WordPress.org

Ready to get started?Download WordPress

Forums

Google Adsense Hack on my Blog (14 posts)

  1. scurtis72
    Member
    Posted 4 years ago #

    Our site, http://www.concurringopinions.com, keeps getting hacked and having google adsense ads embedded in the code. We have changed all the passwords and removed the code (numerous times) but they keep coming back. The hack ranges from placing the code in theme files to adding widgets with adsense code.
    Additionally I have made the files read only and it still happens. It began yesterday and will not stop. Can someone please tell me how to eliminate this issue as the ads are destroying the cosmetics of the site.

  2. indiemusicfinds
    Member
    Posted 4 years ago #

    the same thing happened to me last night at http://indiemusicfinds.com

    the adsense ads look identical too, I emailed google adsense one of the links so they can ban the account so they don't get the money.

    I think I've just found the code that's doing it in my Theme's Main Index Template.
    There's something about adsense and a JS script. I'm not sure how much of it I need to take out though, i don't want to break anything.

    I'm worried that they've put some other code in the wordpress files to allow them backdoor access again which it looks like has happened with yours for them to keep putting it back.

    Posted by <span><?php the_author() ?></span>  |  Posted in <span><?php the_category(', ') ?></span>  |  Posted on <?php the_time('d-m-Y') ?>
    						</h3><script type="text/javascript"><!--
    google_ad_client = "pub-2269506850128822";
    /* 728x90, created 7/25/09 */
    google_ad_slot = "7353594443";
    google_ad_width = 728;
    google_ad_height = 90;
    //-->
    </script>
    <script type="text/javascript"
    src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
    </script>
                        </div>

    Can you tell me whether this is the code I need to remove anyone? I'm not expert with this stuff.

  3. scurtis72
    Member
    Posted 4 years ago #

    You need to remove the following part only:

    <script type="text/javascript"><!--
    google_ad_client = "pub-2269506850128822";
    /* 728x90, created 7/25/09 */
    google_ad_slot = "7353594443";
    google_ad_width = 728;
    google_ad_height = 90;
    //-->
    </script>
    <script type="text/javascript"
    src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
    </script>
  4. indiemusicfinds
    Member
    Posted 4 years ago #

    Thanks, yes I just took it out.

    Now another one has appeared in my side bar at the bottom.
    Do you know how to get rid of this one?
    It's not showing up as a Widget in Appearance-Widgets.

  5. indiemusicfinds
    Member
    Posted 4 years ago #

    no worries i just found it in sidebar.php.

    I hope this doesn't become a game of cat and mouse.

  6. indiemusicfinds
    Member
    Posted 4 years ago #

    I've just found this in my functions.php

    }
    eval(str_rot13('shapgvba purpx_sbbgre(){$y=\'Gurzr ol : <n uers="uggc://jjj.jroubfgvatercbeg.pbz/orfg-cuc-ubfgvat.ugzy">CUC Jro Ubfgvat</n>\';$s=qveanzr(__SVYR__).\'/sbbgre.cuc\';$sq=sbcra($s,\'e\');$p=sernq($sq,svyrfvmr($s));spybfr($sq);vs(fgecbf($p,$y)==0){rpub \'Guvf gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprapr, nyy yvaxf va gur sbbgre fubhyq erznva vagnpg\';qvr;}}purpx_sbbgre();'));

    It looks a bit out of place and the uggc://jjj. part looks like an odd version of http://www. where these codes might be being fed from.

    Can someone tell me whether this is supposed to be here before i take it out?
    There's another one at the bottom of fuctions.php as follows

    }
    
    eval(str_rot13('shapgvba purpx_urnqre(){vs(!(shapgvba_rkvfgf("purpx_shapgvbaf")&&shapgvba_rkvfgf("purpx_s_sbbgre"))){rpub(\'Guvf gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprapr, nyy yvaxf va gur sbbgre fubhyq erznva vagnpg\');qvr;}}'));
    
    ?>
  7. scurtis72
    Member
    Posted 4 years ago #

    It has become a game of cat and mouse. I removed probably a dozen so far and now the one at the top of our blog is impossible to find. I am searching all the files but have yet to find it.

  8. indiemusicfinds
    Member
    Posted 4 years ago #

    I'm guessing it'll be in header.php

  9. scurtis72
    Member
    Posted 4 years ago #

    I looked it isn't there. I have gone through all my theme files and it is nowhere. Which functions.php did you find the weird code? The theme one or the main WP one?

  10. indiemusicfinds
    Member
    Posted 4 years ago #

    the theme one, i think, it's in the wordpress panel. Appearance-Editor

    i'm fairly sure that's what's doing it, it looks very suspect. I want someone who understands these files to confirm first though.

  11. scurtis72
    Member
    Posted 4 years ago #

    Can someone from WordPress please respond to this? It is still taking place and is annoying. Any clue as to where to look for an app or widget or bot that is doing this would be greatly appreciated.

  12. iridiax
    Member
    Posted 4 years ago #

    Make sure that you are not using free web hosting (it often comes with ads) and see: http://codex.wordpress.org/FAQ_My_site_was_hacked

  13. scurtis72
    Member
    Posted 4 years ago #

    I'm not using free hosting. The site has been around for quite a while and he just started happening. Thanks for the link.

  14. Kathy_P
    Member
    Posted 4 years ago #

    When mine was hacked I found a modified version of an adsense plugin installed. The name had been changed to wp.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags