WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Spam insertion. (5 posts)

  1. kurnmogh
    Member
    Posted 10 months ago #

    Hi there. I had a bad PHP insertion attack on my site a few months ago. I asked my host to roll me back to a previous state, which seemed to solve the issue. However, I finally got around to trying to ask Google to remove the "This site may be compromised" notation and they informed me that my site was rife with spam. I saw it was, once I used Google Webmaster Tools to fetch as google, though it remains hidden from me on my regular browser. I am fairly certain I've almost gotten everything at this point, but there is SOMETHING that is still appending itself to "the_content" on my most recent post. (I tested this by adding a test post, the spam appended itself to that, then re-appended itself to the other most recent post when I deleted the test post.)

    I've managed to isolate that it IS in "the_content" by putting in comments above and below where I thought it was happening and my entire post is between those comments, along with the spam.

    Here's what I'm talking about:

    <!-- WHERE THE SPAM IS??? -->
    
    <p> MY POST CONTENT </p>
    <div align=right style="width:20px; overflow:hidden; height:14px;">&nbsp; &nbsp; &nbsp; <div><ul><li>Our residence on a sunday evening for a powerpoint presentation on the holiday we had approached the hdfc bank who also retorted that they were helpless we also to <a href="http://www.wearelibrarians.com/wp-content/uploads/2012/01/expansion/autosclasicosmexico.html">hdfc bank credit card</a> to make a stop payment for the same. Just saw this superb viral video on youtube for hdfc bank credit card i must say its a. Www hdfcbank com applications misc rewardcatalog cc rewards asp hdfc bank credit card reward points catalogue ecocho.</li><li>How <a href="http://www.wemautoparts.com/wp-content/uploads/joining/refinement/19postbankruptcy.html">can i get</a> a perkins pre loan interview form. Transfers from your credit card will be treated as a cash advance and may only mastercard and visa consumer credit card customers have access to the how can i get a copy of my credit card statement. Where can i get a credit card with high interestr.</li><li>Add person home title paying mortgage that person can <a href="http://blog.cunysustainablecities.org/wp-content/gallery/supplement/expansion/paydaycashloan.html">take out a loan</a> on the property, remodel, tear it down or even sell the. And so many students will reluctantly take out a loan to pay for all of your remaining student debts will be paid off in full by the loan consolidation philippine travel destinations seo services philippines. You can still take out a loan without needing the check to be deposited into your account.</li><li>Make mortgage rate and other comparisons with up to three different. Check to see if you can have the owner finance rv payments for you. Results for payday loans in il get instant pay day loans, no credit checks, and no hassles <a href="http://museumsmatter.com/wp-content/themes/existing/backup/90dayloan.html">90 day title loan</a>.</li><li>Concluding the agreement with <a href="http://www.jennifermanningplassnig.com/wp-content/cache/accessory/attachment/prepaiddebitcard.html">no teletrack payday loan direct lenders</a> lender pay do not be depressed and apply for the no teletrack payday loan lenders. Jan no teletrack payday loan direct lenders help out people who have you give out on the lenders website is kept safe and secure. Concluding the agreement with no teletrack payday loan direct lenders lender want to get sum up to dollars to your bank account by tomorrow.</li></ul></div></div>
    
    <!-- WHERE THE SPAM IS??? -->

    My index.php in my template looks like this:

    <!-- WHERE THE SPAM IS??? -->
    
            <?php the_content('Read the rest of this entry &raquo;'); ?>
    
    <!-- WHERE THE SPAM IS??? -->

    Any ideas? I know Blackhat SEO was part of my problem, but I wasn't seeing this level of insertion with that. That had a new column on the far-right of the page with links to pharma stuff. So anyone have any clue? Ideas? Tips? Tricks? How is it appending itself to the most recent entry? Thanks for any help you can provide.

  2. kurnmogh
    Member
    Posted 10 months ago #

    Any ideas from anyone about this? Thanks very much in advance.

  3. kurnmogh
    Member
    Posted 10 months ago #

    Just FYI, the WP addon "Wordfence" tracked down the bit of code that was being inserted and also found three backdoors I'd missed. Great addon. Problem solved, everything seems secure.

  4. Krishna
    Volunteer Moderator
    Posted 10 months ago #

  5. kurnmogh
    Member
    Posted 10 months ago #

    I'd already done pretty much all of that, I just couldn't find the bit of code that was inserting something right after my "the_content". My site was coming up as clean on sucuri and unmaskparasites, but it wasn't, because I still had that bit of code. I used Wordfence, as mentioned, which helped me restore 2 changed WP core files to their original copies, helped me delete one file that didn't belong there at all AND removed the code in another file which was adding the spam text.

    Since then, I've also changed my login PW, my shell/FTP PW and even my DB password (and subsequently, obviously, changed my WP config as well).

    Everything checks out on all scanners, including Fetch as Google. So yeah, problem solved because of the three days of hunting I did prior to posting last night and then because of Wordfence's awesome tool.

Reply

You must log in to post.

About this Topic