WordPress.org


Forums

[resolved] Crazy Keywords - WordPress Hack!? (11 posts)

  1. rufusbabe
    Member
    Posted 2 years ago #

    I'm having a major fight with one of my client's WordPress websites. It's only been live for about 2 weeks and already hacked! :(

    http://www.icsolutions.com.au is the website
    If you look at the source code there is a div being pulled from who knows where - <div style="display:none"> with a whole heap of dodgy keywords and links.

    Can anyone tell me how to figure out where this is coming from? I have no idea where to start. I've reinstalled a fresh copy of the theme I'm using and it's clean and I've deactivated all my plugins and the malicious code remains... HELP!

  2. Check your plugins. Which ones are you using?

    At a guess, are you using http://www.wordpressconnect.net/wordpress-database-backup-plugin/ ?

  3. rufusbabe
    Member
    Posted 2 years ago #

    Hmm no, I don't have any database backup plugins installed...
    Plugins I currently have installed -
    - Akismet
    - Be-It Facebook SideTab (I have this installed on other clients' sites with no problems)
    - Contact Form 7
    - Contact Form 7 widget
    - Exploit Scanner
    - Hello Dolly
    - Really Simple CAPTCHA
    - SK Testimonials
    - Social Media Tabs
    - TAC (Theme Authenticity Checker)
    - Theme-Check
    - WordPress Importer
    - WordPress Sentinel
    - WordPress SEO

    A few of the scanners/theme checkers I've just installed to try and figure out what's going on. Do any of the other ones look dodgy?

  4. The plugins all check out fine.

    Epsilon is a ThemeForest theme so I can't look at it. Check the functions.php file in that theme. See if anything is hidden in base64() or if it's totally obvious calls to care2.com.

  5. michael.mariart
    Member
    Posted 2 years ago #

    Another thing to check (I've used a few ThemeForest themes that have this...) is to check in the theme's files and see if there's a file called timthumb.php or thumbs.php. It doesn't have to be in the main directory; I've seen them hidden a few directories down sometimes.

    If you find that, open the file and check that it's a script called TimThumb. If it is, I'd be almost certain that's your problem. So far I've had to "clean" this out of 7 sites because it was allowing these sorts of hacks to be injected into the sites.

  6. rufusbabe
    Member
    Posted 2 years ago #

    Thanks Ipstenu. Since my last post I realised my PC had been infected with Trojans and other bad things that record keystrokes and passwords. It looks like this may have been the cause. I checked the functions.php file but can't see anything obvious (no base or calls to care2.com). I suppose my next step is to totally reload my theme...

    Hmm, yes I have read that timthumb has major security issues. I'll look into this. Thank you!

    I still have no clue how to find the source of this code though!! :(

  7. rufusbabe
    Member
    Posted 2 years ago #

    UPDATE
    I decided to check and see if the malicious code was in the theme or content. So, I switched to twenty eleven theme and deleted my theme (epsilon). Code disappeared! YAY!!

    I then reloaded a clean, shiny & new epsilon theme, activated and uh oh... code is back!! WTF!!?? I don't understand!! I loaded exactly the same theme files onto a test hosting I have and no malicious code came up!

    So the code is in the content...?? :( argh! not cool! I have no idea where to go now!

  8. esmi
    Forum Moderator
    Posted 2 years ago #

    No - the problem is in the theme.

  9. rufusbabe
    Member
    Posted 2 years ago #

    But the theme works absolutely fine on a different test hosting... with no malicious code. The malicious code only appears on the icsolutions.com.au hosting...?!

  10. michael.mariart
    Member
    Posted 2 years ago #

    That means that there's something extra that's still in your hosting account that's adding that code in. If this is not fixing the problem I'd do a complete backup of every file, then delete EVERYTHING and upload a new copy of WP and your theme and plugins code. Then you can re-upload your wp-content/uploads/ folder after you have checked it all for any corrupted files.

    I've seen this many times before on a few customers' websites. The infections are not limited to one file or one place. You need to look through pretty much EVERY folder on your website to find files that are not supposed to be there. One of the "favourites" that I've seen used is "jquery.js.php". That looks like it's meant to be there but it's a fake file that's set up with the exploit code. There could also be exploit code injected into any of the core WordPress files. It's impossible for us to say or know where it is because we can't see the file structure of your site.

    If you are not too good with doing this yourself there's a few good companies around that can help you with these sort of hacks. I won't name any here because I'm not going to promote one over another one, but it might be worth the money for you to get someone to look at it that knows what they are looking for and can see what you are missing there.
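
The checks suggested in this thread (timthumb.php or thumbs.php buried in theme folders, look-alike files such as jquery.js.php, base64 calls, the hidden keyword div) can be run over a downloaded copy of the site in one pass. The script below is an added example, not code from any poster; its function names, regexes and sample tree are assumptions of the example, and a hit is a lead for manual review rather than proof of infection.

```python
import re
import tempfile
from pathlib import Path

# Heuristics drawn from the thread; names and patterns are assumptions of this example.
THUMB_NAMES = {"timthumb.php", "thumbs.php"}
DOUBLE_EXT = re.compile(r"\.(js|css|jpe?g|png|gif)\.php$")
CONTENT_PATTERNS = {
    "base64_decode call": re.compile(rb"base64_decode\s*\(", re.I),
    "hidden div": re.compile(rb"<div[^>]*display\s*:\s*none", re.I),
}

def scan_tree(root):
    """Return sorted (relative_path, reason) pairs for files worth a manual look."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel, name = path.relative_to(root).as_posix(), path.name.lower()
        if name in THUMB_NAMES:
            findings.append((rel, "possible TimThumb script"))
        if DOUBLE_EXT.search(name):
            findings.append((rel, "asset name with .php extension"))
        if name.endswith(".php") and "uploads" in path.relative_to(root).parts:
            findings.append((rel, "PHP file under uploads"))
        if name.endswith((".php", ".js")):
            data = path.read_bytes()[:2_000_000]  # only inspect the first 2 MB
            findings += [(rel, why) for why, rx in CONTENT_PATTERNS.items() if rx.search(data)]
    return sorted(findings)

def build_sample_site(root):
    """Write a constructed sample tree (not the thread's site) for a dry run."""
    files = {
        "wp-content/themes/demo/functions.php": b'<?php echo \'<div style="display:none">\';',
        "wp-content/themes/demo/inc/lib/thumbs.php": b"<?php // TimThumb placeholder",
        "wp-content/themes/demo/js/jquery.js.php": b"<?php echo base64_decode('aGk=');",
        "wp-content/uploads/2012/logo.png": b"\x89PNG",
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for rel, reason in scan_tree(tmp):
            print(f"{rel}: {reason}")
```

Legitimate themes also use base64_decode and hidden divs, so compare each flagged file against a fresh copy of the same theme or WordPress release before deleting anything.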

  11. rufusbabe
    Member
    Posted 2 years ago #

    Hi Michael,
    Thanks so much for your advice. I finally figured it out from this post - http://wordpress.org/support/topic/un-necessary-care2com-links-in-my-source-file?replies=23! :)

    For some reason my functions.php was referencing that javascript file and inserting that malicious code into the top of the site. I have no clue why it was only happening on this hosting and not others though. Very odd.

    Anyway, thank goodness it's all fixed now. Thanks everyone for all your help! Much appreciated! :)


This topic has been closed to new replies.
