
Possible Duplicate:
My server's been hacked EMERGENCY

I just discovered that my site has, I believe, been hacked. Along with a couple of other sites on my host. If you go to the bottom of the site you'll see an iframe. I don't know what that is, it shouldn't be there.

I deleted all the code from my site and it's still there.

I checked htaccess thinking maybe someone added auto_append. Nothing.

Any clue as to how else something can be added to the bottom of my site?

I'm currently downloading some log files to look through.

Galen

6 Answers

3

First thing to do is alert your hosting company. They will be able to look at logs you don't have access to.

Secondly: I see you're using WordPress. You need to:
- Check and see if WordPress is up to date
- Check and make sure that all of your WordPress plugins are also up to date

If any of the above are not up to date, you need to check and see if the version you are running has a known vulnerability. (Check the software's site, etc.)

Start going through your webroot to find any out of place files. Make sure to look in temp dirs also.

If it is found to be a bad hack, you will want to restore from a known good backup.

This should get you started in the right direction.

Edit: Please ignore / thumb down XTZ's answer. It is reactionary and dangerous, not to mention inaccurate.

Josh Brower
2

If they were able to edit php.ini, I believe they could add a footer to every PHP page (which obviously, you wouldn't see in your own code). Make a test.php file and see if it still happens.

mconigliaro
1

I went to the site in question, it tried to install a trojan like:

http://www.martinsecurity.net/2008/09/04/analyzing-a-malicious-pdf-trojpdfjs-a/

Loading a malicious PDF file with JavaScript. Viewing the code, it also looks very similar. Probably should be avoided unless you've locked down your computer. As for solutions, I think contacting your hosting company, as Anapologetos said, would be the essential first step.

0

Answering these questions should help you find the solution.

  • Is there a proxy between you and the server?
  • Have you ruled out browser plugins adding something?
  • Have you ruled out malware on your workstation?
  • Have you tried retrieving the page with telnet/netcat instead of using a browser?
  • Is this a server you maintain? You mention other sites, do they also have this problem?
  • What are the contents of the iframe?
Zoredache
0

What is that JavaScript code in your page source after the closing HTML tag?

Also I would get the extension that hides your WordPress version from the page source, since it shows it as a meta tag (<meta name="generator" content="WordPress 2.7.1" />); for example, I can see you're running "WordPress 2.7.1" (which is the current version :claps:) but once an exploit for that is found people will be able to search for it.

Also check the other files that your WordPress installation uses. I know that it can include and require from other files (which won't show up in page source since they are PHP based), and I know that extensions/themes can also do so, so make sure those are up to date.

Also check to see what extensions and themes are installed/enabled and get rid of any you don't know.

p858snake
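Three of the answers above come down to the same checks: fetch the page without a browser (Zoredache's telnet/netcat question), look at what sits after the closing HTML tag (p858snake), and find out whether php.ini is appending a file to every response (mconigliaro's test.php idea). The following is an added example, not code from any of those answers; the HTML page and php.ini fragment are constructed samples, and the hostname and paths are assumptions.

```shell
#!/bin/sh
# Added example: inspect the page as the server actually sends it, and check the
# PHP settings that can append a file to every response. The page and php.ini
# samples below are constructed; hostnames and paths are assumptions.

# Fetch over a raw socket so browser extensions and workstation malware are out
# of the picture. Needs network, so the demo below does not call it.
fetch_raw() {
    host="$1"; path="${2:-/}"
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$path" "$host" | nc "$host" 80
}

# Print whatever follows the closing </html> tag. A clean page has nothing but
# whitespace there; an appended loader lands exactly there.
trailing_content() {
    sed -n '/<\/[Hh][Tt][Mm][Ll]>/,$p' "$1" \
        | sed '1s/.*<\/[Hh][Tt][Mm][Ll]>//' \
        | grep -v '^[[:space:]]*$' || true
}

# List iframe src values. A 0x0 or display:none iframe to a host you do not own
# is the drive-by pattern.
iframe_sources() {
    sq="'"
    grep -oiE '<iframe[^>]*>' "$1" | grep -oiE 'src=[^ >]+' \
        | sed "s/^src=//; s/[\"$sq]//g" || true
}

# Report auto_prepend_file / auto_append_file with a non-empty value from a
# php.ini, .user.ini, or .htaccess (php_value ...) file: these inject a PHP file
# into every request without touching any file in the site's own code.
php_append_settings() {
    grep -iE '^[[:space:]]*(php_value[[:space:]]+)?auto_(prepend|append)_file' "$1" \
        | grep -vE '=[[:space:]]*$' || true
}

# Constructed samples: a page with an injected footer and a php.ini with an
# append hook. Writes to the two paths given.
write_samples() {
    cat > "$1" <<'EOF'
<html><head><title>Blog</title></head>
<body><p>Hello</p></body>
</html>
<iframe src="http://malicious.example/in.cgi?3" width="0" height="0" style="display:none"></iframe>
EOF
    cat > "$2" <<'EOF'
; constructed php.ini fragment
auto_prepend_file =
auto_append_file = /tmp/.cache/footer.php
EOF
}

page="${TMPDIR:-/tmp}/page.$$"; ini="${TMPDIR:-/tmp}/php.ini.$$"
write_samples "$page" "$ini"
echo "after </html>:"; trailing_content "$page"
echo "iframe src:";    iframe_sources "$page"
echo "php.ini hooks:"; php_append_settings "$ini"
rm -f "$page" "$ini"
```

In practice: `fetch_raw www.example.com / > raw.html` from a machine you trust, then `trailing_content raw.html` and `iframe_sources raw.html`; if the iframe is present in the raw fetch, the browser is not the cause. Then run `php_append_settings` on the php.ini that `php --ini` reports, on any .user.ini in the webroot, and on every .htaccess, since a `php_value auto_append_file` there is just as effective as the global setting.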
0

Aren't WordPress pages, like those of most CMSes, generated from a database?

If so, here's the dirty little secret of open-source CMSes, PHP, and shared web hosting: on many shared hosting servers, everyone's PHP scripts run with the same privileges (i.e. with the UID and GID of the Apache daemon).

This means that, if PHP can read your scripts, it can read the scripts of every other customer on the server. And vice versa.

But, many open-source CMSes store high-privilege database credentials in their PHP scripts. Drupal does this; Joomla does this; I haven't looked at the WordPress source but I'd be surprised if it didn't do this.

In short: It's extremely likely that fully-privileged access to your WordPress database is within trivial reach of every other user who shares the server with you.

I sort of hate to write that in bold but I feel like I've been banging my head against a wall with this issue for a few months now, during which time I've run into two, possibly three apparently-reputable hosting companies that use this setup, and just can't be bothered by the enormous security problem it presents.
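As an added example (not code from the answer above or from WordPress), a check for the exposure it describes: config files with database credentials that any other customer's scripts on the same server could read, and whether the credentials in them are a shared high-privilege account. The two-site tree is constructed for the demo; paths and account names are assumptions.

```shell
#!/bin/sh
# Added example: check what the shared-hosting setup described above exposes.
# The two-site tree is constructed for the demo; paths are assumptions.

# Config files holding DB credentials that are readable by group or other. If
# every customer's PHP runs as the same user, a file that user can read is one
# include() away from every other customer's scripts.
find_readable_configs() {
    find "$1" -type f \
        \( -name 'wp-config.php' -o -name 'configuration.php' -o -name 'settings.php' \) \
        \( -perm -004 -o -perm -040 \) -print
}

# DB_USER from a wp-config.php. A root or shared admin account means one
# compromised site is every database on the box.
wp_db_user() {
    sed -n "s/.*define *( *['\"]DB_USER['\"] *, *['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# Constructed tree: site-a left world-readable with a root DB user, site-b
# locked to its owner with a per-site account.
make_demo_sites() {
    root="$1"
    mkdir -p "$root/site-a" "$root/site-b"
    printf "<?php\ndefine('DB_USER', 'root');\ndefine('DB_PASSWORD', 'not-a-real-password');\n" \
        > "$root/site-a/wp-config.php"
    printf "<?php\ndefine('DB_USER', 'site_b_app');\ndefine('DB_PASSWORD', 'not-a-real-password');\n" \
        > "$root/site-b/wp-config.php"
    chmod 644 "$root/site-a/wp-config.php"
    chmod 600 "$root/site-b/wp-config.php"
}

demo="${TMPDIR:-/tmp}/sites-demo.$$"
make_demo_sites "$demo"
for f in $(find_readable_configs "$demo"); do
    echo "readable by others: $f (DB_USER=$(wp_db_user "$f"))"
done
rm -rf "$demo"
```

The caveat that matters: `chmod 600 wp-config.php` only helps when the site's PHP runs as the file's owner (suexec, or a PHP-FPM pool per site). Under a shared mod_php user the file has to stay readable by that user, which is exactly the problem the answer describes, so the lasting fix is per-site system users plus a per-site database account granted only what that one site needs.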