WordPress.org


[Shenanigans] Undesirable links appearing in header.php (10 posts)

  1. elroyel1327
    Member
    Posted 6 years ago #

    Hi everyone,

    I'm sorry if this has been covered -- I searched but was unable to find help -- I've noticed that some spam-tastic links have been appearing in the header.php of my theme.

    The links don't appear when the site is rendered, however they are in the page's source. So the 'hacker' is clearly attempting to stealthily increase their page rankings (the presence of these links also influenced the content of my google ads).

    As soon as I found the links I removed the code from the header.php. Made sure that all the plugins that I'm using are up-to-date and, of course, double checked that I was running the latest WP and that all my files had the correct permissions.

    However, less than 24 hours later the links were back in the header.php - so double checked everything again, and even changed my passwords for my ftp AND WP admin login.... but, guess what! They appeared there again and I have no idea how the file is being accessed and edited.

    I googled a few of the nefarious links and was surprised to see how many sites have also been hacked (try for yourself, google: "information phentermine viagra xanax" or "cialis compare levitra viagra" and check out how many of the results are for innocent sites whose source has been modified).

    Anyway, I guess I'm asking for help here - is this a known exploit? If so how do I prevent it from happening again?

    Any assistance is greatly appreciated.

  2. whooami
    Member
    Posted 6 years ago #

    what are the permissions of your themes files?

    777? 666?

    I noticed you are attempting to hide the version of WP you are using -- you're running 2.3.2 :)

  3. elroyel1327
    Member
    Posted 6 years ago #

    The files are set to 644.

    Yeah, I am running 2.3.2 - as I said in my first post - and yeah, I have removed it from the header, as was suggested on one of the many sites I found while attempting to diagnose the problem I outlined above.

    I'm not sure what significance your comment holds. Seriously, is there something wrong with not showing the version number?

  4. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    Seriously, is there something wrong with not showing the version number?

    No. It doesn't actually help or anything, but there's nothing wrong with it.

    He may have hacked your core files or left a backdoor in there or got in through a plugin or something. Replace all the WordPress files with fresh ones. Deactivate your plugins and see if they may have known compromises for them before reactivating them. Look through your server logs to see how he's getting in.

  5. whooami
    Member
    Posted 6 years ago #

    no :) and I don't see where you said what version you were running, but I might have missed it.

    The significance of it lies in the version being the most important thing when someone says something about being hacked. Since I don't see it mentioned in your post above -- I went to see on your site.

    Re-reading, I see now that you indicated you are running the "latest" -- I skipped right over that, since it's not a version number.

    So I go look, and you have removed it, which is fine, I've removed mine. There are other ways to get a WP version number though, that's all I was alluding to.

    You mention also checking to make sure your plugins are up to date.. that's great, if the authors of the plugins have actually taken the time to take care of any security issues.

    Are any of them listed here:

    http://wordpress.org/support/topic/154770

  6. elroyel1327
    Member
    Posted 6 years ago #

    Thanks guys,

    whooami, I'm not using any of the plugins that are listed in the linked post - I wasn't having a go at you about the version number, I was genuinely asking if removing it was an issue.

    Otto42, I'll replace the files as you suggest and see if that prevents it from happening again.

    I'm still curious to know if this has happened to others here. As I said, I found several exploited sites just by doing a quick google search, but it doesn't seem like there is a known 'hole' or even that other people are aware that it's happening.

  7. whooami
    Member
    Posted 6 years ago #

    elroyel1327, I wasn't worried :) If you're curious though, your version # is displayed prominently in all of your feeds :)

  8. elroyel1327
    Member
    Posted 6 years ago #

    AH HA! On following up with Otto42's suggestion I was just running through the files list and comparing it to the default file list from a new install of WP - sure enough there was a wp- prefixed file there that wasn't supposed to be.

    It appears that somehow someone had managed to install a r57shell file on the server (which I've now removed).

    Being that this sort of thing is completely beyond my understanding, how should I go about preventing this from happening again?
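
The comparison described in the post above, as an added example that is not part of the thread: it hashes a live install against a fresh download and reports files that exist only on the server or whose contents differ. The skipped paths, the directory layout and the file name `wp-extra.php` are assumptions made for the constructed sample.

```python
import hashlib
import os
import tempfile

# Assumption: these paths legitimately differ from a fresh download and are audited separately.
SKIP_DIRS = {"wp-content"}
SKIP_FILES = {"wp-config.php", ".htaccess"}


def tree_hashes(root):
    """Map relative path -> SHA-256 for every file under root, minus the skipped paths."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if rel not in SKIP_FILES:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def audit(live_root, fresh_root):
    """Return (unexpected, modified, missing) lists of relative paths."""
    live, fresh = tree_hashes(live_root), tree_hashes(fresh_root)
    unexpected = sorted(set(live) - set(fresh))
    modified = sorted(p for p in set(live) & set(fresh) if live[p] != fresh[p])
    return unexpected, modified, sorted(set(fresh) - set(live))


def build_sample(base):
    """Constructed sample trees: 'live' gains one file and has one altered file."""
    core = {"index.php": b"<?php // front", "wp-login.php": b"<?php // login",
            "wp-includes/version.php": b"<?php // version"}
    extra = {"wp-extra.php": b"<?php // hypothetical stray file",
             "wp-login.php": b"<?php // login, altered"}
    for side, files in (("fresh", core), ("live", {**core, **extra})):
        for rel, data in files.items():
            path = os.path.join(base, side, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
    return os.path.join(base, "live"), os.path.join(base, "fresh")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(*build_sample(tmp)))
```

The fresh copy must be the same WordPress version as the live site, otherwise every changed core file shows up as modified. Themes and plugins under `wp-content` are skipped here and need the same comparison against their own original packages.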

  9. whooami
    Member
    Posted 6 years ago #

    Did you happen to notice the timestamp on the file? if you did, I would be looking through my apache logs like a fool -- that timestamp would make it much easier to track down.

    Again, that's a root shell exploit, and they are typically accomplished using RFI attacks. They show up in your apache logs.

    The best defense against those is to make sure that everything on your site is secure, and coded properly, and to make sure your host is also running secure software.

    Beyond that, there's always mod_security, upgrading to PHP5 (which closed the hole on most RFIs)

    There's also plenty of reading:

    http://en.wikipedia.org/wiki/Remote_File_Inclusion
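
The log search suggested in the post above, as an added example that is not part of the thread: it keeps Apache combined-log entries that fall within a few minutes of the stray file's modification time, or whose query string carries a URL as a parameter value. The log lines, addresses, timestamps and file names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache combined log format: host ident user [time] "method url proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# A query parameter whose value is itself a URL, the usual log trace of an RFI attempt.
URL_PARAM = re.compile(r'[?&][^=&]+=(?:https?|ftp)(?::|%3a)(?:/|%2f){2}', re.I)


def suspicious_requests(lines, file_mtime, window_minutes=10):
    """Return (host, method, url, reasons) for entries near file_mtime or carrying a URL parameter."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format access line
        host, stamp, method, url, _status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        reasons = []
        if abs(when - file_mtime) <= window:
            reasons.append("near-mtime")
        if URL_PARAM.search(url):
            reasons.append("url-in-parameter")
        if reasons:
            hits.append((host, method, url, reasons))
    return hits


# Constructed sample data. For a real file, take the time from
# datetime.fromtimestamp(os.path.getmtime(path), timezone.utc).
SAMPLE_MTIME = datetime(2024, 1, 1, 9, 42, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:03:14:07 +0000] "GET /feed/ HTTP/1.1" 200 5120 "-" "reader"',
    '198.51.100.7 - - [01/Jan/2024:09:41:52 +0000] '
    '"GET /index.php?page=http://files.example.net/a.txt HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:09:42:05 +0000] "POST /wp-extra.php HTTP/1.1" 200 1843 "-" "-"',
    '192.0.2.33 - - [01/Jan/2024:17:20:00 +0000] "GET /?s=http+headers HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG, SAMPLE_MTIME):
        print(hit)
```

A file's modification time can be reset by whoever wrote it, so the URL-parameter match is applied to every line rather than only to those inside the time window.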

  10. elroyel1327
    Member
    Posted 6 years ago #

    I'll be reading up for sure.

    Thanks for your help with this whooami and Otto42, it's very much appreciated.

Topic Closed

This topic has been closed to new replies.
