I think my site has been hacked.

The IP responsible is 58.65.236.89.

All sorts of stupid crap is appearing in my WordPress pages. Please hold while we resolve the difficulty and beat up the people responsible.

UPDATE (2:39 AM): I think the damage has been undone. While for about thirty seconds I was panicked and a little flattered that I might finally have pissed off somebody important, it looks like it was just a script kiddie from Hong Kong. Now, I just need to see how it happened and how I can stop it from happening again.

UPDATE (3:29 AM): Well, the good news is, it doesn’t look like the problem is my fault. In fact, I’m rather expecting that every PHP and HTML file hosted on SiteGround has been tagged with two extra lines of code.

UPDATE (5:48 AM): A fair number of people seem to be finding this post by Googling for the IP address 58.65.236.89. I can only assume they’ve been having the same problems I was: lots of extra <script> tags and iframe stuff in the page source listings, tiny squares all over the place and other malfunctions. I found that two lines of script had been added to every PHP and HTML file on the sites I host on SiteGround, including a project which is currently in beta-testing and whose URL is not generally available. This makes me doubt that it’s a WordPress code-insertion vulnerability. I cleaned some of it up manually, removing the two lines (both beginning <script>document.write) and restored other chunks from my most recent backup.

Now, it’s up to SiteGround to prevent this from happening again.

UPDATE (3:11 PM): SiteGround is now saying that the problem was due to a “zero-day attack,” that is, one which occurred before a vendor patch for the exploit was released, that the exploit was in a “third-party script,” and that it has been resolved. Mmmm, OK.
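
A way to locate the injected lines described in the 5:48 AM update, as an added example that is not code from the original post: it flags lines beginning with <script>document.write in PHP and HTML files and can strip them after saving a copy of each file. The function names, the .htm extension, the .infected suffix and the sample files are assumptions made for illustration.

```python
import os
import shutil
import tempfile

MARKER = "<script>document.write"       # line prefix reported in the post
EXTENSIONS = (".php", ".html", ".htm")  # assumption: .htm is scanned as well

def scan_file(path):
    """Return [(line_number, text)]; latin-1 decodes any bytes without errors."""
    hits = []
    with open(path, encoding="latin-1", newline="") as fh:
        for number, line in enumerate(fh, start=1):
            if line.lstrip().startswith(MARKER):
                hits.append((number, line.rstrip("\r\n")))
    return hits

def scan_tree(root):
    """Map each PHP/HTML file under root to its flagged lines."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(folder, name)
                if hits := scan_file(path):
                    report[path] = hits
    return report

def clean_file(path):
    """Remove flagged lines after saving the original as path + '.infected'."""
    shutil.copy2(path, path + ".infected")  # keep a copy for later review
    with open(path, encoding="latin-1", newline="") as fh:
        lines = fh.readlines()
    kept = [l for l in lines if not l.lstrip().startswith(MARKER)]
    with open(path, "w", encoding="latin-1", newline="") as fh:
        fh.writelines(kept)
    return len(lines) - len(kept)

def demo():  # constructed sample site in a temp dir: scan, clean, rescan
    root = tempfile.mkdtemp()
    injected = MARKER + "('constructed placeholder');</script>\n"
    with open(os.path.join(root, "index.php"), "w", encoding="latin-1") as fh:
        fh.write("<?php echo 'hello'; ?>\n" + injected + injected)
    with open(os.path.join(root, "about.html"), "w", encoding="latin-1") as fh:
        fh.write("<html><body>clean page</body></html>\n")
    before = scan_tree(root)
    return before, sum(clean_file(p) for p in before), scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Review the scan report before cleaning, since a legitimate page can also begin a line with this prefix, and move the .infected copies off the web root once they have been examined.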

One Comment

  1. I blame Tom Cruise.