
[closed] A new spam hack - including on wordpress.org (13 posts)

  1. sumsuman
    Member
    Posted 1 year ago #

    Hi,
    I found that my website was hacked!
    It starts on the HTML body with javascript function xViewState()
    and follows with a lot of invisible spammy links wrapped with <p class="nemonn">. (can be seen only through view source)

    The thing is - I found it on wordpress.org as well!!
    I just removed it through the code editor so it doesn't appear anymore. If you google the line above you will find it on more websites built on wordpress, for example.
    wordpress.org/support/topic/theme-meeta-how-to-remove-popular-posts-tags-in-header?replies=11

    I have no idea when this code was injected. I have the latest version of wordpress, yet I have waited a bit before upgrading to it (couple of weeks)

    Does anybody know what it is and how it got to the system?
    Thanks in advance!

    UPDATE: it seems not to be the first time. It was also reported on August 2012 for Joomla:
    http://forum.joomla.org/viewtopic.php?f=621&t=754466

  2. sumsuman
    Member
    Posted 1 year ago #

    I didn't mention that I found it on header.php on my theme directory.

  3. blogical
    Member
    Posted 1 year ago #

    I also found this code in a client's header page from a custom theme.

  4. willt87
    Member
    Posted 1 year ago #

    This is what I have found out about "nemonn"

    Just removing the obfuscated javascript from the header will not work permanently.

    There will be an additional base64 coded file elsewhere (the backdoor) - and possibly more than one. They seem to be located in the core wp-admin directory and are randomly named but seem to follow the update-randomname-randomname.php taxonomy.

    Just updating / reinstalling WordPress from the admin won't remove this file.

    Additionally you should follow guidance given elsewhere for changing ALL passwords (FTP, database and WordPress admins) and follow instructions for Hardening WordPress.

  5. tangoev
    Member
    Posted 1 year ago #

    I also just found this script in two WP installations that both used the same Template. The Header file in each was hacked with the nemonn code.

    Now removed from the header. All passwords now changed and looking at Hardening.

  6. sumsuman
    Member
    Posted 1 year ago #

    I found a base64 code, under the name update-frazer-importance.php, under /wp-admin/includes

    Antivirus detected the file as PHP/Kryptik.AB trojan.

    I understand now the reason why I did not find it on Twenty-Eleven themes - since I updated those themes regularly, the infected header.php was probably replaced in the new version.

  7. sumsuman
    Member
    Posted 1 year ago #

    My sites were hacked again in the same way... Now a new form, with a changing class (not necessarily "nemonn"). Spammy code block now starts with:
    <script language="JavaScript">function xtrackPageview
    followed by regex and then a spammy link.

    Again, only custom themes' header.php was hacked, not TwentyEleven themes.

    First time after my sites were hacked I moved to secure FTP connection. That wasn't the reason apparently, now I am taking extra security measures. We'll see.

  8. WPyogi
    Volunteer Moderator
    Posted 1 year ago #

  9. sumsuman
    Member
    Posted 1 year ago #

    Thank you for the links, didn't know all of them.

    Unfortunately I have no possibility of changing the theme. I have to keep trying, and eventually contact the theme creator, but this is only after I have checked my own server. Perhaps it is Godaddy shared hosting that is creating the vulnerability.

    I am still curious how come only non-wp themes were hacked, though.

  10. WPyogi
    Volunteer Moderator
    Posted 1 year ago #

    From what we have seen here, yes, GoDaddy servers have been hacked recently. You should check with them if you have further questions about your site. Those themes were likely not coded correctly or perhaps are using insecure plugins -- which is why we recommend only using themes that meet WP standards and always update your WP, themes and plugins as soon as possible.

    If it is, in fact, your theme that has a security issue, you might rethink using it:

    http://www.chipbennett.net/2010/12/10/only-download-wordpress-themes-from-trusted-sources/

  11. cbede
    Member
    Posted 1 year ago #

    Same here. Using WP version 3.5.1 with a custom theme (from a trusted source) on Godaddy.

    Installed Plugins include... (not saying any of these are at fault)

    AdRotate
    Akismet
    Easy Contact
    Hello Dolly
    Jetpack by WordPress.com
    W3 Total Cache
    Widget Logic
    WordPress Importer
    WP-PageNavi
    Yoast Breadcrumbs

    Aside from the modified header.php file, the one suspicious file I found is named wp-comments-get.php in the base directory. It's 871 bytes and has mostly lines of code that look like this...

    [Spam code removed - please do not post that here]

    To start with, I plan on cleaning the spammy stuff from the header.php file and deleting the file named wp-comments-get.php. Then, I suppose I'll delete most of those plug-ins and keep a sharp eye out for any re-occurrences.

  12. SteveAx
    Member
    Posted 1 year ago #

    I have several WP installs on my GoDaddy shared hosting that have been having this issue for a few months now. I am using themes that I generate with Artisteer.

    Always in the theme header (or a similar hack always in the theme functions.php) file. Never in the twenty-whatever themes.

    The really strange thing to me is that the header.php (or functions.php) file timestamp of when it was last changed doesn't change... the hacked code just appears in the file... I don't understand this.

    Is this a GoDaddy issue? One of the plug-ins? Artisteer themes?

    Thoughts?
    Steve
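
Pulling the indicators from this thread together (willt87's randomly named update-*-*.php files under wp-admin, sumsuman's xViewState / nemonn and xtrackPageview markers in header.php, cbede's wp-comments-get.php in the web root, and SteveAx's point that the file timestamp never seemed to change), here is an added example scanner. It is not code from the thread or from WordPress. It builds a constructed mini install under a temp directory that shows those symptoms, so every file name, file body and the spam.example link in it are invented stand-ins; the "reference" hash manifest stands in for hashes you would compute from a fresh download of the same WordPress version. It assumes a Linux-style st_ctime (inode change time), which a backdated mtime cannot hide.

```python
# Added example (not from the thread or WordPress): scan an install for the indicators the
# posters describe, run here against a constructed sample site. Assumes Linux-style st_ctime.
import base64
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path

# Content indicators: marker strings the posters saw in injected header.php files, plus the
# eval/base64_decode pair their backdoor files used. Every regex in a list must match.
CONTENT_PATTERNS = {
    "marker:xViewState": [r"function\s+xViewState\b"],
    "marker:xtrackPageview": [r"function\s+xtrackPageview\b"],
    "marker:nemonn": [r'class="nemonn"'],
    "code:eval+base64_decode": [r"\beval\s*\(", r"\bbase64_decode\s*\("],
}
COMPILED = {reason: [re.compile(p) for p in pats] for reason, pats in CONTENT_PATTERNS.items()}

# Name indicators: update-<word>-<word>.php anywhere under wp-admin (core's own update-core.php
# has only one hyphenated part, so two are required) and wp-comments-get.php in the web root.
NAME_PATTERNS = {
    "name:update-random-random.php under wp-admin": re.compile(r"^wp-admin/(?:[^/]+/)*update-[a-z]+-[a-z]+\.php$"),
    "name:wp-comments-get.php in web root": re.compile(r"^wp-comments-get\.php$"),
}

BACKDATE_THRESHOLD = 24 * 3600  # ctime this much newer than mtime suggests a backdated mtime


def scan_site(root, reference_hashes):
    """Return (relative_path, reason) pairs for every .php file that trips an indicator.

    reference_hashes maps core paths (wp-admin/..., wp-includes/...) to the sha256 of a clean
    copy of the same WordPress version; core files missing from the manifest are reported too.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="ignore")
        for reason, pats in COMPILED.items():
            if all(p.search(text) for p in pats):
                findings.append((rel, reason))
        for reason, pat in NAME_PATTERNS.items():
            if pat.match(rel):
                findings.append((rel, reason))
        if rel in reference_hashes:
            if hashlib.sha256(path.read_bytes()).hexdigest() != reference_hashes[rel]:
                findings.append((rel, "hash:differs from clean reference"))
        elif rel.startswith(("wp-admin/", "wp-includes/")):
            findings.append((rel, "hash:not in clean reference manifest"))
        # SteveAx's observation: mtime looked untouched. mtime can be set to anything, but the
        # inode change time (st_ctime on Linux) moves whenever the file is rewritten.
        # chmod/chown/rename move it too, so treat this as a lead, not proof.
        st = path.stat()
        if st.st_ctime - st.st_mtime > BACKDATE_THRESHOLD:
            findings.append((rel, "time:ctime much newer than mtime (possibly backdated)"))
    return findings


def reasons_for(findings, rel):
    return {reason for path, reason in findings if path == rel}


def build_sample_site(root=None):
    """Write a constructed mini install showing the thread's symptoms; returns (root, manifest)."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="wp-sample-"))
    clean_files = {  # invented stand-ins for real files
        "wp-admin/includes/file.php": "<?php\nfunction core_stub() { return 1; }\n",
        "wp-content/themes/twentyeleven/header.php": "<!DOCTYPE html>\n<html><body>\n",
        "wp-content/themes/custom/header.php": "<!DOCTYPE html>\n<html><body>\n",
    }
    for rel, text in clean_files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text, encoding="utf-8")
    # Known-good core hashes, as you would compute from a fresh download of the same version.
    manifest = {rel: hashlib.sha256(text.encode()).hexdigest()
                for rel, text in clean_files.items() if rel.startswith("wp-admin/")}
    # Symptom: the custom theme header gains the script and hidden links; twentyeleven stays clean.
    hdr = root / "wp-content/themes/custom/header.php"
    hdr.write_text(hdr.read_text(encoding="utf-8")
                   + '<script language="JavaScript">function xViewState(){}</script>\n'
                   + '<p class="nemonn"><a href="http://spam.example/">constructed link</a></p>\n',
                   encoding="utf-8")
    year_ago = time.time() - 365 * 86400  # backdate mtime; ctime still records the rewrite
    os.utime(hdr, (year_ago, year_ago))
    # Symptom: randomly named update-*-*.php under wp-admin/includes wrapping base64 code.
    payload = base64.b64encode(b"echo 'constructed sample';").decode()
    (root / "wp-admin/includes/update-alpha-beta.php").write_text(
        f'<?php eval(base64_decode("{payload}"));\n', encoding="utf-8")
    # Symptom: wp-comments-get.php dropped in the web root.
    (root / "wp-comments-get.php").write_text(
        "<?php $c = base64_decode('Zm9v'); eval($c);\n", encoding="utf-8")
    # Symptom: a core file edited in place, caught only by the hash manifest.
    core = root / "wp-admin/includes/file.php"
    core.write_text(core.read_text(encoding="utf-8") + "// appended\n", encoding="utf-8")
    return root, manifest


if __name__ == "__main__":
    site, manifest = build_sample_site()
    for rel, reason in scan_site(site, manifest):
        print(f"{reason:52} {rel}")
```

Run it as-is to see the constructed site's findings, or call scan_site() on a real install root with a manifest hashed from a clean copy of the same version. The marker and name patterns only catch the variants this thread reports (the class name already changed once between sumsuman's posts), so the hash comparison against a clean copy is the check to trust; the timestamp finding is a pointer for the eventual root-cause investigation, and the credential rotation and hardening steps willt87 gives still apply once the files are cleaned.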

  13. esmi
    Forum Moderator
    Posted 1 year ago #

    @SteveAx: As per the Forum Welcome, please post your own topic. Posting in an existing topic prevents us from being able to track issues by topic. Added to which, your problem - despite any similarity in symptoms - is likely to be completely different.

Topic Closed

This topic has been closed to new replies.
