x-victory.ru exploit?

(12 posts)
  • Started 1 year ago by afdenahy
  • Latest reply from afdenahy
  • This topic is resolved

  1. afdenahy
    Member

    When I browse to ourshire.net/forum, the status bar indicates something downloading from x-victory.ru. I've tried improved security via .htaccess, changing the database password, etc., but it goes on. Google lists this as a possible "Badware" site.

    Has anyone had this problem, or have any idea what I could try to prevent? No sign of damage (yet).

    Posted 1 year ago #
  2. http://www.blockacountry.com is what some do when they find they have no other options.

    ~ Jared Ritchey

    Posted 1 year ago #
  3. At the end of your pages, after the closing HTML tag there is an additional script and an iframe.

    This code is not in the download tarballs, so it seems the code has been injected on your site only. You should contact your web host for assistance as your service may have been compromised.

    Posted 1 year ago #
  4. afdenahy
    Member

    Thanks - yes, I found this in header.php:
    <script type="text/javascript" src="http://onvertigo.com/anarchy_media/anarchy.js"></script>
    I'll try deleting it and see if it stays deleted. Apparently onvertigo.com belongs to Trent Adams, a bbPress enthusiast - hmm.

    Posted 1 year ago #
  5. afdenahy
    Member

    No, the script is still being inserted at the bottom. When I replace the eval in the script with document.write and put the script in an HTML page, it produces a rectangle - strange. Is this really coming from Trent, the moderator? It has wasted a lot of my time.

    Posted 1 year ago #
  6. I didn't say anything about the script at the top. I assume that's from a plugin you've installed.

    Remove the script and iFrame from the bottom.

    Look in footer.php

    Where did you download your files from?

    Posted 1 year ago #
  7. afdenahy
    Member

    The header.php file is from the bbpress-forum template supplied by Trent at http://trentadams.com/2007/02/10/theme-release-onvertigo/#comment-347

    I reinstalled everything, including the bbpress-forum theme, but with the anarchy.js line deleted. Now everything is fine. I think you might need to have a word with Trent about the purpose of the onvertigo.com/anarchy_media/anarchy.js
    Anthony

    Posted 1 year ago #
  8. The file you mentioned is harmless.

    Your problem was with an iframe that was inserted at the end of the page.

    Your site still contains some obfuscated javascript at the end of the page.

    Posted 1 year ago #
  9. I suggest you move to other hosting providers.

    I checked a few sites on your hosting server (using http://www.myipneighbors.com/ to find out); they have the same code inserted.

    Hope you can get a refund!

    Posted 1 year ago #
  10. I wrote about this in the wordpress.org forums as well and the only thing was that anarchy-media javascript in there left over after I re-uploaded the file after a server crash from my own modifications to the original theme.

    I have taken that up and reloaded the theme to the server, but I don't see anything in footer.php that would even cause a problem that you are seeing.

    http://wordpress.org/support/topic/143571?replies=3#post-648853

    Trent

    Posted 1 year ago #
  11. As well, afdenahy you can always contact me by my about page on my site with the contact form. As well, the "modlook" tag would also draw me in faster even though that is not really the intended purpose of that tag to this thread!

    Trent

    Posted 1 year ago #
  12. afdenahy
    Member

    Thanks Trent et al. 3ix have fixed the problem. This is their response:
    We have investigated the root cause of the issue and it is a type of iframe hacking from a Serbian IP which got into one of the customised php scripts of one of the clients and then got FTP access of domains and modified the pages.

    We have removed that script and banned the IP and process of removing that hacked script. Your account has been cleaned.

    Now I'm changing lots of passwords. Sorry about jumping to conclusions about that script line in your header.php Trent.

    Anthony

    Posted 1 year ago #
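
A check for the symptom described in posts 3 and 8 (a script and an iframe appended after the closing HTML tag), as an added example that is not part of the original thread: it reports every script or iframe tag found after the last `</html>` of a page and whether it loads from a host other than the site's own. The host names and the two sample pages are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)

class _TagCollector(HTMLParser):
    """Records every <script> and <iframe> start tag with its src attribute."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.found.append((tag, dict(attrs).get("src")))

def trailing_markup(page):
    """Return whatever follows the last </html>, with whitespace stripped."""
    matches = list(CLOSE_HTML.finditer(page))
    return page[matches[-1].end():].strip() if matches else ""

def audit_page(page, own_hosts):
    """List (tag, src_host, is_external) for script/iframe tags after </html>.

    Any finding is suspicious on its own: a legitimate template emits nothing
    after the closing tag. is_external marks tags that load from a host
    outside own_hosts; inline scripts have no src and report host None.
    """
    collector = _TagCollector()
    collector.feed(trailing_markup(page))
    collector.close()
    findings = []
    for tag, src in collector.found:
        host = urlparse(src).hostname if src else None
        findings.append((tag, host, host is not None and host not in own_hosts))
    return findings

# Constructed sample pages (placeholder hosts, not taken from the thread).
CLEAN = ('<html><head><script src="/js/site.js"></script></head>'
         '<body>forum</body></html>\n')
INFECTED = CLEAN + (
    '<script type="text/javascript">/* obfuscated payload elided */</script>'
    '<iframe src="http://injected.example/in.cgi" width="1" height="1"></iframe>'
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, audit_page(page, {"forum.example"}))
```

Run it over the HTML the server actually returns as well as over the template files on disk (such as footer.php), since the host's report describes pages being modified through FTP access.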
