and we will be checking all AJAX handlers.

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]

BEGIN WordPress

We need to do the following:

1-Could you please send me a link to any of your published posts with images.
2- There is a common plugin or theme ,we need to reach out for, so kindly, list your activated plugins list, and we will shorten the list to commonly used plugins, by cross-matching.

no i meant 4000 lines, check out if there is empty space (many lines)after it.

I am asking about the folder permissions for the following:

wp-includes
wp-includes/images
wp-includes/js
and all sub-directories

wp-content
wp-content/plugins

Additionally, confirm that you have timthumb.php.If you are not sure, go to any webpage with images being re-sized and so on, and view the page source is there ‘?timthumb.php’ somewhere in the image links, still if you are not sure about it, send me a link to any of your pages.

Please RS, if you have the defender logs, tell me what was the name of the first file changed.

Am extremely sorry for asking you this, but proper troubleshooting requires it, before making any decisions.Closing it will be beneficiary to all.
Regards.

Please can you tell me, whether the same file names are replicated everytime and tell me about your security permissions for wp-includes and wp-admin

Check out the wp-config.php file at the root installation of your wordpress, navigate to the end of the settings, check out the last line and see if there are many white lines afterward, if you did, then go and check the rest till the end, you will find some strange code being appended, and you will have around 4k lines in this file, check it out and get back to me.

Have you fixed it?, cause your website is working well

try using CFT “save” first prior to saving or updating the page

Everything is possible my friend, I don’t understand exactly what you mean, but if the case is that your are using two embedded shortcodes in your post, like [next[cft]] it will not, try using php function call to nextgen and call the cft shortcode afterward

If you are referring to the place, where you have placed your custom fields, then there are two possibilities:
1- the “Custom Fields Section” isn’t loaded, check for a section called “Custom Fields” that is minimized and often overlooked, and you will find an “initialize” button that you must click to initialize all your fields.
2- Custom Fields section is not checked to be shown, click the “Screen Options” on the top right of the screen and make sure “Custom Field Template” is checked.
Otherwise, explain briefly your problem

Hi Waretz, have you fixed the embedding issue or still need help.?

TO URBAN WHO LOST EVERYTHING & EVERYONE ELSE,DON’T WORRY,CALM DOWN.

Before helping you out, I have one question:

Did you access the phpmyadmin via your cpanel, if not, don’t you worry.

If anyone has the same problem as URBAN, my email is [email protected], i will stay online, cause this must be handled one by one, i will be happy to help anyone here, cause i know how it feels, when a blog is gone like dust in the wind.

SORRY FOR THE LINE,MY POST REPOSTED FOR ERIC & EVERYONE

I am truly happy it worked for you Eric, but let me note something about this issue for everyone, the question is how did anyone got access to any plug-in code in the first place?, and change any js libraries?, via this security hole!!!, whatever changes that might work today, they can manipulate them again tomorrow. R u ready for that?
This is specially for Eric, you are right about the update to take place, to do it INSTANTLY, you can either:
1)
search the help center for the term “malware” and choose the result named “Request a malware review of your site “, or follow this link directly:

https://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=163633

a pop-up window named “Request a malware review of your site” will appear, and you will find this text:

Once you’re sure your site is free from any infected code and content
, you can request a malware review. (CLICK ON THE LINK IN THE ABOVE TEXT IN A NEW TAB, and then click the second process), and then click on the link “reconsideration request”, and then recheck instantly you are done.

OR
2)resubmit the whole url (you have 10 re-submissions/month)

But the first will do, cause it did for me, and was all gone in seconds.

That will do Eric, glad it worked for you and everybody in this forum no matter what changes was done today, the hole via this config file will remain open, good-luck everyone. Thank you Eric.

I am truly happy it worked for you Eric, but let me note something about this issue, the question is how did anyone got access to any plug-in code in the first place?, and change any js libraries?, via this security hole!!!, whatever changes that might work today, they can manipulate This is specially for Eric, you are right about the update to take place, to do it INSTANTLY, you can either:
1)
search the help center for the term “malware” and choose the result named “Request a malware review of your site “, or follow this link directly:

https://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=163633

a pop-up window named “Request a malware review of your site” will appear, and you will find this text:

Once you’re sure your site is free from any infected code and content, you can request a malware review. (CLICK ON THE LINK IN THE ABOVE TEXT IN A NEW TAB, and then click the second process), and then click on the link “reconsideration request”, and then recheck instantly you are done.

OR
2)resubmit the whole url (you have 10 re-submissions/month)

But the first will do, cause it did for me, and was all gone in seconds.

That will do Eric, glad it worked for you and everybody in this forum no matter what changes was done today, the hole via this config file will remain open, good-luck everyone. Thank you Eric.

Whatever,BUT NOT AROUND 5000 lines of settings, you will still find a strange code injected after more than 3000 empty lines,right?,its not the time for nit-picking, i just hope you get the idea, and it will work, which is much better than seeing that most of the people here has lost the time, and, CONTENT, and it will re-happen,right?, and above all nothing was fixed, I just wrote and i hope it works for even one person in this forum, Thanks Everyone