I didn’t mention that I found it on header.php on my theme directory.
I also found this code in a client’s header page from a custom theme.
This is what I have found out about “nemonn”:
Just removing the obfuscated javascript from the header will not work permanently.
There will be an additional base64-coded file elsewhere (the backdoor), and possibly more than one. They seem to be located in the core wp-admin directory and are randomly named but seem to follow the update-randomname-randomname.php taxonomy.
Just updating / reinstalling WordPress from the admin won’t remove this file.
Additionally you should follow guidance given elsewhere for changing ALL passwords (FTP, database and WordPress admins) and follow instructions for Hardening WordPress.
I also just found this script in two WP installations that both used the same Template. The Header file in each was hacked with the nemonn code.
Now removed from the header. All passwords now changed and looking at Hardening.
I found a base64 code, under the name update-frazer-importance.php, under /wp-admin/includes
Antivirus detected the file as PHP/Kryptik.AB trojan.
I understand now the reason why I did not find it on Twenty-Eleven themes – since I updated those themes regularly, the infected header.php was probably replaced in the new version.
My sites were hacked again in the same way… Now a new form, with a changing class (not necessarily “nemonn”). Spammy code block now starts with:
<script language="JavaScript">function xtrackPageview
followed by regex and then a spammy link.
Again, only custom themes’ header.php was hacked, not TwentyEleven themes.
The first time after my sites were hacked I moved to a secure FTP connection. That wasn’t the reason apparently, now I am taking extra security measures. We’ll see.
Thank you for the links, didn’t know all of them.
Unfortunately I have no possibility of changing the theme. I have to keep trying, and eventually contact the theme creator, but this is only after I have checked my own server. Perhaps it is Godaddy shared hosting that is creating the vulnerability.
I am still curious how come only non-wp themes were hacked, though.
From what we have seen here, yes, GoDaddy servers have been hacked recently. You should check with them if you have further questions about your site. Those themes were likely not coded correctly or perhaps are using insecure plugins — which is why we recommend only using themes that meet WP standards and always update your WP, themes and plugins as soon as possible.
If it is, in fact, your theme that has a security issue, you might rethink using it:
http://www.chipbennett.net/2010/12/10/only-download-wordpress-themes-from-trusted-sources/
Same here. Using WP version 3.5.1 with a custom theme (from a trusted source) on Godaddy.
Installed Plugins include… (not saying any of these are at fault)
AdRotate
Akismet
Easy Contact
Hello Dolly
Jetpack by WordPress.com
W3 Total Cache
Widget Logic
WordPress Importer
WP-PageNavi
Yoast Breadcrumbs
Aside from the modified header.php file, the one suspicious file I found is named wp-comments-get.php in the base directory. It’s 871 bytes and has mostly lines of code that look like this…
[Spam code removed – please do not post that here]
To start with, I plan on cleaning the spammy stuff from the header.php file and deleting the file named wp-comments-get.php. Then, I suppose I’ll delete most of those plug-ins and keep a sharp eye out for any reoccurrences.
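The posts above describe the same cleanup by hand: look for a randomly named update-word-word.php in wp-admin, a base64-coded backdoor, an injected script in a custom theme's header.php, and a stray file such as wp-comments-get.php in the site root. Below is an added read-only scanner (example code written for this thread, not from WordPress, any plugin, or any poster) that checks a WordPress directory for exactly those artefacts. It assumes a WordPress 3.x root layout (the list of core root PHP files is my assumption), and it builds its own constructed sample site so it can be run offline; point scan() at a real install to use it. It deliberately ignores file modification times, since one poster noted the timestamp never changed when the code appeared.

```python
"""Added example: read-only scanner for the artefacts described in this thread.

Findings reported:
  * randomly named update-<word>-<word>.php files inside wp-admin/
  * PHP files containing an eval(base64_decode(...)) backdoor pattern
  * theme header.php / functions.php carrying an injected <script> block
    (the "nemonn" class or the later xtrackPageview variant)
  * PHP files in the site root that are not WordPress core
    (e.g. wp-comments-get.php, which mimics the real wp-comments-post.php)
Content is inspected, never mtime, because the posts note the timestamp
did not change after the injection.
"""
import os
import re
import tempfile

# Assumption: PHP files that legitimately live in a WordPress 3.x site root.
CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php",
    "wp-comments-post.php", "wp-config.php", "wp-config-sample.php",
    "wp-cron.php", "wp-links-opml.php", "wp-load.php", "wp-login.php",
    "wp-mail.php", "wp-settings.php", "wp-signup.php", "wp-trackback.php",
    "xmlrpc.php",
}

# update-<word>-<word>.php; the genuine update-core.php has only one dash-word.
DROPPER_NAME = re.compile(r"^update-[a-z]+-[a-z]+\.php$", re.I)
EVAL_B64 = re.compile(
    r"eval\s*\(\s*(?:gzinflate|str_rot13|gzuncompress)?\s*\(?\s*base64_decode\s*\(", re.I)
INJECTED_JS = re.compile(
    r'<script[^>]*>\s*function\s+xtrackPageview|class=["\']nemonn["\']', re.I)
THEME_TARGETS = {"header.php", "functions.php"}


def scan(wp_root):
    """Walk a WordPress install; return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, wp_root).replace(os.sep, "/")
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    body = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            in_root = "/" not in rel
            if in_root and name not in CORE_ROOT_PHP:
                findings.append((rel, "non-core PHP file in site root"))
            if rel.startswith("wp-admin/") and DROPPER_NAME.match(name):
                findings.append((rel, "randomly named update-*-*.php in wp-admin"))
            if EVAL_B64.search(body):
                findings.append((rel, "eval(base64_decode(...)) backdoor pattern"))
            if name in THEME_TARGETS and "/themes/" in rel and INJECTED_JS.search(body):
                findings.append((rel, "injected <script> block in theme file"))
    return sorted(findings)


def build_sample_site():
    """Create a constructed, inert WordPress-like tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "index.php": "<?php require('./wp-blog-header.php'); ?>",
        "wp-config.php": "<?php /* constructed placeholder config */ ?>",
        # Mimics a core name but is not core (compare wp-comments-post.php).
        "wp-comments-get.php": "<?php /* constructed placeholder, no payload */ ?>",
        # Randomly named dropper with the classic eval/base64 pattern ('aGVsbG8=' is 'hello').
        "wp-admin/includes/update-frazer-importance.php":
            "<?php eval(base64_decode('aGVsbG8=')); ?>",
        # Custom theme header carrying the injected script described in the thread.
        "wp-content/themes/custom/header.php":
            '<html><head>\n<script language="JavaScript">function xtrackPageview(){'
            '/* constructed placeholder */}</script>\n</head>',
        # Default theme header left untouched, as the posters observed.
        "wp-content/themes/twentyeleven/header.php":
            "<html><head><title>clean</title></head>",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel_path, reason in scan(build_sample_site()):
        print(f"{reason}: {rel_path}")
```

A hit on any of these checks is a reason to inspect the file by hand, not proof on its own; the non-core-root check in particular will flag legitimate files added by some hosts or plugins, so compare against a fresh WordPress download before deleting anything.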
I have several WP installs on my GoDaddy shared hosting that have been having this issue for a few months now. I am using themes that I generate with Artisteer.
Always in the theme header (or a similar hack always in the theme functions.php) file. Never in the twenty-whatever themes.
The really strange thing to me is that the header.php (or functions.php) file timestamp of when it was last changed doesn’t change… the hacked code just appears in the file… I don’t understand this.
Is this a GoDaddy issue? One of the plug-ins? Artisteer themes?
Thoughts?
Steve
@steveax: As per the Forum Welcome, please post your own topic. Posting in an existing topic prevents us from being able to track issues by topic. Added to which, your problem – despite any similarity in symptoms – is likely to be completely different.