Title: Malware inserted into index.php
Last modified: August 20, 2016

---

# Malware inserted into index.php

 *  [dionsis](https://wordpress.org/support/users/dionsis/)
 * (@dionsis)
 * [15 years ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/)
 * Hey
 * I just got a malware warning on my site from chrome saying my site contains content
   from
 * 1omivepa429.cz.cc
 * I have seen no google entries on this particular spamware so didn’t know what
   to do.
 * Upon scaning my entire base directory for anything resembling that I found nothing.
   I then got the hosting company involved who found a
 * base64_decode at the top of my index.php
 * I compared it with the latest index.php and indeed it’s not meant to be there.
   removing it ceased the malware issue.
 * My question now is, does 3.1.3 have a hole in it and can we be continually exploited

Viewing 15 replies - 1 through 15 (of 15 total)

 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [15 years ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113514)
 * There are no known security issues in 3.1.3. The hacker could have entered from
   anywhere on the server.
 * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 *  Thread Starter [dionsis](https://wordpress.org/support/users/dionsis/)
 * (@dionsis)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113769)
 * I cleaned my install, removed the base64_encode from all affected files and re-
   uploaded all the files from a 3.1.3 install. all plugins at latest version.
 * Ensured everywhere on the server was patched, upgraded to the latest version,
   queried the WP_POSTS table for some classic example from the above posts.
 * The malware got in again to my index.php again today. I’ve read through all those
   posts and can’t think of anything I have to do more. what else can I do to shore
   it up other than think there is a hole somewhere.
 *  Thread Starter [dionsis](https://wordpress.org/support/users/dionsis/)
 * (@dionsis)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113775)
 * I just thought I’d add
 * despite all suggestions, malware scans, changing FTP passwords, upgrading server
   files to the latest versions, re-doing all permissions on every file 644 files
   755 folders and 750 wp-config
 * It is STILL somehow getting in, seems to only be rewriting the index.php adding
   it’s base64_decode line
 * I have written a shell script which once a minute checks the index file for the
   base64 addition and copies in a clean file in place of the broken one.
 * This is a bit of an over the top temporary solution. It’s allowing the site to
   continue between infections but really need to close out this hole
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113776)
 * Have you spoken to your hosts? The back door could be somewhere else on the server.
 *  Thread Starter [dionsis](https://wordpress.org/support/users/dionsis/)
 * (@dionsis)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113777)
 * Yeah everything is patched to the highest available level.
 * They suggested I implement an Firewall on the server which I may do though don’t
   see it’s relevance.
 * If you have any tips on tracking changes so I can source the way it’s getting
   in I’d love any suggestions
 * All the supplied links have been followed and implemented. Database has been 
   checked for iframes etc base64_decode etc.
    I have scanned my entire server with
   ClamAV, clean as a whistle done greps across all public web files for base64_decode
   to find any more compromised files, so far it’s just index.php
 * FTP passwords have been changed, Admin accounts on WP have had passwords changed.
   all files in the public_html folders are 644, all folders 755.
 * Trying to think of more to attempt as I’d like to close this up as quickly as
   possible
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113778)
 * Have you reviewed [Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)?
   That said, if this hacker is getting in via the server, there’s only a limited
   amount you can do within WP itself. 🙁
 *  Thread Starter [dionsis](https://wordpress.org/support/users/dionsis/)
 * (@dionsis)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113779)
 * Yeah I saw that one while googling around about the issue.
 * I’ve done pretty much everything in it, somehow it’s still getting in, I’m going
   nuts trying to find and close this hole
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [14 years, 11 months ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113781)
 * The only thing I can suggest is re-reading [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
   in case you have something like a backdoor masquerading as an image file.
 *  [Roland Millward](https://wordpress.org/support/users/rolandmillward/)
 * (@rolandmillward)
 * [14 years, 10 months ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113823)
 * I am having exactly the same problem. It gets into any index.php file and uses
   a .tv web address with various names in front after wiping it manually from each
   file when it comes back.
 * It does not only get into WordPress but any website that I have hosted.
 * There is a very small pixel in top left corner of web browser when site is infected.
 * I have tried uploading using another PC as it seems to be the PC that gets infected(
   in this case a MAC!) I have changed passwords and FTP password several times 
   but still have the problem!
 *  [wpsecuritylock](https://wordpress.org/support/users/wpsecuritylock/)
 * (@wpsecuritylock)
 * [14 years, 10 months ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113824)
 * Have you checked your server for any mystery files? By that I mean a file that
   does not come with WordPress core, plugins or your theme.
 * There could be a trigger file hidden in a folder somewhere that you missed.
 * Sometimes the hack files are named something you may miss, like wp-pages.php,
   which is not part of WordPress.
 * Log-in with Filezilla and check the last modified dates after you re-upload your
   files and search for any modified previously.
 * And clean up your server by getting rid of any obsolete WordPress files. You 
   should only have what’s current on your server.
 * Hope that helps.
 *  [Roland Millward](https://wordpress.org/support/users/rolandmillward/)
 * (@rolandmillward)
 * [14 years, 10 months ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113825)
 * I can’t see any that stand as obvious to me, but then I wouldn’t call myself 
   an expert in this.
 * When I delete the malware code I leave the Index page as this <?/**
 * If I do anything else the websites wont work. Is there any code I can add in 
   that would prevent the malware from being re-inserted?
 * Thanks for your help.
 *  [wpsecuritylock](https://wordpress.org/support/users/wpsecuritylock/)
 * (@wpsecuritylock)
 * [14 years, 10 months ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113826)
 * Hi Roland,
 * Your index.php files should be the same as what comes with WordPress. Re-install
   all your core files, and get fresh copies of all your plugins. Check your theme
   and uploads folders too.
 * Either there’s a hole on the server, trigger file(s), or your database is infected.
   Unfortunately, until you find out what’s causing it, it will return.
 * Check your Skype.
 *  [Roland Millward](https://wordpress.org/support/users/rolandmillward/)
 * (@rolandmillward)
 * [14 years, 10 months ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113827)
 * Thank you. I will give this a try.
 *  [crz](https://wordpress.org/support/users/crz/)
 * (@crz)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113838)
 * For those of you that are getting the main index.php file infected over and over
   again, try looking in wp-content folder or in wp-content/uploads folder for other.
   php files than the simple index.php (these index.php files are used to hide the
   contents of the folders when someone tries to access yoursite.com/wp-content/
   uploads/ folder in the browser.
 * I found a doc.php file and on another site a lib.php file that was the guilty
   bastard. As soon as i removed that the main index.php from the root of the wordpress
   installation folder stopped getting infected again.
 * After removing that file you should also change passwords (ftp/mysql/ wordpress
   admin).
 * Hope that helps you.
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [14 years, 9 months ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113839)
 * [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)

Viewing 15 replies - 1 through 15 (of 15 total)

The topic ‘Malware inserted into index.php’ is closed to new replies.

## Tags

 * [exploit](https://wordpress.org/support/topic-tag/exploit/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 15 replies
 * 5 participants
 * Last reply from: [esmi](https://wordpress.org/support/users/esmi/)
 * Last activity: [14 years, 9 months ago](https://wordpress.org/support/topic/malware-inserted-into-indexphp/#post-2113839)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics