I think it’s reasonable to assume that your site has been compromised. It’s time to have a careful read through this post:
http://codex.ww.wp.xz.cn/FAQ_My_site_was_hacked
Beaten to it above
Well, thanks for the responses, was hoping for more than a standard boilerplate response as I have seen this reply to almost every other question of this nature. In my personal case there really doesn’t seem to be a whole lot wrong with my site, i.e. no redirecting, changes in appearance, etc., just the fact that I have this spam at the top of some of my posts. I know people don’t owe me a thing as far as free help on here, just hoping someone could offer a little help based on my individual site as opposed to lumping it in with every other hack, spam, problem on here.
Thanks
have seen this reply to almost every other question of this nature
I didn’t realise that we had so many reports of hacked sites here. But the reason the same list of links is given is that they represent the best sets of instructions for thoroughly de-lousing your site.
I understand that, like I said I’m not complaining, it’s just I could go through hours and hours of reading and changing and following all those links and then find out down the road that it was possibly as simple as X.
No worries,
And update your passwords immediately. Use stronger passwords. Don’t share them with people or save them in browsers.
This shows how taking basic security measures can go a long way to saving headaches and possibly saving your business.
Are you running the Genesis theme or sub-theme? Check themes/Genesis/functions.php — open in your code editor.
I found some code (looked like it was base-64 encoded) inserted before the normal-looking code. The fact that it had 2 sets of PHP tags tipped me off.
Comment out or remove that first function that starts like this:
$wp_function_initialize = create_function('$a',strrev(';)a$(lave'));
If you don’t have Genesis, check your other themes. I’ve also read online that the code is sometimes in the header.php file, but not in my case.
I had similar code as kmitz pointed out in my functions.php at the very top.
It looked like this:
<?php $wp_function_initialize = create_function('$a',strrev(';)a$(lave')); $wp_function_initialize(strrev(';))"==gC7kiIwhGcf52 (some gibberish code) ?>
I removed the whole code block from <?php to ?>, that fixed my problem.
In case you are curious to decode any of the encrypted code, you can go to http://sucuri.net/ and get it decoded. In my case when I decoded I saw this code:
http://ddecode.com/phpdecoder/?results=d08102e24b67416ef67bc29b56d08a31
Hope this helps.
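
For anyone who would rather scan all their themes than open each file by hand, here is an added example (not part of any post above, and not code from WordPress or Sucuri) that flags the pattern described in this thread and decodes the reversed base64 layer without running any PHP. The function names, the `HIDDEN_CALLS` list and the sample are assumptions made for the illustration; the sample is constructed and carries a harmless payload.

```python
import base64
import re
from pathlib import Path

# Names the loader hides by reversing them; this list is an assumption, extend as needed.
HIDDEN_CALLS = ("eval", "assert", "base64_decode", "gzinflate", "str_rot13")
STRREV_ARG = re.compile(r"strrev\(\s*(['\"])(.*?)\1\s*\)", re.S)
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
OPEN_TAG = re.compile(r"<\?php\b")

def scan_php(source):
    """Flag the injected-loader pattern in one PHP source string; nothing is executed."""
    indicators, decoded = [], []
    if "create_function" in source:
        indicators.append("create_function")
    for m in STRREV_ARG.finditer(source):
        plain = m.group(2)[::-1]  # undo strrev() statically
        indicators += ["reversed:" + n for n in HIDDEN_CALLS if n + "(" in plain]
        for b in B64_CALL.finditer(plain):
            try:
                decoded.append(base64.b64decode(b.group(1)).decode("utf-8", "replace"))
            except ValueError:  # truncated or malformed base64 literal
                indicators.append("undecodable-base64")
    if len(OPEN_TAG.findall(source)) > 1:
        indicators.append("multiple-php-tags")  # weak alone: templates mix tags and HTML
    return {"indicators": sorted(set(indicators)), "decoded": decoded}

def scan_tree(root):
    """Scan every .php file under root (e.g. wp-content/themes); return strong hits only."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        result = scan_php(path.read_text(errors="replace"))
        if set(result["indicators"]) - {"multiple-php-tags"}:
            hits[str(path)] = result
    return hits

def make_sample():
    """Constructed sample shaped like the snippet in the thread, with a harmless payload."""
    inner = base64.b64encode(b'echo "constructed marker";').decode()
    stage = 'eval(base64_decode("%s"));' % inner
    return ("<?php $wp_function_initialize = create_function('$a',strrev(';)a$(lave')); "
            "$wp_function_initialize(strrev('%s')); ?>\n"
            "<?php\n// normal theme code follows\n" % stage[::-1])

if __name__ == "__main__":
    print(scan_php(make_sample()))
```

Run `scan_tree()` against a copy of `wp-content`; a file it reports should be compared with a fresh download of the same theme or plugin version before anything is deleted.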