Beat diabetes) beatdiabetes.us footer link, hack activity (21 posts)

  1. Leeonard89
    Member
    Posted 8 months ago #

    Hello,
    I have a big problem: my site http://www.leonardomarra.it has two links at the bottom of my page that lead to beatdiabetes.us.

    I don't know the origin of the problem. I had installed a free Themify theme and modified the Powered By message.
    I had installed some plugins like "Facebook , twitter , google-new button", "Akismet", "LikeGate", "HelloDolly", "statpressVisitors", "Visitor Maps and Who's Online".

    I did a search on Google; a lot of other people have this issue.

    What can I do?

    Thanks,
    Leonardo M. from Italy

  2. Leeonard89
    Member
    Posted 8 months ago #

    Solved. I deactivated the "Facebook, twitter, google new button" plugin.

    What the hell, is the plugin hacked?

    Thanks,
    Leonardo M. from Italy

  3. junaid@pkteam.com
    Member
    Posted 8 months ago #

    I had the same issue at the webGate website. I tried deactivating installed plugins and found that "WP Facebook Fan Box Widget- easy" was doing this. Maybe they are hacked, I mean the plugin, or they are doing it on purpose, but anyway the links are gone from the footer.

    I thought this would help others to solve this.

  4. sthsgroup
    Member
    Posted 8 months ago #

    It happened to me too at http://www.sthsgroup.com. I edited the PHP of the plugin and at the end I deleted these few lines:

    add_action('wp_footer', 'cre');
    function cre(){
    echo '<style type="text/css">.hello </style>';
    echo '   <small class="hello">Beat diabetes</small>';
    echo '   <small class="hello">Diabetes diet</small>';
    }

    I saved and the links disappeared from the footer without removing the plugin.
    I hope it was useful to you.
    Sergio from Vicenza

  5. Can you provide a link to the plugin?

  6. sthsgroup
    Member
    Posted 8 months ago #

    Of course.

    Here is the link to the plugin: http://wordpress.org/extend/plugins/twitter-fb-like-google-1-and-fb-share/

    I had the same problem with another plugin: wp facebook fan box widget easy.
    You can find it here: http://wordpress.org/extend/plugins/wp-facebook-fan-box-widget-easy/

    I opened the PHP of the plugin before installing it on my site and I saw the same lines I specified in the previous post.

    I resolved it in the same way!

  7. OC2PS
    Member
    Posted 8 months ago #

    I had the same problem at http://www.hennalap.com after installing Facebook Fan Box and Twitter Fans plugins.

    So far I have just turned the display off for the class "hello" in my CSS.

    Would like to hear from others about this...

  8. OC2PS
    Member
    Posted 8 months ago #

  9. sthsgroup
    Member
    Posted 8 months ago #

    it is more than a common factor..

    if you unzip that plugin on your computer and open the .php with notepad you will see at the end of the file these lines:

    add_action('wp_footer', 'cre');
    function cre(){
    echo '<style type="text/css">.hello </style>';
    echo ' <small class="hello">Beat diabetes</small>';
    echo ' <small class="hello">Diabetes diet</small>';
    }

    these lines add to the footer the links to beat diabetes and diabetes diet..
    you have to delete these lines, upload the plugin with your ftp client and activate it.
    in this way it will work without problems.
    Sergio

  10. esmi
    Theme Diva & Forum Moderator
    Posted 8 months ago #

    Please contact plugins@wordpress.org about this plugin.

  11. Thanks, I just sent the email.

    I was going to suggest that 6 hours ago or so but got tied up in the real world. :)

  12. OC2PS
    Member
    Posted 8 months ago #

  13. kc_pix
    Member
    Posted 8 months ago #

    I posted my information as a reply - which the above post points to.

    I also sent the information about the "Category and RSS widget menu" plugin containing the 'Beat Diabetes' to the 'plugins@' email address shown above as well..

  14. NUTS. I've sent an updated email.

    This is the link to the diff for wp-delete-duplicate-posts from milos2306

    http://plugins.trac.wordpress.org/changeset/433012/wp-delete-duplicate-posts/trunk/wp-delete-duplicate-posts.php

    This is the link for the diff wp-fanbox-widget-easy from sisolm

    http://plugins.trac.wordpress.org/changeset/432857/wp-facebook-fan-box-widget-easy/trunk/facebook-fan-box-easy.php

    This is the link for twitter-fb-like-google-1-and-fb-share from milos2306

    http://plugins.trac.wordpress.org/changeset/433009/twitter-fb-like-google-1-and-fb-share/trunk/ftgshare.php

    There are probably other plugins either from the same author or using that author's SVN account credentials.

  15. Mark (podz)
    Support Maven
    Posted 8 months ago #

    Thanks everyone for the information.
    Plugins have been removed and we will be investigating further.

    Any other matters of concern please do send email to plugins@wordpress.org

  16. smbotans
    Member
    Posted 8 months ago #

    for me the offending plugin is WP RANDOM POST WIDGET

  17. Leeonard89
    Member
    Posted 8 months ago #

    Thank you guys.
    So we have a list of "infected" plugins.
    If you haven't already installed those plugins you have to take action A;
    if you already installed those plugins you have to take action B.
    So:

    Infected/offending plugin list:
    WP RANDOM POST WIDGET
    twitter-fb-like-google-1-and-fb-share
    wp-fanbox-widget-easy
    wp-delete-duplicate-posts
    http://wordpress.org/support/topic/the-plugin-wp-delete-duplicate-posts-puts-beatdiabetesus-link-in-the-footer?replies=2

    Please report all newly found infected plugins to plugins@wordpress.org, as suggested by the user esmi.

    Action A (thanks to Sergio)
    edited the PHP of the plugin and at the end I deleted these few lines:
    `add_action('wp_footer', 'cre');
    function cre(){
    echo '<style type="text/css">.hello </style>';
    echo ' <small class="hello">Beat diabetes</small>';
    echo ' <small class="hello">Diabetes diet</small>';
    }`

    if saved, the links will disappear from the footer without removing the plugin.

    Action B (thanks to Sergio)
    if you unzip that plugin on your computer and open the .php with notepad you will see at the end of the file these lines:

    add_action('wp_footer', 'cre');
     function cre(){
     echo '<style type="text/css">.hello </style>';
     echo ' <small class="hello">Beat diabetes</small>';
     echo ' <small class="hello">Diabetes diet</small>';
     }

    these lines add to the footer the links to beat diabetes and diabetes diet..
    you have to delete these lines, upload the plugin with your ftp client and activate it.
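
The manual check described in this thread (open the plugin's PHP and look for a `wp_footer` hook whose callback prints links) can be automated before a plugin is activated. The following is an added example, not code from the thread or from WordPress; the function names, the `allowed_hosts` parameter and the sample string are assumptions made for illustration, and the brace matching is deliberately simple (it does not understand braces inside PHP strings).

```python
import os
import re
from urllib.parse import urlsplit

HOOK_RE = re.compile(r"""add_action\(\s*['"]wp_footer['"]\s*,\s*['"](\w+)['"]""")
HREF_RE = re.compile(r"""href\s*=\s*\\?["'](https?://[^"'\\\s>]+)""", re.I)

def function_body(source, name):
    """Text between the braces of `function name(...)`; naive brace counting."""
    m = re.search(r"function\s+%s\s*\([^)]*\)\s*\{" % re.escape(name), source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]

def find_footer_injections(source, allowed_hosts=()):
    """Return [(callback, [urls])] for wp_footer callbacks that print off-site links."""
    findings = []
    for callback in HOOK_RE.findall(source):
        body = function_body(source, callback) or ""
        urls = [u for u in HREF_RE.findall(body)
                if urlsplit(u).hostname not in allowed_hosts]
        if urls:
            findings.append((callback, urls))
    return findings

def scan_plugins(root, allowed_hosts=()):
    """Walk a plugins directory and map each flagged .php path to its findings."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for path in (os.path.join(folder, f) for f in files if f.endswith(".php")):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_footer_injections(fh.read(), allowed_hosts)
            if hits:
                report[path] = hits
    return report

# Constructed sample: a plugin tail carrying the hook as it appears in the thread's changeset.
SAMPLE_INFECTED = r"""<?php
add_action('wp_footer', 'cre');
function cre(){
echo '   <small class="hello"><a href="http://beatdiabetes.us/">Beat diabetes</a></small>';
echo '   <small class="hello"><a href="http://beatdiabetes.us/category/diabetes-diet/">Diabetes diet</a></small>';
}
?>"""
```

Pass your own site's hostname in `allowed_hosts` so that plugins which legitimately print a link back to the site in the footer are not flagged.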

  18. OC2PS
    Member
    Posted 8 months ago #

    Mark, is anyone investigating what caused the infection, whether this is intentional from plugin authors, etc? Because fixes/patches will probably be lost when plugins are updated...

  19. smbotans
    Member
    Posted 8 months ago #

    that is an excellent question which i was asking myself and which needs to be addressed

  20. Mark (podz)
    Support Maven
    Posted 8 months ago #

    It was looked into and so far it looks like one user who has since complained about their plugins being removed.

    If you want to report a plugin you MUST send the full url to plugins@wordpress.org. Names aren't good enough because so many plugins have very similar names.

    http://wordpress.org/extend/plugins/wp-random-posts-widget/ looks okay and there is no "WP RANDOM POST WIDGET".

  21. Mark,

    The http://wordpress.org/extend/plugins/wp-random-posts-widget/ is a very good example. It was there but now it's cleaned up.

    When you look at the diff of the earlier revision you get this output.

    http://plugins.trac.wordpress.org/changeset/432971/wp-random-posts-widget/trunk/wprandompostwidget.php

    wp-random-posts-widget/trunk/wprandompostwidget.php
    r431177	 r432971
    214	214	// Delay plugin execution to ensure Dynamic Sidebar has a chance to load first
    215	215	add_action('widgets_init', 'widget_ara_randomposts_init');
    216
     	216	 add_action('wp_footer', 'cre');
     	217	function cre(){
     	218	echo '<style type="text/css">.hello </style>';
     	219	echo '   <small class="hello"><a href="http://beatdiabetes.us/">Beat diabetes</a></small>';
     	220	echo '   <small class="hello"><a href="http://beatdiabetes.us/category/diabetes-diet/">Diabetes diet</a></small>';
     	221	}
    217	222	?>
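
    Review bot: The `wp_footer` hook and `cre()` callback added at new lines 216-221 print two hardcoded links to beatdiabetes.us into the footer of every page, which has nothing to do with the widget initialisation on line 215, so the whole addition should be dropped rather than merged. Two smaller points in the same lines: `cre` is an unprefixed global function name that can collide with other plugins, and the `.hello` style rule shown here has no declarations, so it is worth checking the raw file for what that rule actually contains.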

    The account for this plugin is furlan365 so either SVN got hacked or one user is logging in with multiple SVN accounts. Or someone is cleaning the spam up.

    Edit: Shooting off an email as I'm not sure this is the most effective place to discuss this.
