Theme hacked via contact form 8?
Just now, when I viewed my front page with the Chrome browser, there were hundreds of porn site URLs under the footer area! These did not appear in Firefox or Safari. When I looked at the source code, there was a jquery that seemed to have come in via the Contact Form 8 plugin. I let the hosting co. know. They said this:
Quote:
NOTE: The support guys removed the base64 code for me, so that's why I didn't see it. I still don't know why this happened.
Good advertisement for TAC I think http://wordpress.org/extend/plugins/tac/
I just tried scanning with WordPress Exploit Scanner http://wordpress.org/extend/plugins/exploit-scanner/ but it did not pick up added stuff in footer.php. Actually have no idea what it looks for, "signs that may indicate that your website has been compromised by hackers" is what users are told - but probably another way to secure/test site.
Sounds like a typical iframe injection.
Log in via ssh2 and from the wp-content directory run:
find . -type f -print0 | xargs -0 grep -i "str_rot13"
and
find . -type f -print0 | xargs -0 grep -i "base64_decode"
That should list your infected files. Replace the infected ones with clean copies. Then change all your passwords including FTP, CPanel, wp-admin logins, etc., and make sure you use a tick harder combination. Then go back and make sure you have the proper file permissions. I have 0644 on nearly everything except directories which I run at 0755. For the record I kept Contact Form 7. ;)
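
Added example (not part of the original posts): a shell script that runs the two searches from the reply above in one pass and also lists anything that deviates from the 0644/0755 permission baseline mentioned there. The function names are made up for this example, and matches are leads to review rather than proof of infection, since legitimate plugins also call base64_decode.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Files under $1 that mention str_rot13 or base64_decode (case-insensitive).
# find -exec ... {} + keeps file names with spaces intact.
scan_markers() {
    find "$1" -type f -exec grep -ilE 'str_rot13|base64_decode' {} + 2>/dev/null | sort
}

# Files that are not exactly 0644 and directories that are not exactly 0755.
perm_outliers() {
    find "$1" \( \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \) \) -print | sort
}

# Print both reports for one directory, e.g. wp-content.
audit() {
    echo "== files containing str_rot13 / base64_decode =="
    scan_markers "$1"
    echo "== permission outliers (expected 0644 files, 0755 dirs) =="
    perm_outliers "$1"
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit "$1"
fi
```

Save it as a script and pass the directory to check, for example the wp-content directory; compare every listed file against a clean copy before replacing it.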