When we had malware on Wohill

by Niklas Waller on November 24, 2011

in Security

Suddenly one day I noticed that big red screen when clicking on a Google result leading to a Wohill page, and later on even when going directly to wohill. We had been attacked by malware, and Google, as a precaution, would not recommend that users enter our site. You can easily say that our numbers went down those days.

I spent some time trying to figure out the reason for it. But before doing anything I changed our passwords to make sure that no one had access to the site. I made sure that the WordPress installation, the installed theme and all plugins were of the latest version. I also checked the WordPress security again. It appeared that we had some security holes in the .htaccess structure. Use the BulletProof Security plugin as instructed and you should be in good hands.

What happened was that someone, in some way that I don't know, got access to the WordPress admin and added a script tag in the additional scripts section of the Site Options page in the Thesis theme.

It appeared that apis.google.com is not a Google subdomain. This script seems to have done two things which I think affect one another in some way. A file was created in our FTP root. If you deleted it, it was just created again. Its name was a string of numbers and letters, about 20 characters long. It contained what seemed to be a long list of IP numbers. I double-checked with the web hotel and they did not create it.

I reported this to the web hotel and they did a search and found that a PHP tag had been added to the top of several index files on the site. It started like this:

<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KZnVuY3

Once all occurrences of this tag, the file mentioned above and the script tag in the WordPress admin were removed, I asked Google to scan/check the site again. We were shortly after reported clean and have not seen it again. Thank God!
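A triage script for the index-file injection described above, added here as an example and not code from the original post or from the hosting provider: it walks a site root, flags PHP files that open with eval(base64_decode('...')), and decodes the start of the blob (padding it if the copy is truncated, as the quoted sample is) so the error_reporting(0) prelude can be recognised. The sample site tree it builds is constructed; the script-tag and FTP-root-file parts of the incident are not covered.

```python
import base64
import os
import re
import tempfile

# Pattern from the post: a PHP open tag at the very start of the file,
# immediately followed by eval(base64_decode('<blob>')).
INJECTION_RE = re.compile(
    rb"^\s*<\?php\s+eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)"
)


def decode_prefix(blob: bytes, limit: int = 80) -> str:
    """Decode the first `limit` bytes of a base64 blob, tolerating truncation."""
    blob = blob.rstrip(b"=")
    if len(blob) % 4 == 1:      # a lone trailing character can never decode
        blob = blob[:-1]
    padded = blob + b"=" * (-len(blob) % 4)
    try:
        return base64.b64decode(padded).decode("latin-1")[:limit]
    except ValueError:
        return "<undecodable>"


def check_file(path: str):
    """Return the decoded payload prefix if the file carries the injection, else None."""
    with open(path, "rb") as fh:
        head = fh.read(4096)    # the injection sits at the top of the file
    match = INJECTION_RE.match(head)
    return decode_prefix(match.group(1)) if match else None


def scan_site(root: str) -> dict:
    """Map each injected .php file (relative to root) to its decoded prefix."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                result = check_file(full)
                if result is not None:
                    findings[os.path.relpath(full, root)] = result
    return findings


def build_sample_site() -> str:
    """Constructed sample tree (not from the post): one injected and one clean index.php."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content"))
    payload = base64.b64encode(b"error_reporting(0);\r\nfunction hidden_iframe() {}")
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php eval(base64_decode('" + payload + b"')); ?>\n<?php\n// original\n")
    with open(os.path.join(root, "wp-content", "index.php"), "wb") as fh:
        fh.write(b"<?php\n// Silence is golden.\n")
    return root
```

Run scan_site on a copy of the web root and review every hit before cleaning; a matching file should be restored from a known-good source rather than edited in place.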

Have you had any experiences like this? Please share!
