WordPress.org

1. TurkDaddyFlex
   Member
   Posted 1 year ago #

   If you go to my blog at http://www.bokay.net and scroll to the very bottom you will see a link next to the copyright that says "Acne treatment".

   I have no idea how that got there. I haven't noticed that link in the past so I do believe it is new, but I could just have missed it in the past. I haven't added any plugins recently either.

   I've just skimmed through my theme's code and haven't found anything yet. I'm more concerned with how that ad could have gotten there. Any ideas on if my site got hacked or if it is the product of a plugin? Any recommendations on where to look?

   I'm going to keep digging but I wanted to post here and see if anyone has gotten any experience with this or have had this happen to them.

   Thanks for the help everyone.

2. Samuel B
   moderator
   Posted 1 year ago #

   looks like it's coming from the theme's footer.php

3. TurkDaddyFlex
   Member
   Posted 1 year ago #

   Thats what I thought as well but the foot.php is quite cryptic. Here is the code.
   <?php eval(base64_decode('Pz4gCQ0KCTxkaXYgaWQ9ImZvb3RlciI+DQoJCTxwPkNvcHlyaWdodCA8P3BocCBibG9naW5mbygnbmFtZScpOyA/PiAuIDw/cGhwIGlmKGlzX2hvbWUoKSkgOiA/PjxhIGhyZWY9Imh0dHA6Ly8xYWNuZW1lZGljYXRpb24uY29tLyIgdGl0bGU9IkFjbmUgdHJlYXRtZW50ICI+QWNuZSB0cmVhdG1lbnQgPC9hPjw/cGhwIGVuZGlmOyA/PjwvcD4NCgkNCgk8L2Rpdj4NCg0KPC9kaXY+CQ0KPC9kaXY+DQoJPD9waHAgd3BfZm9vdGVyKCk7ID8+DQo8L2JvZHk+DQo8L2h0bWw+DQogPD8='));?>

   Any idea?

4. govpatel
   Member
   Posted 1 year ago #

   There no harm in deleting that looks like some one hacked and put it there.

5. TurkDaddyFlex
   Member
   Posted 1 year ago #

   Yup, that got rid of the copyright and the AD link, thanks. Any thoughts on how that might have happened?

6. t-p
   Member
   Posted 1 year ago #

   may be you want tothink about hardening your WP installation to reduce the likelyhood of happening this again:

   Tips for hardening your WP installation:
   http://codex.wordpress.org/Hardening_WordPress

7. GotAloha
   Member
   Posted 1 year ago #

   A lot of free theme developers try to force those who use their themes to display a link back to their web site in exchange for providing a free template.

   The odd looking code that you posted above is base64 encrypted code that when decrypted simply renders the usual footer HTML tags.

   Here's what it decrypts into...

   ?>
   	<div id="footer">
   		<p>Copyright <?php bloginfo('name'); ?> . <?php if(is_home()) : ?><a href="http://1acnemedication.com/" title="Acne treatment ">Acne treatment </a><?php endif; ?></p>
   
   	</div>
   
   </div>
   </div>
   	<?php wp_footer(); ?>
   </body>
   </html>
    <?

   If you remove the encrypted code, be sure that you close your HTML tags properly, since the theme's author hid those tags within the encrypted text. Take note that there is also an opening PHP tag as well.

   Hope that helps!

Topic Closed

This topic has been closed to new replies.