A new spam hack – including on

  • Hi,
    I found that my website was hacked!
    It starts on the HTML body with javascript function xViewState()
    and follows with a lot of invisible spammy links wrapped with <p class="nemonn">. (can be seen only through view source)

    The thing is – I found it on as well!!
    I just removed it through the code editor so it doesn’t appear anymore. If you google the line above you will find it on more websites built on WordPress, for example.

    I have no idea when this code was injected. I have the latest version of WordPress, yet I have waited a bit before upgrading to it (couple of weeks).

    Does anybody know what it is and how it got to the system?
    Thanks in advance!

    UPDATE: it seems not to be the first time. It was also reported in August 2012 for Joomla:

Viewing 12 replies - 1 through 12 (of 12 total)
  • Thread Starter sumsuman


    I didn’t mention that I found it on header.php on my theme directory.

    I also found this code in a client’s header page from a custom theme.

    This is what I have found out about “nemonn”

    Just removing the obfuscated javascript from the header will not work permanently.

    There will be an additional base64 coded file elsewhere (the backdoor) – and possibly more than one. They seem to be located in the core wp-admin directory and are randomly named but seem to follow the update-randomname-randomname.php taxonomy.

    Just updating / reinstalling WordPress from the admin won’t remove this file.

    Additionally you should follow guidance given elsewhere for changing ALL passwords (FTP, database and WordPress admins) and follow instructions for Hardening WordPress.

    I also just found this script in two WP installations that both used the same Template. The Header file in each was hacked with the nemonn code.

    Now removed from the header. All passwords now changed and looking at Hardening.

    Thread Starter sumsuman


    I found a base64 code, under the name update-frazer-importance.php, under /wp-admin/includes

    Antivirus detected the file as PHP/Kryptik.AB trojan.

    I understand now the reason why I did not find it on Twenty-Eleven themes – since I updated those themes regularly, the infected header.php was probably replaced in the new version.

    Thread Starter sumsuman


    My sites were hacked again in the same way… Now a new form, with a changing class (not necessarily “nemonn”). Spammy code block now starts with:
    <script language="JavaScript">function xtrackPageview
    followed by regex and then a spammy link.

    Again, only custom themes’ header.php was hacked, not TwentyEleven themes.

    First time after my sites were hacked I moved to a secure FTP connection. That wasn’t the reason apparently, now I am taking extra security measures. We’ll see.

    If you have been hacked, you need to go through all of these resources – if it’s a repeat hack, you may not have gotten rid of the vulnerability or your server may have also been the source. If it was a custom theme, consider changing themes.

    Additional Resources:

    Thread Starter sumsuman


    Thank you for the links, didn’t know all of them.

    Unfortunately I have no possibility of changing the theme. I have to keep trying, and eventually contact theme creator, but this is only after I checked my own server. Perhaps it is GoDaddy shared hosting that is creating the vulnerability.

    I am still curious how come only non-wp themes were hacked, though.

    From what we have seen here, yes, GoDaddy servers have been hacked recently. You should check with them if you have further questions about your site. Those themes were likely not coded correctly or perhaps are using insecure plugins — which is why we recommend only using themes that meet WP standards and always update your WP, themes and plugins as soon as possible.

    If it is, in fact, your theme that has a security issue, you might rethink using it:

    Same here. Using WP version 3.5.1 with a custom theme (from a trusted source) on GoDaddy.

    Installed Plugins include… (not saying any of these are at fault)

    Easy Contact
    Hello Dolly
    Jetpack by
    W3 Total Cache
    Widget Logic
    WordPress Importer
    Yoast Breadcrumbs

    Aside from the modified header.php file, the one suspicious file I found is named wp-comments-get.php in the base directory. It’s 871 bytes and has mostly lines of code that look like this…

    [Spam code removed – please do not post that here]

    To start with, I plan on cleaning the spammy stuff from the header.php file and deleting the file named wp-comments-get.php. Then, I suppose I’ll delete most of those plug-ins and keep a sharp eye out for any re-occurrences.

    I have several WP installs on my GoDaddy shared hosting that have been having this issue for a few months now. I am using themes that I generate with Artisteer.

    Always in the theme header (or a similar hack always in the theme functions.php) file. Never in the twenty-whatever themes.

    The really strange thing to me is that the header.php (or functions.php) file timestamp of when it was last changed doesn’t change… the hacked code just appears in the file… I don’t understand this.

    Is this a GoDaddy issue? One of the plug-ins? Artisteer themes?


    @steveax: As per the Forum Welcome, please post your own topic. Posting in an existing topic prevents us from being able to track issues by topic. Added to which, your problem – despite any similarity in symptoms – is likely to be completely different.
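
Added example (not code posted by anyone in this thread): a Python check that walks a WordPress tree for the indicators reported above, namely the xViewState / xtrackPageview / nemonn strings in theme files, update-word-word.php names under wp-admin, and wp-comments-get.php in the site root, and that compares content hashes against a baseline, since the replies note that the file timestamp did not change. The `eval(base64_decode(` pattern and the sample tree built by `demo()` are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators quoted in the posts above; ENCODED is an added generic assumption.
MARKERS = (b"function xViewState", b"function xtrackPageview", b"nemonn")
DROPPER = re.compile(r"^update-[a-z]+-[a-z]+\.php$")  # update-frazer-importance.php
ENCODED = re.compile(rb"eval\s*\(\s*base64_decode\s*\(")

def php_files(root):
    """Yield (relative posix path, content bytes) for each .php file."""
    for p in Path(root).rglob("*.php"):
        if p.is_file():
            yield p.relative_to(root).as_posix(), p.read_bytes()

def scan(root):
    """Return sorted (path, reason) pairs for files matching the indicators."""
    hits = []
    for rel, data in php_files(root):
        folder, _, name = rel.rpartition("/")
        in_admin = (folder + "/").startswith("wp-admin/")
        if (in_admin and DROPPER.match(name)) or rel == "wp-comments-get.php":
            hits.append((rel, "name pattern from thread"))
        if ENCODED.search(data):
            hits.append((rel, "eval(base64_decode"))
        if folder.startswith("wp-content/themes/"):
            hits += [(rel, "marker " + m.decode()) for m in MARKERS if m in data]
    return sorted(hits)

def digests(root):
    """Map path -> SHA-256 of content; a baseline that ignores timestamps."""
    return {rel: hashlib.sha256(data).hexdigest() for rel, data in php_files(root)}

def demo():
    """Constructed sample tree: returns (scan hits, paths whose hash changed)."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, text):
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        header = "wp-content/themes/custom/header.php"
        put(header, "<html><body>")
        put("wp-admin/update-core.php", "<?php // stand-in for a core file")
        before = digests(root)
        put(header, "<html><body><script>function xViewState(){}</script>")
        put("wp-admin/includes/update-frazer-importance.php", "<?php eval(base64_decode('AA=='));")
        after = digests(root)
        return scan(root), sorted(p for p in after if before.get(p) != after[p])
```

Because the file names are reported as random and the injected class name changes, a hit list from `scan()` is a starting point; the `digests()` comparison against a copy taken from a known-clean install catches files the name and string checks miss.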

  • The topic ‘A new spam hack – including on’ is closed to new replies.