WordPress MU

Hi, Found in L Code field of one blogs this following code:

[htmlcode]<div id="refl" style="display: none"><b>casino bonus</b></div>[/htmlcode]

What means? How can I avoid this code writing?

Thanks

Probably means someone probably hacked your site. Where specifically did you find the code? (Not sure what you mean by "L Code field")

From reserved area -> Administration -> Blogs -> Modify (main blog)
The EDIT BLOG page will open, you can find L Code field at the bottom of the page.
How can I solve the problem? I already tried to delete the code but it still returns.

I believe you were hacked. Roll back to a clean backup, change all passwords, scan your PC for trojans and viruses.

Do you think trojan is on my computer? could it be an access from an third part?

amacbr, we can only guess :)
You should check EVERYTHING. You can have a virus/trojan on your PC, someone could have stolen your password(s), a server could be hacked.

Check access logs, this might give you some info.

I still have no idea what he means by the L-Code field but whatever it is the content (including the copy he posted in here) is spam. Can someone edit his post and take the link out?

Your site got hacked, either by someone guessing your passwords or someone getting at your database on the server. Are you on paid for hosting or running your own host?

I'm in hosting and I don't think the problem is in my computer, my pc have a good antivirus and it is constantly checked.

If something "keeps returning" I'd say it's pretty obvious that something is putting it back there. If you say you haven't gotten hacked then I'd ask your wife, girlfriend, kids, etc to stop putting the link there. (Yes, I'm sarcastic)

Truth be told, I believe you've been hacked. There are many ways to get around "good antivirus" so just because you have one and it runs often doesn't mean you haven't been hacked or you haven't gotten a virus.

If you're really into hosting nothing I'm writing here is news to you. You know already bypassing any security system is just a matter of time, knowledge and money, nothing else. Someone breaks a window and enters your house, you put bars on the windows. They get a ladder and climb to the top floor and get in there. You put bars there too they'll cut the bars off and get in. You put in an alarmsystem they figure out which one it is and how to disable it. You build a wall, they'll climb it. You put a guard outside they'll go in the back way. You put many guards outside they'll kill the guards. See? All this amounts to "security" but in reality, if someone wants in it doesn't matter that someone has a fortress (or a "good antivirus"), they'll get in if they want to. Just the way it is, but as I said, since you're into hosting you already know this.

Now for something that might help you actually, if what we're saying is true and you have got something running on your machine that's not supposed to be there, then do a text-search on ALL files (not just text files obviously) for that url on all your harddrives and see if anything pops up.

So have you checked your server logs to see if anyone has logged in? Have you checked the permissions on your folders? Checked for modified files or extra files (check in the mu plugins folder because anything in there will get executed silently).

Antivirus software will NOT find malicious php code, nor will it protect you against people logging in and changing your database.

I lost an entire PHPBB installation once on my home server because I'd just not tightened something down.

"The EDIT BLOG page will open, you can find L Code field at the bottom of the page."

Still have no idea what you mean. Is this code in one of the text boxes? Which one?

Also, antivirus software on your computer does absolutely NOTHING to lock down your website.

What version of MU are you running?

has anyone thought to tell this guy about earlier vulnerable versions where links are injected, just like this?

Check over your theme code too.

yeah, a screen shot from this guy with the problem and his wpmu version number might help

What version of WordPress are you using? I assume you're using WPMU, since you're posting to this forum and you mentioned the 'Edit Blog page', which I believe is WPMU-specific.

Just the same, there was a 'fake' wordpresz.org upgrade to 2.6.4 (note wordpresz.org, not wordpress.org!). There was no such thing as WordPress 2.6.4. They went from 2.6.3 to 2.6.5 just before WP 2.7 was released.

I wonder if it's possible there was some sort of Dashboard script injection.

Here's some info on WP 2.6.4:

• http://www.viper007bond.com/2008/11/07/there-is-no-such-thing-as-wordpress-264/
• http://wordpress.org/support/topic/214908?replies=34
• http://www.craigmurphy.com/blog/?p=874