
Forum Moderators: phranque


Frequent malicious scripts injected into page source

SQL Injection? - Wordpress 2.5

7:16 am on Sep 7, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:July 11, 2005
posts: 112
votes: 0

I have a site that has been hacked a few times recently. In fact, one other site I had got hacked just as I was selling it - and that one was primarily HTML.

Anyway, I've no idea how they are doing it. The malicious script entry isn't showing up in the comments section, it's getting added to the actual page source - meaning that I have to actually FTP in to my server and manually remove the link from the template's source to fix the problem.

This happened once recently after I approved some comments, but has since happened after I've approved nothing. The other site that was hacked had a script injected into a straight HTML page.

SQL injection seems the most likely culprit, but because of the plain vanilla HTML page on the other site being affected as well I sort of doubt it.

Anybody else experience anything like this? I've had my site clean for a while and hopefully it doesn't happen again going forward, as I contacted the hosting's owner and he apparently hardened the system a bit, but I'd still like to know how this is happening.

When hacked, my site gets listed as an "attack site" in Google's search results, and Firefox (3 at least) displays a warning page before allowing you to access it. This crushes my traffic, as most of it comes from The Goog. I actually appreciate this as it prevents people from getting infected and lets me know that I've been had again, but as stated above, my traffic goes right into the #*$!ter until I can clean and Google re-indexes.

Any and all help is appreciated.



6:43 am on Sept 8, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Aug 7, 2007
votes: 0

I'm not an expert on the subject, but it sounds to me that someone has gained access to your server.

Do you have the same hosting provider for both attacked pages? If so, it is quite possible that they had (maybe still have) a crack in their defenses.

Or maybe someone has acquired your passwords to the system. I'd change all my passwords, just to be on the safe side.

These are the two main reasons I could think of right now.

<edit>I noted after posting that you mentioned WordPress in your headline. I'm not sure how that system works, so maybe the problem isn't server related after all.</edit>

[edited by: deMorte at 6:50 am (utc) on Sep. 8, 2008]

1:02 pm on Sept 8, 2008 (gmt 0)

Senior Member

bwnbwn: WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member, Top Contributors Of The Month

joined:Oct 25, 2005
votes: 53

You need to update your WordPress as there have been a ton of them hacked.
WordPress is horrible about this so I suggest you stay very current with them. If you have updated then there has been a breach of your FTP and/or computer and I suggest a complete password change on all my personal stuff as well as business.

6:28 pm on Sept 13, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:July 11, 2005
votes: 0

I've updated to the latest version of Wordpress as of a couple of nights ago - I've not been hacked in a couple of weeks and with any luck it will stay that way.

We'll see.

Thanks for all of the suggestions.