Strange code in feeds (23 posts)

  1. cellobella
    Member
    Posted 6 years ago #

    Hi,

    I've noticed some weird question marks appearing in my feeds.. eg: phone??available

    So I tried to validate my feed and I found a whole bunch of weird code among all the errors:

    Line 321, Column 4: XML Parsing Error: Extra content at the end of the document.
    <div><script>var enkripsi="'1Afkt'02qv{ng'1F'00fkqrnc{'1Clmlg'1@'00'1G"; tek

    So my question is... is that weird code causing the question marks? And how do I get rid of it anyway?

    http://redsultana.com

  2. moshu
    Member
    Posted 6 years ago #

    That should be a lesson not to use "sponsored themes"!
    Delete all those crap links from your footer.php - it is full of links to porno sites :(

  3. cellobella
    Member
    Posted 6 years ago #

    Hey Moshu - nice to talk to you again!

    It was a theme sourced from the WordPress site - and then tweaked :)

    Anyway... this is the code from the footer:

    <div style="clear:both;"></div> </div> <div id="footer"> <p>Copyright &copy; <?php echo date("Y"); ?> <a title="Copyright">/"><?php bloginfo('name'); ?></a>  |  Created by <a title="The support page for your theme." href="http://milo.peety-passion.com/">milo</a><a title="Custom themes" href="http://insomnia.peety-passion.com/">IIIIVII</a> | <a title="Designfruit™ provides resources and inspiration for designers." href="http://www.designfruit.com/">Brushes</a> | <?php wp_loginout(); ?></p> </div> <?php do_action('wp_footer'); ?><script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
    </script>
     </body> </html>

    Which bit should I delete?

  4. moshu
    Member
    Posted 6 years ago #

    | Created by miloIIIIVII | Brushes |

    EVERYTHING between the bloginfo(name) - and wp_loginout!

  5. cellobella
    Member
    Posted 6 years ago #

    I've deleted nearly all of the footer but the errors are still there... could it be something else?

    This is what the footer page says now: <div style="clear:both;"></div> </div> <div id="footer"> <p>Copyright © SultanaBlog. Thanks for visiting. </p> </div>
    </body> </html>

  6. cellobella
    Member
    Posted 6 years ago #

    The question marks in the feed occur in the middle of posts... would it be the same problem?

  7. Jeremy Clark
    Moderator
    Posted 6 years ago #

    Instead of using the built-in theme editor, try using a good ol' text editor (NOT WORD) on the footer.php and see if you can spot the code then.

  8. moshu
    Member
    Posted 6 years ago #

    Ah, that thing is more evil than I thought!
    It is using some script to insert the garbage. Did you download it recently from http://themes.wordpress.net ? or a long time ago?

    Pack the theme in a zip and send it over to my-name-here AT transycan net

  9. moshu
    Member
    Posted 6 years ago #

    Again: do not worry about the feeds now... you have a million links there to nasty ugly porno sites! THAT's the problem, not the feeds.

  10. cellobella
    Member
    Posted 6 years ago #

    I'm using wordpad but just checked in notepad and it says the same as my last post...

  11. cellobella
    Member
    Posted 6 years ago #

    Thanks Moshu - will do.

    I found the theme here: http://themes.wordpress.net/columns/3-columns/3053/beauty-50/

    And downloaded about 10 days ago.

    CB

  12. Jeremy Clark
    Moderator
    Posted 6 years ago #

    Moshu, could it be that maybe it is not the theme itself but that code has been inserted in the wp-footer itself?

    Edit: Just had a look at the theme and didn't see anything funny in the footer or sidebars or index.

  13. cellobella
    Member
    Posted 6 years ago #

    That's interesting Jeremy, I can't find a wp-footer file... should it sit under the main wordpress folder?

  14. moshu
    Member
    Posted 6 years ago #

    Actually, I have to apologize to the theme author(s). It is NOT the theme.
    It is your site/blog that has been compromised.

    Do you have world-writable files (like online theme editing)? Stop doing it.
    Change your passwords.
    Report to your host!
    Check out your source code to see what I am talking about!

  15. cellobella
    Member
    Posted 6 years ago #

    What are world-writable files?

  16. moshu
    Member
    Posted 6 years ago #

    chmod 666

  17. cellobella
    Member
    Posted 6 years ago #

    Okay. I'll check them out.
    Thanks for your help.

  18. cellobella
    Member
    Posted 6 years ago #

    I can't see any but will report to my host and get them to do a more thorough search.

  19. moshu
    Member
    Posted 6 years ago #

    But did you see the script and links in your source code?

  20. cellobella
    Member
    Posted 6 years ago #

    Oh yes!!! Frightening.

    I've emailed my host but I'm wondering what to look for to clean it out in the meantime. Any ideas?

    CB

  21. Jeremy Clark
    Moderator
    Posted 6 years ago #

    First worry about stopping further attacks from happening while your host is looking into it.

    http://codex.wordpress.org/Hardening_WordPress

  22. moshu
    Member
    Posted 6 years ago #

    You can check the "short and sweet" index file in the root WP install. Sometimes it is there.

    Or, it might be an unusual filename somewhere on your server (something that you know you didn't upload...)

    The worst case scenario is that your database has been compromised and the ugly script is there.
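
Added example, not part of any post in this thread: a Python sketch of the file-side checks suggested in posts 14, 16 and 22, flagging world-writable files (the "chmod 666" case) and files that contain the `var enkripsi=` string quoted in the first post. The sample tree, its file names and the list of extensions are constructed assumptions; the database case from post 22 is not covered.

```python
import os
import stat
import tempfile

MARKER = b"var enkripsi="   # string from the validator output quoted in post 1
CODE_EXT = {".php", ".js", ".html", ".htm"}   # assumed set of served file types

def scan_tree(root, marker=MARKER):
    """Map relative path -> list of findings for regular files under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue                      # ignore symlinks and specials
            hits = []
            if st.st_mode & stat.S_IWOTH:     # "other" write bit, e.g. mode 666
                hits.append("world-writable (%o)" % stat.S_IMODE(st.st_mode))
            if os.path.splitext(name)[1].lower() in CODE_EXT:
                try:
                    with open(path, "rb") as fh:
                        if marker in fh.read():
                            hits.append("contains script marker")
                except OSError:
                    hits.append("unreadable")
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def demo():
    """Scan a constructed sample tree (not the poster's real files)."""
    sample = {  # relative path -> (content, mode); all values constructed
        "index.php": (b"<?php /* loader */ ?>\n<div><script>var enkripsi=\"...\";</script></div>\n", 0o644),
        "wp-config.php": (b"<?php /* settings */ ?>\n", 0o640),
        "wp-content/themes/sample/footer.php": (b"<div id=\"footer\"></div>\n", 0o666),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (content, mode) in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(rel, "->", ", ".join(hits))
```

The marker is only the one string visible on this page; a clean result from it does not show that a site is clean.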

  23. Milo
    Member
    Posted 6 years ago #

    Thank you, with over 260000 downloads I'm sure I don't do any sponsor themes or insert scripts.
    btw: the nasty links are still appearing...

Topic Closed

This topic has been closed to new replies.