Site hacked: Need help finding how link farm added to footer (18 posts)

  1. tshirtfiend
    Member
    Posted 1 month ago #

    My company's blog was hacked, with a link farm added to the footer. This appears to be a hack to the theme files, as it is code that I can see if I edit my footer.php file. Deleting the links just causes them to re-appear in a day or so though.

    I've tried a few things to remove the hack, to no avail. I'm at the point where I believe my only option is to re-install WordPress (keeping the database).

    It just bothers me that I don't know where the link farm code is coming from though. I don't want to miss something, as I've never been able to find the code which generates the links.

    Can anybody suggest somewhere to look that I may not have tried?

    Here's a link to the site, if that helps:
    http://www.alphabetarm.com/thebloggery/

  2. songdogtech
    Member
    Posted 1 month ago #

    Everything you need to know to recover and reinstall is here: http://wordpress.org/support/topic/307660?replies=1

  3. bottleneck
    Member
    Posted 1 month ago #

    yeah, it looks ugly.

    Check this similar problem, the guy just finished cleaning his blog.

    Hacked: I can't find these Spam links anywhere? Plus more spam advice?

  4. tshirtfiend
    Member
    Posted 1 month ago #

    Ok, thanks. I'm not seeing any of those "base64", "forex" or "eval" bits that people point to as the usual culprit.

    Starting from scratch is a pain, but I can handle it. It's mostly that I just don't know what the source of the problem is. If there's a back door that has been created by the hacker, for instance, I want to make sure it'll be removed when I'm reinstalling.

  5. songdogtech
    Member
    Posted 1 month ago #

    If you clean your DB and make sure there are no other admin accounts and change all passwords related to the site, you can close many potential backdoors, as shown here.

    Talk to your host, too, esp. if you're on shared hosting. They may have seen/know more and know where the access is coming from.

  6. tshirtfiend
    Member
    Posted 1 month ago #

    So I went through ALL of the steps on the WP Smackdown site, as directed. No luck. Still the same problem.

    Anybody have an idea what I'm missing? My host is blaming WP, so I don't think that there's much that I can do there.

  7. RVoodoo
    Member
    Posted 1 month ago #

    yeah....I just had footer links show up again. I'm truly stumped. I've done absolutely everything, and still I get the spam links.

  8. tshirtfiend
    Member
    Posted 1 month ago #

    Did you go through the steps as suggested? Or are you just getting started?

  9. RVoodoo
    Member
    Posted 1 month ago #

    My thread is the one referenced by bottleneck in the 3rd post in this topic.

    I've done some serious cleaning/rebuilding already.

  10. faevilangel
    Member
    Posted 1 month ago #

    post your footer.php code as it may be grabbing data from somewhere

  11. RVoodoo
    Member
    Posted 1 month ago #

    My footer is definitely not pulling data from anywhere, I checked the code and once I remove the spam, it's clean. (I wrote the theme...).

    (I can post the code if it's necessary....but it's a simple footer)

  12. bottleneck
    Member
    Posted 1 month ago #

    could you rename your footer.php as footer_new_name.php whatever in your theme and make sure the same in general-template.php (wp-includes folder)?

    If that malicious script aims at your footer.php let it shoot in the void.

    Sorry, if that advice is sort of naive, just trying to help...

  13. RVoodoo
    Member
    Posted 1 month ago #

    well....anytime you change anything in the wp-includes folder, you will lose the change with every upgrade.....

  14. bottleneck
    Member
    Posted 1 month ago #

    i will remind you :))

  15. RVoodoo
    Member
    Posted 1 month ago #

    that'd be awesome!

    I just really want to know where the links are coming from.... I'm waiting on a reply about logs & stuff from my host...but it's so annoying....

  16. samboll
    moderator
    Posted 1 month ago #

    download the database .sql dump
    open it with notepad and search for the links or code used in the footer

  17. RVoodoo
    Member
    Posted 1 month ago #

    yeah, I did that too

    I actually dumped all my WP installs, along with my SMF site since it had been compromised in the past. I searched them for a variety of things (base64, decode, forex, etc) plus scanned through the rather giant files looking for batches of stuff. I'm really fairly sure I got everything.

    I also scan through everything fairly regularly now, as I reinstalled or edited everything, so I can tell if any timestamps have changed.......

  18. bottleneck
    Member
    Posted 1 month ago #

    you have nothing to lose, do you?

    I modified my proposal. Leave your footer.php as is but activate footer_new_name.php just as I wrote earlier.

    Even when your footer.php eventually becomes infected again, it won't show in your page's code. But this could give you some useful input.

    Do you follow me so far? ( oops, but enough about Twitter :)
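
Added example, not part of any post in this thread: the thread relies on timestamps and keyword searches to spot re-infection, so this sketch records a SHA-256 manifest of the install right after a clean reinstall and diffs it later, which shows which files were added or changed even when a file's modification time has not moved. The directory layout, file names and link in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (relative path, '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def diff(baseline, current):
    """Compare two manifests; a changed hash counts even if the mtime did not move."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed sample tree standing in for a WordPress install."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "mytheme")
        os.makedirs(theme)
        footer = os.path.join(theme, "footer.php")
        with open(footer, "w") as fh:
            fh.write("<?php wp_footer(); ?>\n</body>\n</html>\n")
        before = os.stat(footer)
        baseline = snapshot(root)  # taken right after a clean reinstall
        # Constructed change: links appended to the footer, original mtime put
        # back, and one file that was not part of the clean install.
        with open(footer, "a") as fh:
            fh.write('<a href="http://spam.example/">constructed link</a>\n')
        os.utime(footer, ns=(before.st_atime_ns, before.st_mtime_ns))
        with open(os.path.join(root, "wp-content", "unexpected.php"), "w") as fh:
            fh.write("<?php // constructed placeholder ?>\n")
        mtime_unchanged = os.stat(footer).st_mtime_ns == before.st_mtime_ns
        return diff(baseline, snapshot(root)), mtime_unchanged
```

Keep the baseline manifest somewhere the web server account cannot write to, and run the comparison against the whole install (core, plugins, uploads), not only the theme folder.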
