WordPress.org


Have I Been Hacked? "WE DID 0 QUERIES" suddenly in footer (23 posts)

  1. tmedler
    Member
    Posted 4 years ago #

    I am using 2.8.2 with slightly modified Fluid Blue theme. Still in development mode, so I haven't worried about security too much.

    This morning, a mystery "WE DID 0 QUERIES" started showing up at the top of my footer. After reviewing the "View Source", it appears to be getting added before the footer processes.

    I can't find anything resembling this phrase in any of my files or database tables (could it be that a feed has been injected?).

    A web search on "WE DID 0 QUERIES" came up with a couple of other sites with the exact same thing.

    An "Upgrade" folder suddenly appeared in my wp_content tree and it looks like someone may have looked at my .htaccess.

    Other than upgrading to 2.8.4...any ideas?

  2. tmedler
    Member
    Posted 4 years ago #

    To follow up, it definitely has the signature of being hacked:

    http://www.stlucaslcms.org

    Upgrading to 2.8.4, deactivating all plugins and changing to the default theme didn't change anything.

    There is a "get_num_queries()" call in the footer for all of my themes, but it is not in the right place for where this is showing up.

    I can't find where this is coming from anywhere!

  3. figaro
    Member
    Posted 4 years ago #

    Even if it's a feed, it's got to be in your code or db...it can't be appearing magically. Did you check the footer.php file? Also, are there any other, additional, files in your install? How did you search the db...dump it as an sql file and search it?

  4. tmedler
    Member
    Posted 4 years ago #

    I searched a dump and didn't find anything. I should note that it is very full of garbage for something that hasn't been up for very long.

    It appears that whatever is there is getting added in the main content block.

  5. tmedler
    Member
    Posted 4 years ago #

    Whatever this is...it is spreading.

    A new google search this morning comes up with about 10 different sites with the "WE DID 0 QUERIES" at the bottom.

  6. Samuel B
    moderator
    Posted 4 years ago #

  7. whooami
    Member
    Posted 4 years ago #

    now THIS is interesting.

    you're right, I've found 3 separate wp blogs, all at 2.8.4, all on different servers, all different themes, and they have the same code when you view the source,

    <div id="footer">WE DID 0 QUERIES<br /></div>

    I would LOVE to take a look at your files.

    and that's not the same, samboll. THAT thread is about a very specific hack.

  8. Samuel B
    moderator
    Posted 4 years ago #

    now THIS is interesting

    are you talking about the 0 queries deal?
    I just searched it - wow

  9. whooami
    Member
    Posted 4 years ago #

    I contacted the developer for one of the sites I found -- he looks like he knows wordpress so I'm guessing he can find the code.

  10. whooami
    Member
    Posted 4 years ago #

    tmedler, what is around, code-wise, the get_num_queries you see in your themes? since you mention it's in all your themes, that's quite suspect.

    I checked fluid-blue, it's there, and in the wrong spot and not wrapped the same,

    <!-- <?php echo get_num_queries(); ?> queries. <?php timer_stop(1); ?> seconds. -->
    <?php wp_footer(); ?>

  11. whooami
    Member
    Posted 4 years ago #

    that should be at the VERY start of your footer.php or the last thing in your sidebar.php, tmedler

    I compared a copy of your theme to what's displayed on your site.

  12. tmedler
    Member
    Posted 4 years ago #

    I deleted the "get_num_queries" and it is still there. I also have another theme installed that didn't have that code in the footer and it still shows up.

  13. tmedler
    Member
    Posted 4 years ago #

    It also shows up in clean uploads of the default and classic themes.

  14. jonasamos
    Member
    Posted 4 years ago #

    I've been getting a magical "viagra" link at the top of my header and it was nowhere in my theme coding. my host actually found it in my wordpress database.

    I deleted the coding but every once in a while it will reappear. haven't found out how to get rid of it for good yet.

  15. tmedler
    Member
    Posted 4 years ago #

    Fortunately, I'm not too far along where I can't just blow everything up and start over with a fresh 2.8.4 and fresh database.

  16. Bill Robbins
    Member
    Posted 4 years ago #

    One of my clients was hacked. The code shows up in the <?php get_footer(); ?> command. I reloaded WordPress 2.8.4, but that didn't fix the issue. I changed the <?php get_footer(); ?> to <?php include(TEMPLATEPATH."/footer.php");?> to remove the sign of the attack until I can find and remove it. Hope that helps somebody.

  17. whooami
    Member
    Posted 4 years ago #

    hey bill, I knew you would find it :)

    wp-includes/general-template.php perhaps? hmm, plugin, database...

  18. tmedler
    Member
    Posted 4 years ago #

    Thank you for the workaround!

    Now to figure out how get_footer is getting redirected. My thought is that it must be an outside url, as the text "WE DID" is not in any of my files and is not anywhere in my database.

  19. tmedler
    Member
    Posted 4 years ago #

    Please forgive me, as I really have little idea of what I am doing in web development and php. However, I need to have an .htaccess in my root directory to force PHP 5. Should all of the following be in there?:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    I was wondering about the ReWrite rule...

  20. whooami
    Member
    Posted 4 years ago #

    yes, that's fine, tmedler

  21. Bill Robbins
    Member
    Posted 4 years ago #

    Have any of you used this plugin

    http://wordpress.org/extend/plugins/wordpress-event-calendar

    and experienced this issue?

    I was working on a local installation and received the "WE DID 0 QUERIES" when I activated the plugin. Deactivating the plugin removed the code. I'm certain that is what caused the issue with my client site as they're still searching for the perfect event calendar.

  22. whooami
    Member
    Posted 4 years ago #

    looking at the sites in google, that looks like it may be the cause.

    http://www.vancouvercap.org/?page_id=19

    was one site, for instance.
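
Added example, not part of any post in this thread: get_footer() fires the `get_footer` action before it loads footer.php, so an active plugin can print into the page at that point without touching theme files or the database, and a direct include of footer.php skips that hook. The script below lists every callback registered on the footer hooks under a wp-content directory; the plugin name, function names and file contents in its sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Hooks that fire while the footer is rendered: get_footer() runs the
# 'get_footer' action before loading footer.php, wp_footer() runs 'wp_footer'.
FOOTER_HOOKS = ("get_footer", "wp_footer")

# Matches add_action( 'hook', callback ... ) and add_filter(...), any quote style.
HOOK_RE = re.compile(
    r"""add_(?:action|filter)\s*\(\s*['"](?P<hook>[^'"]+)['"]\s*,\s*(?P<cb>[^,)]+)""",
    re.IGNORECASE,
)


def find_footer_hooks(root):
    """Return (relative path, line number, hook, callback) for each registration."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in HOOK_RE.finditer(line):
                if m.group("hook") in FOOTER_HOOKS:
                    cb = m.group("cb").strip().strip("'\"")
                    rel = path.relative_to(root).as_posix()
                    hits.append((rel, lineno, m.group("hook"), cb))
    return hits


def demo():
    """Build a constructed wp-content tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp, "plugins", "sample-calendar")  # hypothetical plugin
        plugin.mkdir(parents=True)
        # Constructed plugin file: one footer-hook callback, one unrelated hook.
        (plugin / "sample-calendar.php").write_text(
            "<?php\n"
            "function sc_debug() { echo get_num_queries(); }\n"
            "add_action( 'get_footer', 'sc_debug' );\n"
            "add_action('init', 'sc_init');\n"
        )
        return find_footer_hooks(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("%s:%d hook=%s callback=%s" % hit)
```

Run `find_footer_hooks()` against a copy of the site's wp-content directory and review each reported callback; a hit is a place to look, not proof of compromise, since themes and plugins register these hooks for legitimate reasons.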

  23. kitkaplan
    Member
    Posted 3 years ago #

    I don't use the plugin and I'm using a modified default theme at energeticempowerment.org and I got Viagra keywords in my footer. I don't know any php. I host with Yahoo. Can this be a host related issue?

Topic Closed

This topic has been closed to new replies.
