WordPress.org

Ready to get started?Download WordPress

Forums

Can't remove "hacked" Link from sidebar (21 posts)

  1. Generalvivi
    Member
    Posted 5 years ago #

    The other day i was checking out my blog and I expanded the "links" section on the side to find a link that I had not put there myself. It says "Cheap Web Hosting" and for the life of me I can't remove it! I deleted it from the links section from my wp-admin and it just pops up 1 second later! I just recently updated and thought that might help fix it but it hasn't!

    Can someone please shed some light for me! I don't want this on my site!

    (steps to repro)
    1. go to http://www.chellslegend.com/blog
    2. Expand the "links" section on the left side by hitting the plus sign
    3. notice the "Cheap web hosting" link at the bottom.

    Someone please help!

  2. RoseCitySister
    Member
    Posted 5 years ago #

    I don't speak JavaScript well, but there's this in your footer:

    <script type="text/javascript">
    st_go({blog:'5231472',v:'ext',post:'0'});
    var load_cmc = function(){linktracker_init(5231472,0,2);};
    if ( typeof addLoadEvent != 'undefined' ) addLoadEvent(load_cmc);
    else load_cmc();
    
    </script>

    Maybe that could be the problem?

  3. Generalvivi
    Member
    Posted 5 years ago #

    I looked in my "footer.php" and didn't see this (I dled it from my server and didn't see it in the file)

  4. s_ha_dum
    Member
    Posted 5 years ago #

    Looks like that code is loaded by WP-Stats Wp-Stats so it probably isn't the source of your problem.

    I'd start by disabling all of my plugins just to see if one of them is creating that link.

    Also, you are not hosted at Open Blu Host are you?

  5. Generalvivi
    Member
    Posted 5 years ago #

    I turned off all the plug-ins and it deleted the link and it still came back... : /

    the only plug-ins I have are the next-gen gallery and wordpress stats.

    I am also not hosted by "Open Blue Host"

  6. Generalvivi
    Member
    Posted 5 years ago #

    It appears that I can hide the link..... but I really want it gone.. I don't like the idea that someone can put links on my site without my permission...

  7. s_ha_dum
    Member
    Posted 5 years ago #

    When you say that 'I turned off all the plug-ins and it deleted the link and it still came back' what do you mean? Your sentence is a little confusing. Do you mean that when you turned off the plugins the link disappeared? And then when you turned the plugins back on the link came back as well? If that is the case then the link is being inserted by one of those plugins. Turn them off one at a time and see which one it is. When you find out which it is download a fresh copy from somewhere reliable, like the WP Plugin Directory. It is possible that you have a hacked version of one of the plugins. It would be trivially easy to edit a plugin then put it back online for download.

    If that is not what you mean then I'm not sure how to interpret your sentence.

    It is also possible that the link is being inserted by a Theme. Take a look in /wp-content/themes/<your-theme-name>/functions.php and search for that spurious link.

  8. s_ha_dum
    Member
    Posted 5 years ago #

    Hmmm... how can you hide the link? CSS?

  9. Generalvivi
    Member
    Posted 5 years ago #

    Sorry a typo ! I ment that "I" deleted it , not "IT" deleted it. Also in wordpress you can keep links private so i just hit the "set link private" button and it doesn't show up on the main page. BuT! I still need to figure out how to remove it from my site!. (it didn't seem to be any plug-in) and this theme I'm using doesn't have a "functions.php" : /

  10. Please list your plugins.

    I checked the theme (mental_disorder) and it doesn't seem to be there unless it's hidden in a wacky place or encrypted.

    If it was a rogue user adding this in, they'd know to un-private the link, so that's unlikely, but I'd check for sneaky people with Admin access anyway.

  11. Generalvivi
    Member
    Posted 5 years ago #

    I am the only person with admin access to my blog. I keep getting the feeling its just apart of some spam bot thing that goes around and checks for certain weaknesses in peoples sites and then exploits them..... I would love to just find out what's going on .... I sadly don't know enough about websites to solve this...

  12. s_ha_dum
    Member
    Posted 5 years ago #

    So you can find the link in the WordPress Link manager but can't delete it? At least you can't delete for very long before it comes back? That's interesting.

    If it isn't the plugins and it isn't the theme then maybe you've got a corrupted install, somehow. Has anyone ever had access to your code? Maybe someone installed it for you or something? Is this a clean install or did you copy it from some other site?

    Meanwhile, do you have any way to search your entire installation for keywords? Something like 'grep' maybe? Any *nix OS likely has this function including OS X. For Windows you'll need something third party like maybe Wingrep though I've never used it. If I were in your shoes I'd grep the whole installation-- something like grep -Rn 'openbluhost.com' * ran from top level WP directory. I don't mean to over complicate things but something is inserting that link and if it isn't the plugins and it isn't the theme you are going to need to cast a much wider net.

  13. apljdi's right, there. Here are your options:

    1. Someone cracked your admin account (unlikely, other changes would have been made as well)
    2. Your theme has a hidden encrypted bit that puts this in (unlikely, as the theme doesn't seem to have any of that)
    3. A plugin or other feature you added on is doing this (unkown, as we don't know what your plugins are, seriously, man, just list 'em. It doesn't hurt.)
    4. Whom/Whatever installed your WP slipped this in.

    Who's your webhost?
    How did you install WP?
    What plugins do you have?

  14. GrandSlambert
    Member
    Posted 5 years ago #

    Guys, go back and read. He DID list his plugins:

    the only plug-ins I have are the next-gen gallery and wordpress stats.

    Neither of these should be installing that link, so my thought is there is a hacked copy of a wordpress file somewhere. Download a new, fresh copy from wordpress.org and extract it into your site overwriting any files that are there. Also, look at all of the files included in the archive and see if there are any extra files in your install, especially in the root, wp-admin and wp-content folders. Any extra files that you did not personally add should be removed.

    If all else fails, take some time in the evening and back up your database, dump everything, the site, the db, everything, and do a clean install. This is a drastic measure, but unless you can identify exactly which script is adding the link, it may be your last resort.

  15. s_ha_dum
    Member
    Posted 5 years ago #

    'grandslambert' might be suggesting one of the only real options you have, Generalvivi, if you can't find the code that inserting this link. I'd further suggest, though, that overwriting might not be enough. You can still end up with old and potentially compromised files on the server if you depend on overwrites. I'd say delete whole directories, then install the new files. (Why Delete? Generally, it is a good idea to delete whatever is possible because the uploading (or upgrading through cPanel) process may not correctly overwrite an existing file and that may cause problems later.) Of course, all this pain means nothing if you re-upload hacked plugin or hacked theme files so make absolutely sure you have clean copies of those too.

    You might try changing all of your passwords including the mysql DB password (if you can), and see if that helps. Definitely change the passwords if you reinstall.

  16. zelphi
    Member
    Posted 5 years ago #

    I am having this same issue with the latest release of word-press. After my upgrade a link appeared in my links and despite deleting it dozens of times it keeps coming back. I can't find anywhere in the installation code that would cause this to happen. It's not my theme, not my plug-ins. I've wiped everything and completely re-installed the new version of wordpress and the same thing is happening.

    You go into links, delete the offending link, and as soon as you update any part of the blog the offending link is back.

    I have no idea what to do now.

  17. whooami
    Member
    Posted 5 years ago #

    zelphi, after your upgrade from what version? I'm happy to help, off the list, if you like. if so, e-mail me, whoo ((at)) village-idiot.org and we can talk.

  18. basnyd
    Member
    Posted 5 years ago #

    Hi -

    A friend of mine had the same issue. It was tied to the theme. If I switched the them to one of the ones that came with WP, the link would stay removed after I deleted it. If I moved back to the custom theme my friend created (based on another theme), the unwanted link came back.

    I then looked in the theme files and found a line that began --

    <?php eval(base64_decode('with_a_lot_characters_in_between_')); ?>

    in the header.php file.

    So far I have deleted that line and the link hasn't come back. Knock on wood.

    HTH,
    Barb

  19. figaro
    Member
    Posted 5 years ago #

    @basnyd: If that was in the header.php file, I'll bet it's in lots of other files on your account as well...you may want to take a look. It's usually the first link in the file. That was a pretty ugly hack that impacted literally thousands of sites...and not just WordPress sites.

  20. Neil
    Member
    Posted 5 years ago #

    Hi,

    I got the same problem for a while and I tried everything before coming across this post.

    @basnyd: Removing that code in the header.php file really helped delete that silly link.

    By the way it is a long code with hundreds of numbers and letters, easy to spot and @figaro: I checked all the files and couldn't see anymore of that code.

    Thanks a lot.

  21. emoncao
    Member
    Posted 4 years ago #

    Thank you! You saved my life!!

    Looked all over the internet for the solution and only found it here...

    THANKS THANKS THANKS!!

Topic Closed

This topic has been closed to new replies.

About this Topic