WordPress.org


Text Appearing After HTML Tag (3 posts)

  1. llamaman
    Member
    Posted 5 years ago #

    Hello!

    I was a victim of Dreamhost's FTP login/password breach a while back and just noticed that someone hacked my site and placed a link to a website after the HTML tag. The website is here, and if you scroll all the way to the bottom, you will see a link to "mp3million". The problem is, I cannot figure out where to delete that link.

    The link does not seem to be theme-dependent, as the issue appears no matter which theme is active. Also, I scoured my theme files and the link is not in there.

    I also searched the "index.php" files in the "root" and "wp-content" directories and couldn't find the hacked link anywhere.

    Do you have any other suggestions of places/files I might look to delete this unwanted link?

    Thanks!

  2. I'm sure you've changed/resolved the FTP password, so that's probably covered already. Back up everything (database and files) and then delete everything (NOT THE BACKUPS! :).

    Do a complete re-install from the sources, meaning get the WordPress files, plugins, and theme you use from the original author's websites. If you are using a theme with dodgy obfuscated code, DROP IT and use something else for now.

    Re-create your wp-config.php from scratch and start moving images and files you've uploaded into wp-content. See the below links and comments on how to check that the spammy link is either in your database or files.

    It's a lot of work but you'll find it eventually and hopefully have that V8 moment when it's solved.

    Begin boiler plate HERE

    Read this

    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

    And then read it again.

    Read this too

    http://codex.wordpress.org/Hardening_WordPress

    Upgrade to the latest version if you have not already. You need to see if there are any users added to WordPress that you don't know about/don't belong there.

    You need to go through your files and find where the spammy links are being added. If it's in wp-config.php or some other file, you'll need to make sure that is cleaned up before you can consider yourself good file-wise. Look everywhere and use fresh copies of your WordPress installation, plugins, and themes.

    Look at your posts and comments and see if there are any spammy links there. You can export your whole blog to WXR and then examine the whole thing in your favorite text editor.

    Look at your server's log files. If you are on a shared server, get help from your provider. You need to identify if this was a compromise of WordPress or your server. If you do not identify the entrance through which the attacker got in, odds are they will be back.

    Once you have cleaned up your hacked blog, harden it so this does not happen again.

    Good luck.

  3. llamaman
    Member
    Posted 5 years ago #

    Many thanks to @jdembowski.

    After pulling my hair out for weeks about this, I found the code inserted in my main directory's index.php file. Geesh! The reason I missed it is because I have WordPress installed in a sub-directory, so when I was reinstalling/overwriting my core files, I forgot to move the fresh index.php file over to the root directory.
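
The check this thread arrives at, as an added example that is not part of the original posts: search the whole document root for the injected string and compare installed files, including the root index.php of a sub-directory install, against a fresh WordPress copy. The function names, directory layout and spam.example URL are constructed for illustration.

```shell
#!/bin/sh
# find_marker DOCROOT STRING
# List every file under DOCROOT that contains STRING. Starting at the document
# root also covers files that sit outside the WordPress sub-directory.
find_marker() {
    grep -rlF -- "$2" "$1" 2>/dev/null | sort
}

# changed_core_files DOCROOT WPDIR FRESH
# List installed files that are missing or differ from the fresh copy in FRESH.
changed_core_files() {
    docroot=$1 wpdir=$2 fresh=$3
    (cd "$fresh" && find . -type f) | sed 's|^\./||' | sort |
    while IFS= read -r rel; do
        cmp -s "$fresh/$rel" "$wpdir/$rel" || printf '%s\n' "$wpdir/$rel"
    done
    # Sub-directory install: DOCROOT has its own index.php, which overwriting
    # WPDIR never touches. Only its wp-blog-header.php require line should
    # differ from the fresh file, so report it for manual review.
    if [ "$docroot" != "$wpdir" ] && [ -f "$docroot/index.php" ]; then
        cmp -s "$fresh/index.php" "$docroot/index.php" ||
            printf '%s\n' "$docroot/index.php"
    fi
}

# make_demo_tree DIR
# Constructed sample layout (not data from the thread): a fresh copy, a clean
# install in site/blog, and a modified index.php in the document root.
make_demo_tree() {
    mkdir -p "$1/fresh" "$1/site/blog"
    printf '<?php\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$1/fresh/index.php"
    printf '<?php // login\n' > "$1/fresh/wp-login.php"
    cp "$1/fresh/index.php" "$1/fresh/wp-login.php" "$1/site/blog/"
    printf '<?php\nrequire __DIR__ . "/blog/wp-blog-header.php";\n?>\n<a href="http://spam.example/">mp3million</a>\n' > "$1/site/index.php"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
find_marker "$demo/site" "mp3million"
changed_core_files "$demo/site" "$demo/site/blog" "$demo/fresh"
rm -rf "$demo"
```

Both functions report only the root index.php for the sample tree; the files under site/blog match the fresh copy and produce no output.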
