On Apr 22, 2010, at 6:14 PM, Miserere wrote:

> Yeah, still not fixed. I'm giving up for now; I've spent 6 straight
> hours trying to figure this out and can't find that last damn script.
> I've left a message on the WP forum and hopefully someone will have
> replied by tomorrow.

I've had to repair hacked sites for customers at work on a few occasions. The hard news is this: deleting EVERYTHING is the only way to be 100% sure. Everything, including the database. Nuke it from orbit then restore from backup. I hope you have a good backup, but I suspect the 6 hours you've spent so far is a horrible lesson as to why you should have one.

As for how they got in (which would be helpful to know if you plan to prevent a recurrence), it could be any of:

- WordPress core
- The theme
- Any one of the plugins you've installed

There are more potential places but those are by far the most likely. Most hacking is automated so it's likely that a dodgy bit of JavaScript or PHP code has been simply appended into one or more template files. Bear in mind it could be anything that puts content on the page, which includes things like sidebar plugins, so switching these off may help you isolate the problem. Maybe try switching to a different template; if the problem goes away then you could delete and reinstall your normal one. When you delete it make damn well sure its entire folder is gone before you reinstall.

Last year I saw an old (out of date) Joomla site get hacked via an SQL-injection hole in one of its extensions. The hacker had found the site using an inurl: search in Google, looking for that particular extension which was an events calendar, I think (another good reason to switch on search-engine-friendly URLs). The popular CMS teams tend to be pretty good at keeping on top of security but the same can't be said for some of the third-party developers, nor webmasters who don't always keep their sites up to date due to a lack of time, motivation, knowledge or budget.

We actually managed to clean that site up without too much trouble but only because we have shell access to the server so once we knew what to look for we could run a bunch of searches to find affected files.
Restoring from backup was out of the question in that case due to the historical hackage. After that we upgraded the core CMS. Any extension we couldn't upgrade or find modern replacements for, we removed.

Cheers,
Dave

-- 
PDML Pentax-Discuss Mail List
PDML@pdml.net
http://pdml.net/mailman/listinfo/pdml_pdml.net
to UNSUBSCRIBE from the PDML, please visit the link directly above and follow the directions.
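
The kind of shell search the message above mentions for finding affected files, sketched as an added example that is not part of the original message or anyone's actual cleanup script. The signature patterns, the function names and the sample theme tree are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: two heuristics for injected code in CMS theme/plugin files.
# The patterns are assumptions about typical automated injections, not a complete list.
SUSPECT_RE='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)[[:space:]]*\(|document\.write[[:space:]]*\([[:space:]]*unescape[[:space:]]*\(|<iframe[^>]*display:[[:space:]]*none'

# List .php/.js/.html files under $1 whose contents match SUSPECT_RE.
scan_patterns() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) \
        -exec grep -liE -e "$SUSPECT_RE" {} + | sort
}

# List .php/.html files under $1 with non-blank content after the last </html>,
# which is where code "simply appended" to a template ends up.
scan_trailing() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' \) | sort |
    while IFS= read -r f; do
        if awk '{ line[NR] = $0 }
                /<\/[Hh][Tt][Mm][Ll]>/ { last = NR }
                END {
                    if (!last) exit 1            # no closing tag in this file
                    tail = line[last]
                    sub(/.*<\/[Hh][Tt][Mm][Ll]>/, "", tail)
                    for (i = last + 1; i <= NR; i++) tail = tail line[i]
                    exit !(tail ~ /[^ \t\r]/)    # 0 when something follows
                }' "$f"
        then printf '%s\n' "$f"; fi
    done
}

# Build a small constructed theme tree (sample data, not from the message).
make_demo() {
    d=$(mktemp -d) && mkdir -p "$d/theme"
    printf '<?php get_header(); ?>\n<p>hi</p>\n' > "$d/theme/index.php"
    printf '</body>\n</html>\n' > "$d/theme/footer.php"
    cp "$d/theme/footer.php" "$d/theme/footer-bad.php"
    printf '<script>document.write(unescape("PLACEHOLDER"));</script>\n' >> "$d/theme/footer-bad.php"
    printf '<?php eval(base64_decode("PLACEHOLDER")); ?>\n' > "$d/theme/sidebar.php"
    printf '%s\n' "$d"
}

demo=$(make_demo)
echo "pattern hits:";  scan_patterns "$demo"
echo "content after </html>:"; scan_trailing "$demo"
rm -rf "$demo"
```

A hit is a file to read by hand, not proof of compromise, and a clean result does not cover anything stored in the database.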