I have upgraded WordPress, upgraded all the plugins, deleted inactive plugins, changed my admin username, installed suPHP on my server & configured my blog to use it and I made some changes to php.ini to restrict scripts from doing things they’re not supposed to…
But the line of code keeps coming back into my index.php… it’s really affecting my organic search traffic…
Avast antivirus has a Mac version. I use Avast on my Windows machine, and have previously used their Mac version. You can use it free for a month, I believe.
It may also be that the hackers have left a backdoor script on your server, or it may be a vulnerability in WordPress, or if you’re on a shared server, it may not be your site at all that they are using to get in, but are then attacking your site from the compromised site due to insecure file permissions.
You can’t rely on datetime stamps as the hackers are using backdoor shell scripts that provide them with the ability to “touch” the files with a certain date and therefore make all the files the same datetime or to set them to a specific datetime.
You undoubtedly have a backdoor shell script on your site. This gives the hackers remote control of your site without needing any passwords, or leaving any clues in log files other than the access.log which many people don’t look at anyway.
Sorry I can’t be more specific, but those are the most common strings we find in the hacker’s backdoors.
The typical scenario is that the hackers gain access to a website via a stolen FTP password, then place various backdoors on the site to provide them with access even after the FTP password has been changed. They also frequently change file and folder permissions to 777, which is another area very few people check - until after they’ve been hacked.
How about your plugins? The plugin directory is the favorite place to hide files and scripts.
I would get new plugins as well. Look through the server in any directory for suspicious files and folders, as these kinds of things can embed themselves in existing files, and disguise themselves as images or scripts etc… Being on a Mac doesn’t mean you are secure. There are viruses, worms and rootkits for Mac as well as Windows; there are also cross-platform viruses and other things to take into consideration.
I would first clean up and have a look at all files and folders on my server, then replace them with new ones, and not a backup with some embedded malicious code - then I would have a look at my puter and clean it up as well.
I’ve been hacking Donncha’s Exploit Scanner plugin recently.
It comes with an array of the Core file hashes, which it can check against to determine if any have changed. If any have changed it then searches them for some of the common “hack strings” (i.e. WeWatch’s list). It also searches the database.
IMHO an excellent strategy, but it doesn’t go far enough for my needs. So my hacks add a CRON, email notification, automatic replacement of the hacked file, inclusion of all blog files in addition to Core files, and checking for extra or missing files.
Once I’m done testing I plan to send it on to Donncha, whether or not he’ll want to use any of it.
But you could try the plugin as it is now. Every step you take to improve security can only help.
Before you update the index.php, take a note of its last modified date.
Perhaps you can use this to track an IP address from the servers access log.
Never know - the hacker could be stupid enough to use a direct IP you could track from whois.com.
Also, you may want to check your ISP hosting control panel. Change that PW and check to see if there are any scheduled CRON jobs. If they had access to the CP, a CRON job could be updating your file CHMODs.
Cheerz,
Wil.
PS: Macs are just as vulnerable to viruses and malware as PCs are. It’s just that PCs, being the dominant % of the market, get more attention from the virus writers and media. Check yer Mac just in case.
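
The hash-based check discussed in the thread (compare files against known-good hashes and look for extra or missing files, rather than trusting timestamps), as an added example that is not part of the original thread and is not the Exploit Scanner plugin's code. The sample tree, file names and injected line are constructed for illustration:

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Return files that were modified, added, or removed since the baseline."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "extra": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed sample tree: tamper with it, then compare against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-content" / "plugins").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-content" / "plugins" / "hello.php").write_text("<?php // plugin\n")
        (site / "readme.html").write_text("<html></html>\n")
        baseline = build_manifest(site)

        # Simulate the changes described in the thread.
        index = site / "index.php"
        st = index.stat()
        index.write_text("<?php /* constructed injected line */ require 'wp-blog-header.php';\n")
        os.utime(index, ns=(st.st_atime_ns, st.st_mtime_ns))  # mtime reset, as "touch" would
        (site / "wp-content" / "plugins" / "cache.php").write_text("<?php // unknown file\n")
        (site / "readme.html").unlink()

        mtime_unchanged = index.stat().st_mtime_ns == st.st_mtime_ns
        return compare(baseline, build_manifest(site)), mtime_unchanged


if __name__ == "__main__":
    report, mtime_unchanged = demo()
    print("index.php mtime unchanged:", mtime_unchanged)
    for kind, files in report.items():
        print(kind, files)
```

In real use the baseline manifest has to be built from a known-clean copy and kept off the server, since a manifest the intruder can rewrite proves nothing.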