Hacked – what is showing on my startpage?

Skrollen
(@skrollen)

10 years, 2 months ago

Hi, my website skrolla.se was hacked today. I’ve removed about 10 000 html files placed on my server, and changed all my passwords. However my frontpage is still a hacked page, and I don’t know what to change to make my website show my real front page instead. Any ideas? All help very welcome!

Viewing 4 replies - 1 through 4 (of 4 total)

Moderator t-p
(@t-p)

10 years, 2 months ago

carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.
Thread Starter Skrollen
(@skrollen)

10 years, 2 months ago
Thank you for your response, I’ve followed a lot of those steps and have been able to solve some of my issues. Mostly thanks to Anti-Malware plugin which identified some of my infected website files.

However, I see this code in my website source:
```
<span style="position: absolute; left: -3938px; top: -2552px">
<a href="http://online-installment-loans.com">payday loans</a>
<a href="http://online-installment-loans.com">payday loans online</a>
<a href="http://online-installment-loans.com">online payday loans</a>
<a href="http://online-installment-loans.com">online loans</a>
<a href="http://online-installment-loans.com">installment loans</a>
<a href="http://online-installment-loans.com">payday loan</a>
<a href="http://online-installment-loans.com">spot loan</a>
<a href="http://online-installment-loans.com">loans online</a>
<a href="http://online-installment-loans.com">cash loans</a>
<a href="http://online-installment-loans.com">payday advance</a>
<a href="http://online-installment-loans.com">online installment loans</a>
</span>
```
I have no idea how to remove it, is there a way to find out what WordPress file is putting this code on my website?
Moderator Jan Dembowski
(@jdembowski)

Forum Moderator and Brute Squad

10 years, 2 months ago

As Tara already posted above, please remain calm and carefully follow this guide.

When you’re done, you may want to implement some (if not all) of the recommended security measures.

perezbox
(@perezbox)

10 years, 2 months ago

Hi

You’re suffering from what is known as Search Engine Poisoning (SEP). There is something being appended to your pages. Without accessing the environment it’s difficult to say exactly where it’s loading from, but take some time to do a search in your database.

A cool little trick is to do a search in your posts / pages using wp-admin to look for things like “payday loadns” “online payday loans”. This will only work if the payload is not encrypted, if it is it’ll be a bit trickier.

Here are a few articles that might help you:

https://blog.sucuri.net/2013/02/payday-loan-spam-affecting-thousands-of-sites.html

https://blog.sucuri.net/2014/11/combat-blackhat-seo-infections-with-seo-insights.html

https://blog.sucuri.net/2014/02/not-just-pills-or-payday-loans-its-essay-seo-spam.html

Each one talks to different forms of Blackhat SEO campaigns. Here is another write up that might be helpful: https://blog.sucuri.net/2012/11/website-malware-removal-ftp-tips-tricks.html

Best of luck

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Hacked – what is showing on my startpage?’ is closed to new replies.

Hacked – what is showing on my startpage?

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics