Thanks. The malicious script is being added to the header.php template script used by WordPress. The injected script is visible immediately after the closing HEAD tag within affected sites.
More about this injected script can be found here.
I had the issue the other day as well. I followed all the steps that I could from the links I’ve seen and it looks like I have it cleaned up. Basically deleted all WordPress files and started anew.
Here is what I found: there was a modification to the header.php file. I don’t know what the mod was, because the very first thing I did was overwrite header.php with my last backup. That took care of the redirect, but I went ahead with the full site delete / rebuild. I was on 2.8.x and it was time to move to 2.9.1 anyway (which I tried a while back but failed because I had problems getting from MySQL 4.0 to 5.0 – another story…)
Anyway, after reinstalling I went through all my users and changed their passwords, as recommended by one of the sites. In doing so, I found that one of the users’ profile pages had script embedded in the email address field, and had administrator privileges. I noticed this as I was changing his password: when I went to save the profile, it errored on the email address, and again my antivirus software alerted to a threat.
So I deleted that user account, but now I’m wondering if there was anything left behind as a result of importing this hacked user account into my new platform (?)
Use the host’s phpMyAdmin to browse the wp_users table, looking for rogue admins and users.
http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
This is one of the other sites helping you deal with a hacked WP. As noted, I changed ALL user passwords – not sure exactly why it would be necessary for people who only have subscriber level access, but I didn’t want to take any chances. Besides, going through it led me to find the hacked user account with admin privileges.
I guess all the subscribers will come back to find that their password no longer works, and that they’ll need to ask WP for a new one?
Thanks to this piece:
http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/
I did some more digging for back doors, and ironically I found two of them in the only files I didn’t delete from the server when I rebuilt my blog – the uploads folder.
Searched uploads for any .php files first, and found both of them. Then I went through them on a file-by-file basis just to ensure that there are only JPEGs and GIFs. Looks like it’s clean.
Be sure to check your uploads folders!
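The two checks the thread describes (PHP files hiding in the uploads folder, and a script tag injected right after the closing head tag in the theme's header.php), written up as a shell script. This is an added example, not code from any poster; the WordPress root path is whatever you pass as the first argument, and the sample site it builds is constructed, with a placeholder hostname.

```shell
#!/bin/sh
# Added example (not from the thread): audit a WordPress install for the two
# indicators the posters describe. Usage: sh wp_audit.sh /path/to/wordpress

# 1. PHP-executable files under wp-content/uploads. Uploads should hold only
#    media, so every hit is worth opening (the thread found two backdoors here).
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) \
    2>/dev/null | sort
}

# 2. Theme header.php files with a <script> tag AFTER </head>, the position the
#    thread describes for the injected redirect. A <script> inside <head> is
#    normal and is not flagged.
find_script_after_head() {
  for f in "$1"/wp-content/themes/*/header.php; do
    [ -f "$f" ] || continue
    awk '
      { low = tolower($0) }
      index(low, "</head>") {
        seen = 1
        if (index(substr(low, index(low, "</head>") + 7), "<script")) found = 1
        next
      }
      seen && index(low, "<script") { found = 1 }
      END { exit found ? 0 : 1 }
    ' "$f" && echo "$f"
  done
  return 0
}

# Constructed sample site for demonstrating both checks (not real data).
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2010/01" "$d/wp-content/themes/clean" \
           "$d/wp-content/themes/infected"
  : > "$d/wp-content/uploads/2010/01/photo.jpg"                # legitimate upload
  echo '<?php /* stand-in for a dropped backdoor */ ?>' \
    > "$d/wp-content/uploads/2010/01/image.php"                # should be flagged
  printf '<html><head>\n<script src="/wp-includes/js/x.js"></script>\n</head>\n<body>\n' \
    > "$d/wp-content/themes/clean/header.php"                  # script in head: fine
  printf '<html><head><title>t</title></head><script src="http://placeholder.invalid/x.js"></script>\n<body>\n' \
    > "$d/wp-content/themes/infected/header.php"               # script after head
  echo "$d"
}

if [ -n "$1" ]; then
  echo "== PHP files in uploads =="; find_php_in_uploads "$1"
  echo "== header.php with <script> after </head> =="; find_script_after_head "$1"
fi
```

Run it against a copy of the site before deciding what to delete; a hit in uploads is a file to inspect, and the header.php check only catches the placement this thread describes, not every injection.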
Thanks for the heads up. Deleting the malicious script in the header.php file worked for me.