I'd appreciate your help with some problems I have been facing.
I recently changed webhosts and updated my wordpress site: guitarbench.com
Soon after the move, I received emails that the site was flagged by AVAST. Removal of some IP to world map trackers solved that issue.
Then I noticed a lot of issues with the visual editor and reinstalled wordpress automatically as per wordpress.org faq advice. Soon after, I was getting a blank page on my dashboard. Looking through the process, Dashboard would fine but then try to reload to a blank page. I noticed that page was trying to load to www.foreigntechnolonies.com. A look through the page source and I found this: "http://foreigntechnologies.com/ivanyuk/JU3Zgt3HDr.php" which I didn't recognise.
Then a look through my folders showed: gifimg.php which looks like a PHP Script Injection Exploit.
I deleted the gifimg.php files- but no difference so I deleted all the .js files with the write:script in- also no difference. Than I disabled all the plugins- and it solved the problem. I narrowed it down to the add everything plugin which I then deleted. That seemed to solve the problem. So far so good, but then after adding back the .js files I deleted, all the time checking to see if the site worked ok. When I got to the end, the site came down with the same problem, again. So I repeated the same process: except there are no gifimg.php files left and now it doesn't solve the problem and the "http://foreigntechnologies.com/ivanyuk/JU3Zgt3HDr.php" is still showing up. Rats!
So I pumped in my url into unmaskparasites, which comes up as apparently clean. I'm now running malwarebyte on my own PC to see if I can find anything, but I'm kinda lost as to where to go from here.
Edited by pakhan, 26 February 2010 - 11:52 PM.