Hacked: Hidden Links - <div style="display: none;"> (6 posts)

  1. worldbowler
    Member
    Posted 5 years ago #

    Hi there, really hope someone can help.

    At present my blog has hidden porn/spam links at the bottom of every page.

    The malicious code starts:

    </body>
    </html><div style="display: none;"><a href=" (then all the links start here)

    I've spent the whole weekend trying to sort this out but can't find the code/links anywhere.
    I've done the following:
    - Upgraded to 2.6.5
    - Deleted all old wp files except config & content before upgrading.
    - Matched config against new download - is fine.
    - Deleted the wp-content files on remote server - Then browsed to my site and had a blank page but links were still there!
    - Looked in Database for additional users - no new ones.
    - Looked in plugins record and nothing out of ordinary (I think).
    - Deleted all plugins & links still there.
    - Other thing is my .htaccess had changed a couple of days before, I changed it back and changed all ftp passwords.

    Arrrgh! Any ideas? Would be very grateful! Thanks

  2. billc108
    Member
    Posted 5 years ago #

    Considering that it's after the /body and /html, check your index.php page at the root of your site. That's the most likely place.

    If not there, do a site wide search on all the site files for <div style="display: none;">

  3. Snackmaster
    Member
    Posted 5 years ago #

    Sounds like your site and/or WordPress have been hacked.

    See here for excellent tips:
    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

    See others with similar issues here:
    http://wordpress.org/search/hacked?forums=1

  4. worldbowler
    Member
    Posted 5 years ago #

    Guys, you're amazing, I totally overlooked the index.php file.

    It contains the hardcoded links and also some base64 code for additional links.

    I got so caught up in the upgrade and checking the database, also as the index is outside of wp- prefixes just totally didn't think.

    Awesome, I'm gonna change the index file.

    I'm also gonna look at hardening my install, you think I need to check anything else?

    Thanks a lot!

  5. whooami
    Member
    Posted 5 years ago #

    I'm also gonna look at hardening my install, you think I need to check anything else?

    ya think?

    Of course. Did you read any of the threads in the link above? Did you even read Doncha's post?

    Your site was hacked dude. Read.

  6. webmistressofthedark
    Member
    Posted 5 years ago #

    This hack <u style='display:none'> continues to this day.

    I think they got into the whole server, because all the sites that were hacked were on one that I use, but not the other.

    Some sites did not have the remv.php file in the themes folder, but in the themes folder the header.php file, accessible from the control panel, was altered.

    Also in the wordpress directory itself one index.php file had some base 64 in the top of it.

    Check for strange users, and also repair your database after you change your password.

    I hope they can fix this exploit!
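
The site-wide search suggested in this thread, extended to the base64-encoded links two posters found in index.php, as an added example that is not code from any participant. The function names, the `SAMPLE` string and the spam.example URL are constructed for illustration.

```python
import base64
import re
import sys
from pathlib import Path

# Elements hidden inline, e.g. <div style="display: none;"> or <u style='display:none'>
HIDDEN = re.compile(r"<\w+[^>]*style\s*=\s*[\"'][^\"']*display\s*:\s*none", re.I)
AFTER_HTML = re.compile(r"</html\s*>(.*)", re.I | re.S)
B64_CALL = re.compile(r"base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=\s]{16,})[\"']", re.I)
LINK = re.compile(r"<a\s[^>]*href", re.I)
# Constructed sample in the shape the first post describes.
SAMPLE = '</body>\n</html><div style="display: none;"><a href="http://spam.example/">x</a></div>'

def scan_text(text):
    """Return a sorted list of finding labels for one file's contents."""
    findings = set()
    tail = AFTER_HTML.search(text)
    if tail and tail.group(1).strip():
        findings.add("content-after-</html>")
    for m in HIDDEN.finditer(text):
        # Flag a hidden element only when a link follows it closely.
        if LINK.search(text, m.end(), m.end() + 300):
            findings.add("hidden-links")
    for m in B64_CALL.finditer(text):
        findings.add("base64_decode")
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:  # malformed base64: keep the generic finding only
            continue
        if LINK.search(decoded) or HIDDEN.search(decoded):
            findings.add("base64-hides-links")
    return sorted(findings)

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Map relative path -> findings for every matching file under root."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan a local copy of the site files
        for name, hits in scan_tree(sys.argv[1]).items():
            print(name, ", ".join(hits))
    else:
        print(scan_text(SAMPLE))
```

Run it against a downloaded copy of the whole web root, not only the wp- directories. Legitimate themes also use display:none and base64_decode, so treat each hit as a file to read, not as proof of compromise.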

Topic Closed

This topic has been closed to new replies.
