WordPress.org

Ready to get started?Download WordPress

Forums

Anti-Malware (Get Off Malicious Scripts)
[resolved] Unauthorised Links Injected (27 posts)

  1. brightonseo
    Member
    Posted 9 months ago #

    Hi Eli

    I downloaded your plugin but I don't know if it will help me.
    I have 3 sites on the same server that have had links inserted into the code and I can't seem to find them in the files.
    I am prepared to donate a small amount as budget is tight but do you know how I can remove the links as they will probsbly damage my sites.

    One for the sites is tenerifeforum.org.es and if you look in the source code, you'll notice this link: http://quick-loans.tripod.co.uk/
    That's the link that was placed in the code without my knowledge.
    I only found out when checking my outbound links.

    Please let me know if you can help.

    Thanks
    Peter

    http://wordpress.org/extend/plugins/gotmls/

  2. vinciandres
    Member
    Posted 9 months ago #

    Same problem here... http://www.memoriavisible.com

  3. brightonseo
    Member
    Posted 9 months ago #

    Looks like the same link.
    Here's what I did to remove it although I don't know if it will come back because it ws injected from plugins, I'm not sure which one.

    1. Install Wordfence plugin
    2. Make sure in plugin options, you select the theme file changes and plugin file changes.
    3. Run scan and when complete, scroll down to results and click on retore file to original for plugin results.
    4. For theme result if any, jus ignore until it changes.

    Check source code again and you'll see that the link is now gone.

    After this I installed Better WordPress Security as well to help hide some files and beef up security for the site.

  4. Eli
    Member
    Plugin Author

    Posted 9 months ago #

    If you can email me with a WP Admin login to your site I will look for the malicious code that is injecting that link.

    Send credentials directly to my email: eli at gotmls dot net

    Aloha, Eli

  5. vinciandres
    Member
    Posted 9 months ago #

    Done.

  6. brightonseo
    Member
    Posted 9 months ago #

    If you let me know how you get on and what you find please share it on this thread as it will be beneficial to me and others with the same problem.

    Thanks

  7. brightonseo
    Member
    Posted 9 months ago #

    I have also sent a Penguin spam report for the link on your site so that's the third one I've reported this week and I've been assured it will be deindexed. :)
    Whoever is doing this is wasting his time and money and everytime i see a link like this, I immediately report it so that it gets blacklisted.

  8. vinciandres
    Member
    Posted 9 months ago #

    Seems like my problem is solve,MUCHAS GRACIAS. :)

  9. Eli
    Member
    Plugin Author

    Posted 9 months ago #

    vinciandres,
    I did remove the links from you theme files but there are more infections that I am still working on.

  10. brightonseo
    Member
    Posted 9 months ago #

    Eli
    I don't think this is a theme problem, it's injected from plugin vulnerability.

  11. vinciandres
    Member
    Posted 9 months ago #

    opps sorry, your administrator acount is ON again... sorry...

  12. vinciandres
    Member
    Posted 9 months ago #

    And thakyou so much!!

  13. brightonseo
    Member
    Posted 9 months ago #

    The bad thing about this hack is that it's likely that there is a backdoor that the hacker has left in place so that they can keep on doing it,

  14. Eli
    Member
    Plugin Author

    Posted 9 months ago #

    vinciandres,
    I was not finished but it looks like you already restricted my admin access to your site so I cannot remove the rest of the treats I found.

    I guess you may want to do this yourself:
    1. There is still a backdoor in wp-includes/cm.php, this file can be deleted but make sure it is no longer included in any other scripts or it could break your site.
    2. Your .htaccess file in the root of the site has a malicious conditional redirect in it, but there is also good code in the bottom of that file.

    There may be other infections but, as I said, I could not finish.

    Aloha, Eli

  15. brightonseo
    Member
    Posted 9 months ago #

    Eli
    Could you have a look at my site to see if there is any file that is compromised?
    I get the feeling you're not interested in what I have to say which saya a lot really.

  16. vinciandres
    Member
    Posted 9 months ago #

    Sorry Eli, i really Sorry, I thought you were done, I do not know how to solve these other infections. I appreciate what you've done so far. I have renewed your administration permissions if you can continue helping me.

    thanks anyway,

    I will donate as soon as i can.

    You are a bless

  17. Eli
    Member
    Plugin Author

    Posted 9 months ago #

    Ok, I just cleaned up those other two files but your site does not come up any more. There is an error somewhere on your site. Can you provide FTP access to your server?

    Please email me directly: eli at gotmls dot net

  18. vinciandres
    Member
    Posted 9 months ago #

    My entire web crash, i will erase all and start from scratch...

    Seems like i need a clean wp instalation.

    i don't know what else to do.

    Bueno, gracias.

  19. Eli
    Member
    Plugin Author

    Posted 9 months ago #

    Sorry brightonseo,
    I have not received any admin credentials for your site (I also have not received any of the notifications from your post, but I do see them here).

    It is hard for me to help two different people on the same thread with two different problems.

    If both of you can please email me directly I can reply accordingly.

    Aloha, Eli

  20. Eli
    Member
    Plugin Author

    Posted 9 months ago #

    vinciandres,
    I see that you have reloaded your site. Is everything working correctly? No sign of malware?
    ----------------------------------------------------------------------
    brightonseo,
    I still have not heard from you. Can you email me directly? I would like to look at your site too.

    I don't know why I have not gotten email notifications of your posts here on this forum but I have replied an I am still waiting to hear how I can help you.

    Aloha,
    Eli

  21. brightonseo
    Member
    Posted 9 months ago #

    Hello Eli

    I'll get back to you in a while, just sorting out some things.:)

  22. vinciandres
    Member
    Posted 9 months ago #

    Seems to be fine. Any clue about the source of infection? Is a plugin?

  23. Eli
    Member
    Plugin Author

    Posted 9 months ago #

    brightonseo,
    I see that you have rated my plugin with only one star. I would take this to mean that you are unsatisfied with either my plugin or my service. I would like to point out that I have offered to help you with your issue (just as I do with anyone who contacts me for help), and I would also like you to keep in mind that this is a free plugin that I have worked very hard on and I give away my time to helping people clean up their sites. I also have work and a family but I really try to give my best effort to everyone who needs my help.

    I know you said you have some things to "sort out" but I am here and ready to help you whenever you are ready. I think you and vinciandres have different infection and vinciandres's infection was in his theme. I think that infection came from another site on the same server, but I cannot be sure. I will not know anything about yours until I can see it but I would very much like the opertunity to find it. I add every new threat that I find to my definition update so that it may be removed automatically in the future. If I can see your infected files it will help me to engineer an automatic fix for them. I'm not sure how you got the impression that I was ignoring you because many of my posts (including my firs one) where for you as well but please concider giving me another chance to help you.

    Aloha, Eli

  24. brightonseo
    Member
    Posted 9 months ago #

    Eli

    When I wrote the review I was extremely annoyed that although I started this thread, I was ignored and it was almost as if I never asked a quesrtion.
    I don't know how to remove the review so if you have any idea then feel free to let me know and I will remove it as it doesn't say a lot anyway.

    The site seems clean as my host ended up helping me but I don't know if the malicious code will return so I just have to monitor it.
    There was obviously some misunderstanding in this thread and with you not receiving notifications of my posts, is it any wonder.

    Aloha
    Peter

  25. vinciandres
    Member
    Posted 9 months ago #

    Hi Eli,

    I erased the web pages related to the same data base.
    Other data bases are related to the same user.

    There is a risk for the others sites and web pages related to them?

    Gracias por la ayuda.

  26. Eli
    Member
    Plugin Author

    Posted 9 months ago #

    Peter,
    I'm glad you got your site clean and it's good to hear that your hosting provider was helpful (honestly many host aren't very helpful at all when it comes to removing infections).
    It bothers me that I never received any notification of your posts (especially when I was getting every notification of vinciandres' posts). I did not even know that your topic had been created until vinciandres posted his first entry. If you would be willing to send me a test email directly then we would both know that you could contact me directly if you ever need help in the future. My direct email is eli at gotmls dot net

    Every should also know that if you are hosting your site on a shared server with other sites and any one of them gets infected it can spread around to all the sites on the host and sometime come back to reinfect your site again.

    I am marking this topic resolved, but both of you should keep a close eye on your sites for any signs of reinfection, and feel free to contact me directly anytime.

    You can also try posting a comment or a forum topic on my own site gotmls.net

    Aloha, Eli

  27. brightonseo
    Member
    Posted 9 months ago #

    Thanks Eli
    You're a gentleman.:)
    I have WordFence installed and every now and then is notifies me of a change in plugin files so I just select restore to original files.
    I have since moved the main site to another host which seems better organised ans above all, is not unlimited use so there should be less abuse on the server.
    WordPress seems to be taking a pounding these days and although I have all security in place, I still get attempted logins to access files that don't exist because they are hidden from the bots.
    Maybe the only thing left to do now is to change the url of the login page.
    Is that a good idea Eli or should I just ignore it?

Reply

You must log in to post.

About this Plugin

About this Topic

Tags

No tags yet.