I don't know if this is even something that y'all discuss here...my apologies if it isn't (or if I've put it in the wrong section).
My friend has a reseller account with hosting24 (and I'm pretty sure it's a shared host). It's very small...just a handful of sites. He contacted me because one of his sites was not displaying correctly in IE. It was a wordpress theme I had thrown together for him as a favor. He figured it was a CSS issue and was busy so he was hoping I could fix it for him.
I studied the theme files...they were all fine.
But when I viewed source, there is this huge obfuscated javascript inserted at the beginning of the HTML...even before the doctype. Also, when viewing the site's DOM (for example, Google Chrome's "Inspect Element" option), I discovered that there was a mysterious iframe element and that all the elements that should be in the head were in the body.
The iframe contains a site that antivirus software blocks and/or warns about. The domain in the iframe is a known source of malware/spyware.
I eventually figured out that the javascript code had been inserted into the index.php file in the site's root folder. This is a file that one rarely deals with in a wordpress environment.
Then I discovered that, actually, it was inserted into every index.php or index.html file in every site's root folder.
But, if I remove it, it just reappears a few hours later (in all his sites). I suspected that either my PC or my friend's PC had malware (a keylogger, for example) that watched us enter the password to his cpanel.
So, I advised that we both only access his cpanel while running our PCs from a linux liveCD. This we did, and changed his cpanel password and removed the strange javascript again.
Woke up this morning and the javascript is back.
This, to me, means the attack is outside of our PCs...possibly on the server itself (perhaps a sql injection?), or some script is monitoring the http traffic from my friend's computer (I rarely interact with his sites).
He asked his hosting company to check the server itself for malware, but their response was that their servers run linux and thus cannot be infected.
Frankly, my next step would be to rent server space with another server, and rebuild each site by copying-n-pasting the content (so that one ended up with brand-new wordpress databases), and delete everything (including databases) off his current host.
But, I was hoping, somewhere out there is someone who has encountered this issue and knows an easier solution...
And I fully understand if this is not an issue this forum deals with...I'll try others, if not.
(I can provide an example link to one of the infected sites if requested to do so...I don't want to appear like I'm linkbuilding...and it's possible that no links are necessary and that only a description of the issue is needed.)
Thanks.
--Will
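One practical check for the situation Will describes, added here as an example and not code from the original post: a small baseline-and-rescan script for the index.php/index.html files in every site's root. It assumes a reseller layout with one directory per site under a single webroot, and relies on the symptom in the post (script or iframe content sitting ahead of the doctype or the opening `<?php` tag); the sample site and payload stand-in in `demo()` are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

TARGETS = {"index.php", "index.html"}             # the files the post says were rewritten
MARKER = re.compile(r"<(script|iframe)\b", re.I)  # injected JS plus the iframe seen in the DOM

def injected_prefix(text):
    """Text preceding the first <?php or <!DOCTYPE marker. A clean WordPress
    index.php starts with <?php and a static page with its doctype, so a script
    or iframe in this prefix matches the 'JavaScript before the doctype' symptom."""
    lower = text.lower()
    starts = [p for p in (lower.find("<?php"), lower.find("<!doctype")) if p >= 0]
    return text[:min(starts)] if starts else ""

def index_files(webroot):
    return sorted(p for p in webroot.rglob("*") if p.name in TARGETS and p.is_file())

def build_baseline(webroot):
    """Hashes taken right after a clean-up; the next scan diffs against them."""
    return {str(p.relative_to(webroot)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in index_files(webroot)}

def scan(webroot, baseline):
    """Flag index files with an injected prefix or a changed hash, recording the
    mtime so the reinfection time can be lined up with server and cPanel/FTP logs."""
    findings = []
    for p in index_files(webroot):
        rel = str(p.relative_to(webroot))
        reasons = []
        if MARKER.search(injected_prefix(p.read_text(errors="replace"))):
            reasons.append("script/iframe before <?php or doctype")
        if rel in baseline and baseline[rel] != hashlib.sha256(p.read_bytes()).hexdigest():
            reasons.append("hash differs from baseline")   # catches files with no doctype too
        if reasons:
            findings.append({"file": rel, "mtime": p.stat().st_mtime, "reasons": reasons})
    return findings

def demo():
    """Constructed sample reseller root: two sites, one re-infected after baselining."""
    root = Path(tempfile.mkdtemp())
    clean_php = "<?php\ndefine('WP_USE_THEMES', true);\nrequire './wp-blog-header.php';\n"
    for site in ("site-a", "site-b"):
        (root / site).mkdir()
        (root / site / "index.php").write_text(clean_php)
    baseline = build_baseline(root)
    # Constructed stand-in for the obfuscated payload; not the real injected code.
    (root / "site-b" / "index.php").write_text("<script>eval(/*CONSTRUCTED*/'x')</script>" + clean_php)
    return scan(root, baseline)
```

Run `build_baseline` once after a clean-up, store the result, and rerun `scan` from cron; the reported mtime narrows down which access (FTP, cPanel file manager, a PHP backdoor) to look for in the host's logs.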