Just to make it clear, the malicious code are links to buy cialis, viagra and others, so you can check it out.
Moderator
James Huff
(@macmanx)
Volunteer Moderator
It looks like you fell victim to a hack that is injecting malicious code into all .php files (not just WordPress) under a few shared hosted providers.
Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.
I’m afraid I will need a little more than that.
I don’t seem to be able to find where the code is inserted, and I don’t have daily backup to recover from…
I changed security questions, passwords (users, ftp, DB) and contacted the host.
However I can’t find the piece of code creating those spam links…
Can anybody provide further details?
Thanks again
Very weird: I was looking for other pages where the links appeared, but could only find them on the search result pages OTHER than the 1st one.
I decided to remove the search widget and used the link I reported above (the one ending in /page/2/?s=[term] ) and the links are gone!
Anyway, if someone can give me some ideas I’d be glad.
I got carried away, it’s still all there 🙁
Moderator
James Huff
(@macmanx)
Volunteer Moderator
So, the detailed “My site was hacked” guide that I linked to, and the other guides that it links to (particularly Removing malware from a WordPress blog and How to clean your hacked install) offer no help in finding the malware on your hacked install?
No, not really. (sorry)
I looked at my folders trying to identify uploaded files, checked the .htaccess for weird lines, checked the dates of last modifications of my files…
The last link you mention seems to be the best, but only to those who can deal with those linux codes. I’m just a regular blogger!
If I had the backup it would be easier, just delete and restore. But that’s not an option ATM. (for the next time it will!)
Moderator
James Huff
(@macmanx)
Volunteer Moderator
You might want to contact your hosting provider, as they might have a pre-hack backup for your account.
I already did, but I don’t think there’s somebody there to answer support tickets at midnight…
I’ll check it back tomorrow.
Thanks a lot for your attention, macmanx.
Moderator
James Huff
(@macmanx)
Volunteer Moderator
You’re welcome!
Good luck with the backup! Most responsible hosting providers should at least keep weekly backups of all accounts.
Some new information, while I wait for the host to answer:
– I installed a fresh WP (3.0) on another domain, then restored the DB backup I just made then imported the WP backup and asked the importer to download all attachments.
– To this new install I uploaded my theme directory and activated current theme
The spam links do not appear to be there.
So I believe the code is not on DB nor theme files. It must be on WP files, am I right? Thinking so, I updated WP on the main site (to 3.0 – was using 2.9.2 before), but the spam links are still there.
Moderator
James Huff
(@macmanx)
Volunteer Moderator
No, the code won’t be in the database, just the files. As mentioned in the “My site was hacked” guide, downloading WordPress again and re-uploading the core files may resolve the issue.
