wordpress hacked – cannot find how hacked pages still appear
-
Hi guys,
This is a last resort post as I’ve tried all sorts to get rid of my hacked wordpress.
The first I knew about it was when google had blocked my site saying it had malicious downloads in there. Turns out there’s a link farm in the footer.
So, what I’ve done recently was to install the Arras theme and a twitter plugin.
What I’ve done to try and remove it:
– removed & deleted the Arras theme
– removed & deleted the twitter plugin
– disabled ALL plugins to see if that was the issue
– ensured ALL plugins and wordpress are the most recent versions
– scanned through server logs (couldn’t see anything out of the ordinary)
– checked last modified times of most of wordpress directories via FTP
– checked users (only one, my admin)
– checked the database (phpmyadmin) for abnormal text in posts (eg: LIKE %<iframe%)
– removed ALL widgets
I have done all the above and the code is STILL appearing. It seems to have a Javascript include in my header file which I guess is what’s responsible for injecting hundreds of hyperlinks to the footer? I have a line of JS as follows
<link rel='shortlink' href='http://wp.me/pZpJA-82' />
I cannot see HOW or WHERE that is getting inserted. I have tried using ALL the available themes and it’s still appearing on each. The site in question is http://www.mattfacer.com
I’m tearing my hair out here!! Thanks for any advice.
-
Some hacking resources that might help:
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
Yep – already been going through most of those sites. Other than a fresh install, I think I’ve tried everything! I can probably do a fresh install, but I’d rather get to the bottom of it. I have secure passwords, the correct permissions on folders etc…
Did you read the article at the last link?
Yes – probably the best one. I’ve trawled through the FTP folders for anything suspicious looking. I found a strange one which was a .ppt (powerpoint I believe) but I didn’t recognise it, so deleted it. I’ve also cleared out the theme folders which I don’t use. It’s really strange this. Only happened since I upgraded to WP 3.0.3 – could be pure coincidence though!
Ah wait, I found it. I was looking at an OLD version of wp-config. When I got the ACTUAL one on the server it did indeed have the EVAL( ) code in there. Blummin heck.
Thanks for the links 🙂
It probably was a coincidence. It’s also possible that the back door was elsewhere on the server. Do you still have the spam links in the footer?
nope – once I removed the EVAL code from the header, it got rid of them all. Unbelievable!
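The check that located the injected line in this thread, as an added example that is not part of the original posts: a Python sketch that scans the PHP files as they exist on the server for eval( calls and lists files that differ from an older local copy. The directory layout, sample files and base64 string are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# eval( fed directly by a decoder is the usual shape of an injected loader.
# A bare eval( is only marked for review, since legitimate code can use it.
HIGH = re.compile(
    r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
LOW = re.compile(r"\beval\s*\(", re.I)

def scan_tree(root):
    """Return sorted (relative path, line number, severity) for eval( hits in PHP files."""
    root, hits = Path(root), []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if HIGH.search(line):
                hits.append((rel, no, "high"))
            elif LOW.search(line):
                hits.append((rel, no, "review"))
    return sorted(hits)

def changed_files(live, reference):
    """Return PHP files in `live` that are missing from, or differ from, `reference`."""
    live, reference = Path(live), Path(reference)
    digest = lambda p: hashlib.sha256(p.read_bytes()).hexdigest()
    changed = []
    for path in live.rglob("*.php"):
        ref = reference / path.relative_to(live)
        if not ref.is_file() or digest(ref) != digest(path):
            changed.append(path.relative_to(live).as_posix())
    return sorted(changed)

def build_sample(base):
    """Constructed sample: an old local copy and a live copy whose wp-config.php gained a line."""
    clean = "<?php\ndefine('DB_NAME', 'example');\n"
    # Constructed, inert payload: the base64 decodes to the text PLACEHOLDER.
    injected = clean + "eval(base64_decode('UExBQ0VIT0xERVI='));\n"
    for name, config in (("local", clean), ("live", injected)):
        theme = Path(base) / name / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
        (Path(base) / name / "wp-config.php").write_text(config)
    return Path(base) / "live", Path(base) / "local"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        live, local = build_sample(tmp)
        print(scan_tree(local), scan_tree(live), changed_files(live, local))
```

Point `scan_tree` at a fresh download of the live site, not at a copy already on disk, since the old local copy in the sample scans clean.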