OneClick Wordpress blog Hacked

All the pages served by one of my oneClick wordpress blogs have a script element prefixed to them, including the RSS feeds. The script is compressed and obfuscated but is clearly targeting MSIE. Most browsers ignore it and still render the pages with the element there.

Anybody else seeing this infection?

I’ve opened a ticket, but since it’s not in any of the things I can edit I suspect the problem may be more widespread. And yes, wordpress thinks it’s up to date.

For example:

Well, all OneClick does is do the leg work of installing it and nothing more. You can still edit all the files as you see fit.

I have also looked through the generated code and could not find it. It is possible that one of the external resources is malformed.

Where in the generated code is the script tag?

Thank you.

I’d so deeply internalized “Don’t mess with the one click install or you’ll break automatic upgrading.” that I’d forgotten that I could see the installed files.

The hack was added to the front of the wp-setup.php; so I’ve removed it.

Of course I have no idea what else may have been damaged or how this damage was done… hm…

If you don’t know if anything else has been modified, I’d clean & reinstall your WP installation just to be safe.

And of course do the standard Password Changes :)

I’m slightly comforted that the checksums on all the other PHP files match the 2.9.1 distribution. More details here:

My wordpress blog was also hacked. This fix doesn’t seem to be the solution for me. Will have to keep looking.

There is more info about this here. If you are hacked the way I was you need to search for the script mentioned there.

> This fix doesn’t seem to be the solution for me.

Which version of WP are you running?

Is it a One-Click Easy, Advanced, or a custom installation?


I just updated it to the latest version of WP 2.9.2

It’s oneclick advanced

It forwards to another site when I load the site. It’s a different site every time I load it.


Well I found where the malicious code was at. I tried turning off all my plugins, no change. Then I changed my theme, and then it worked fine. I looked through the modification dates within my theme directory and found the header.php file had been modified within the last month. Down close to the bottom this line was found:

document.write(unescape('<sc.........

There are several more lines of unreadable stuff that followed. I just deleted everything within the script tag and it works fine now. So, now I have to figure out how that file got changed. Don't want it to happen again. Not quite sure how to find that out.

Jason

For starters, look at the timestamp on the modified file. Then look back through your HTTP logs for what was happening at that time.

Here’s a wiki article with some other suggestions:
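
The suggestion in the last reply (take the modified file's timestamp, then read the HTTP logs around it) as an added example, not code from this thread. It assumes Apache combined-format access logs; the log lines, IP addresses and dates in it are constructed.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache combined log format (assumed): ip - user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def file_mtime(path):
    """Modification time of a file as an aware UTC datetime.
    mtime can be reset by whoever changed the file, so compare st_ctime too."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def requests_near(mtime, log_lines, window_minutes=5):
    """Return log entries within +/- window_minutes of mtime.
    State-changing requests (POST/PUT) sort first, then by time."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - mtime) <= window:
            hits.append({"time": ts, "ip": m["ip"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    hits.sort(key=lambda e: (e["method"] not in ("POST", "PUT"), e["time"]))
    return hits

# Constructed sample data: documentation IP ranges and made-up dates.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Mar/2010:03:10:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Mar/2010:03:12:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.7 - - [14/Mar/2010:03:13:05 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 812 "-" "-"',
    '192.0.2.10 - - [14/Mar/2010:09:00:00 +0000] "GET /feed/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
SAMPLE_MTIME = datetime(2010, 3, 14, 3, 13, 6, tzinfo=timezone.utc)

if __name__ == "__main__":
    # On a real host, pass file_mtime() of the modified file and the open access log.
    for e in requests_near(SAMPLE_MTIME, SAMPLE_LOG):
        print(e["time"].isoformat(), e["ip"], e["method"], e["path"], e["status"])
```

If nothing in the HTTP log lines up with the change, the file was probably written another way (FTP/SSH with a stolen password, or another account on the host), so check those logs for the same window.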