Adam

Got some help and was able to identify the issue. The following code was inserted into several index and footer pages:

[Code moderated as per the Forum Rules. Please use the pastebin]

Once the code was stripped out, everything started working again ??

Strange, my issue doesn’t seem to be related to the timthumb.php vulnerability. I don’t have that plugin anywhere. I’ve cleaned out every unused file, theme, directory at this point as well. Not sure what else to be looking for.

I’m experiencing the same issue with several blogs. I have a few different sites running wordpress, they are all on the same hosting plan, each domain having a separate directory under the www directory on the server. There is an index.html file in the same www directory which was attacked with the same code listed above. As a result, every domain then suffered from the attack. I cut the code out of the index.html file, but I’m still experiencing a problem. Specifically, my RSS feed won’t display. When I run it through the validator, it reads “junk after document element” and then shows the code from above (which I cut out). I looked everywhere else on the server that I could think of, htacess, other index files, plugin folders, themes, but no luck. I’ve tried isolating things as much as I can. I’ve also restored most everything. My host migrated me to a new server. I created a new database. New database password, new ftp password, new cpanel password, new user passwords, new secret keys, new wordpress install, fresh theme install. I’m running out of options. Any advice would be most appreciated! Thanks!