Trying to identify source file for hack (5 posts)

  1. bswb97
    Member
    Posted 1 year ago #

    I'm working on a site for our local school and it's been hacked with hidden spam code. It shows up in the page's source code right above the wrapper and container divs. See http://www.miravistaschool.com. It's on every page or post.

    I've checked the Header and Index files of my theme and see nothing out of sorts. I've also tried switching to the native 2012 theme and it still exists. I've also switched off all plugins and it didn't change anything.

    I updated to v3.6 and that didn't change anything. I ran WordFence and it did not detect any file anomalies.

    I've run through several hack cleanup tutorials and it looks like I've run through the checklist of standard things to do. Any other suggestions on locating the source file of the hack before I do a fresh file install? What really confuses me is that if it IS malicious code inside a file, wouldn't WordFence pick it up?

  2. I'm working on a site for our local school and it's been hacked with hidden spam code.

    Not good.

    I've checked the Header and Index files of my theme and see nothing out of sorts.

    You really need to get fresh copies of everything where possible. All of your files are suspect now.

    This is often quoted but really is the right response to your problem.

    You need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

  3. ReneODeay
    Member
    Posted 1 year ago #

    In the source code of your index file, right under the body tag, there is a div with class="y_letup"
    and right after that is the P with the spam injection.
    So I would look in your style CSS files for this injection.

    I have been having similar problems, so I can relate to how hard it is to find this bloody code. 7 months now for one of my formerly popular blogs.

    I thought your site looked okay, until I pulled up your page info and found the malicious links, then looked at the source code.

    Considering how many plugins, with style sheets, you've got a lot of style sheets to look at.
    Good luck.
    René

  4. bswb97
    Member
    Posted 1 year ago #

    I've done the less-nuclear path of deleting and clean installing the WP files in the root directory, wp-includes folder, and wp-admin folder. It's still showing up (made sure I used a cache-less browser).

    In this case, I didn't touch the wp-content folder. However, prior to this, I did deactivate all plugins and switch themes and it still showed up. Where else could this possibly be? Is it possible the MySQL database is corrupted? And if so, would an XML export of page/post content still contain this?

    This is a shared GoDaddy account with another non-WP user. Is it possible that the malicious script was put in that way?

    Thanks! Talk about frustrating!
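
Added example, not part of the thread or any poster's code: a marker search built on the `y_letup` class name noted in the reply above, run over a downloaded copy of the site with a database dump or XML export saved into the same folder. It also looks for the marker's base64 forms, which a plain text search misses; the function names and folder layout are assumptions.

```python
import base64
import os

MARKER = b"y_letup"  # class name seen in the injected markup, per the thread


def b64_variants(marker: bytes) -> set:
    """Base64 substrings that appear whenever `marker` was base64-encoded
    inside a larger blob, one for each of the three byte alignments."""
    variants = set()
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + marker)
        n = pad + len(marker)
        start = (0, 2, 3)[pad]      # skip chars that mix in the unknown bytes before
        end = (n // 3) * 4 + n % 3  # keep only chars independent of the bytes after
        variants.add(enc[start:end])
    return variants


def scan_tree(root: str, marker: bytes = MARKER) -> list:
    """Return sorted (relative_path, kind) hits; kind is 'literal' or 'base64'."""
    encoded = b64_variants(marker)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            rel = os.path.relpath(path, root)
            if marker in data:
                hits.append((rel, "literal"))
            if any(v in data for v in encoded):
                hits.append((rel, "base64"))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Usage: python scan_marker.py /path/to/site-copy
    for rel, kind in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:8} {rel}")
```

A hit in the dump or export points at the database rather than the files. No hits does not clear the copy, since the markup can also be compressed, split across strings, or fetched remotely at request time.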

  5. ReneODeay
    Member
    Posted 1 year ago #

    Since I have the same infestation, but only on one of my WordPress blogs, I can totally relate to your frustrations.

    I've done every search, through the database, and just about all files, etc., and have come to the conclusion that it is WordPress.
    When you have thousands of files and included add-ons like SimplePie, etc., just in the plain install, it is just about impossible to find any little blinking thing.
    And Google is the worst for the pharma hacks, serving them up just for the most popular sites, then spamming your Gmail and other mail through your history, and any Google scripts you add.

    Yeah, you can PAY someone to clean it up, but then you've got to wonder if they are the ones who injected the malicious code in the first place.

This topic has been closed to new replies.