Title: A new spam hack – including on wordpress.org
Last modified: August 20, 2016

---

# A new spam hack – including on wordpress.org

 *  [sumsuman](https://wordpress.org/support/users/sumsuman/)
 * (@sumsuman)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/a-new-hack-including-wordpressorg/)
 * Hi,
    I found that my website was hacked! It starts in the HTML body with a JavaScript
   function `xViewState()` and continues with a lot of invisible spammy links wrapped
   in `<p class="nemonn">` (visible only through view source).
 * The thing is – I found it on wordpress.org as well!!
    I just removed it through the code editor so it doesn’t appear anymore. If you
   google the line above you will find it on more websites built on WordPress, for
   example: wordpress.org/support/topic/theme-meeta-how-to-remove-popular-posts-tags-in-header?replies=11
 * I have no idea when this code was injected. I have the latest version of wordpress,
   yet I have waited a bit before upgrading to it (couple of weeks)
 * Does anybody know what it is and how it got to the system?
    Thanks in advance!
 * UPDATE: it seems not to be the first time. It was also reported on August 2012
   for Joomla:
    [http://forum.joomla.org/viewtopic.php?f=621&t=754466](http://forum.joomla.org/viewtopic.php?f=621&t=754466)


 *  Thread Starter [sumsuman](https://wordpress.org/support/users/sumsuman/)
 * (@sumsuman)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/a-new-hack-including-wordpressorg/#post-3239061)
 * I didn’t mention that I found it on header.php on my theme directory.
 *  [blogical](https://wordpress.org/support/users/blogical/)
 * (@blogical)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/a-new-hack-including-wordpressorg/#post-3239128)
 * I also found this code in a client’s header page from a custom theme.
 *  [willt87](https://wordpress.org/support/users/willt87/)
 * (@willt87)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/a-new-hack-including-wordpressorg/#post-3239168)
 * This is what I have found out about “nemonn”
 * Just removing the obfuscated javascript from the header will not work permanently.
 * There will be an additional base64 coded file elsewhere (the backdoor)- and possibly
   more than one. They seem to be located in the core wp-admin directory and are
   randomly named but seem to follow the update-randomname-randomname.php taxonomy.
 * Just updating / reinstalling WordPress from the admin won’t remove this file.
 * Additionally you should follow guidance given elsewhere for changing ALL passwords
   (FTP, database and WordPress admins) and follow instructions for Hardening WordPress.
 *  [tangoev](https://wordpress.org/support/users/tangoev/)
 * (@tangoev)
 * [13 years, 5 months ago](https://wordpress.org/support/topic/a-new-hack-including-wordpressorg/#post-3239193)
 * I also just found this script in two WP installations that both used the same
   template. The header file in each was hacked with the nemonn code.
 * Now removed from the header. All passwords now changed and looking at Hardening.
 *  Thread Starter [sumsuman](https://wordpress.org/support/users/sumsuman/)
 * (@sumsuman)
 * [13 years, 5 months ago](https://wordpress.org/support/topic/a-new-hack-including-wordpressorg/#post-3239194)
 * I found a base64 code, under the name `update-frazer-importance.php`, under
   `/wp-admin/includes`.
 * Antivirus detected the file as PHP/Kryptik.AB trojan.
 * I understand now the reason why I did not find it on Twenty-Eleven themes – since
   I updated those themes regularly, the infected header.php was probably replaced
   in the new version.
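The indicators the posters have listed so far (the injected `xViewState()` JavaScript and `<p class="nemonn">` blocks in a theme's header.php, a base64-coded PHP file dropped into wp-admin under an `update-<word>-<word>.php` name) can be swept for with a short read-only scan. The script below is an added example, not code from this thread or from WordPress; the directory tree it scans is constructed for the demonstration, and the regex shapes and the "200 characters of base64" threshold are my own assumptions rather than anything the thread specifies.

```python
"""Read-only indicator scan for the 'nemonn' spam hack described in this thread.

Added example, not code from the forum thread or from WordPress. It looks for the
three things the posters found: the injected xViewState()/xtrackPageview() JavaScript
and <p class="nemonn"> link blocks in theme header.php files, PHP files that eval()
an encoded payload, and PHP files dropped into wp-admin under the
update-<word>-<word>.php naming pattern willt87 describes. The tree it scans below
is constructed for the demonstration; pattern shapes and thresholds are assumptions.
"""
import os
import re
import tempfile
from typing import List, Tuple

# Markers quoted in the thread: the injected JS function names and the hidden link wrapper.
HEADER_INJECTION = re.compile(
    r'function\s+x(?:ViewState|trackPageview)\s*\('
    r'|<p\s+class=["\']?nemonn["\']?'
)
# eval() wrapped around a decoder is the classic shape of a base64-coded PHP backdoor.
# Legitimate code occasionally does this too, so a hit is a lead to inspect, not a verdict.
PHP_BACKDOOR = re.compile(
    r'eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(',
    re.IGNORECASE,
)
# A long unbroken base64 run in a PHP file (the dropped file in the thread was ~871 bytes of it).
LONG_B64 = re.compile(r'[A-Za-z0-9+/]{200,}={0,2}')
# Random-word file names such as update-frazer-importance.php (assumed shape from the thread).
DROPPER_NAME = re.compile(r'^update-[a-z]+-[a-z]+\.php$')


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return sorted (relative path, reason) pairs. Never modifies files."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            if rel.startswith('wp-admin/') and DROPPER_NAME.match(name):
                findings.append((rel, 'update-<word>-<word>.php name inside wp-admin'))
            if not name.endswith(('.php', '.html', '.htm', '.js')):
                continue
            try:
                with open(path, 'r', encoding='utf-8', errors='replace') as fh:
                    data = fh.read()
            except OSError:
                continue
            if name == 'header.php' and HEADER_INJECTION.search(data):
                findings.append((rel, 'injected spam JavaScript/links in theme header'))
            if name.endswith('.php'):
                if PHP_BACKDOOR.search(data):
                    findings.append((rel, 'eval() over an encoded payload'))
                elif LONG_B64.search(data):
                    findings.append((rel, 'long base64 blob in PHP file'))
    return sorted(findings)


def build_sample_site() -> str:
    """Constructed fixture mirroring the layout the posters describe; returns its root."""
    root = tempfile.mkdtemp(prefix='wp-sample-')
    files = {
        # custom theme header carrying the injected block
        'wp-content/themes/custom/header.php':
            '<html><body>\n'
            '<script language="JavaScript">function xViewState(){document.write("")}</script>\n'
            '<p class="nemonn"><a href="http://spam.example.invalid/">x</a></p>\n',
        # bundled theme that was updated regularly and is clean
        'wp-content/themes/twentyeleven/header.php':
            '<?php /* clean header */ ?>\n<html><body>\n',
        # the dropped backdoor: random-word name plus eval(base64_decode(...))
        'wp-admin/includes/update-frazer-importance.php':
            '<?php eval(base64_decode("' + 'QUFB' * 80 + '")); ?>\n',
        # a genuine-looking core file that must not be flagged
        'wp-admin/includes/update.php':
            '<?php /* core */ function wp_version_check_stub() { return true; } ?>\n',
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(body)
    return root


if __name__ == '__main__':
    for rel, reason in scan_tree(build_sample_site()):
        print(f'{reason:48s} {rel}')
```

Run it against a copy of the site taken with the web server stopped, and treat the output as a work list: the `update-<word>-<word>.php` name match and the `eval()` match are strong together, while a lone long base64 blob also fires on legitimate minified assets and must be eyeballed. The scan deliberately reads and never deletes, since a cleanup that removes the header injection but leaves the dropper (the failure willt87 warns about) is what leads to the reinfection reported later in this thread.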
 *  Thread Starter [sumsuman](https://wordpress.org/support/users/sumsuman/)
 * (@sumsuman)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/a-new-hack-including-wordpressorg/#post-3239199)
 * My sites were hacked again in the same way… Now in a new form, with a changing class
   (not necessarily “nemonn”). The spammy code block now starts with
   `<script language="JavaScript">function xtrackPageview` followed by a regex and then a spammy link.
 * Again, only custom themes’ header.php was hacked, not TwentyEleven themes.
 * First time after my sites were hacked I moved to secure FTP connection. That 
   wasn’t the reason apparently, now I am taking extra security measures. We’ll 
   see.
 *  [WPyogi](https://wordpress.org/support/users/wpyogi/)
 * (@wpyogi)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/a-new-hack-including-wordpressorg/#post-3239200)
 * If you have been hacked, you need to go through all of these resources – if it’s
   a repeat hack, you may not have gotten rid of the vulnerability or your server
   may have also been the source. If it was a custom theme, consider changing themes.
 * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Additional Resources:
    [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/)
   [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 *  Thread Starter [sumsuman](https://wordpress.org/support/users/sumsuman/)
 * (@sumsuman)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/a-new-hack-including-wordpressorg/#post-3239201)
 * Thank you for the links, didn’t know all of them.
 * Unfortunately I have no possibility of changing the theme. I have to keep trying,
   and eventually contact theme creator, but this is only after I checked my own
   server. Perhaps it is Godaddy shared hosting that creating the vulnerability.
 * I am still curious how come only non-wp themes were hacked, though.
 *  [WPyogi](https://wordpress.org/support/users/wpyogi/)
 * (@wpyogi)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/a-new-hack-including-wordpressorg/#post-3239202)
 * From what we have seen here, yes, GoDaddy servers have been hacked recently.
   You should check with them if you have further questions about your site. Those
   themes were likely not coded correctly or perhaps are using insecure plugins —
   which is why we recommend only using themes that meet WP standards and always
   update your WP, themes and plugins as soon as possible.
 * If it is, in fact, your theme that has a security issue, you might rethink using
   it:
 * [http://www.chipbennett.net/2010/12/10/only-download-wordpress-themes-from-trusted-sources/](http://www.chipbennett.net/2010/12/10/only-download-wordpress-themes-from-trusted-sources/)
 *  [cbede](https://wordpress.org/support/users/cbede/)
 * (@cbede)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/a-new-hack-including-wordpressorg/#post-3239207)
 * Same here. Using WP version 3.5.1 with a custom theme (from a trusted source)
   on GoDaddy.
 * Installed plugins include… (not saying any of these are at fault)
 * AdRotate, Akismet, Easy Contact, Hello Dolly, Jetpack by WordPress.com, W3 Total
   Cache, Widget Logic, WordPress Importer, WP-PageNavi, Yoast Breadcrumbs
 * Aside from the modified header.php file, the one suspicious file I found is named
   _wp-comments-get.php_ in the base directory. It’s 871 bytes and has mostly lines
   of code that look like this…
 * _[Spam code removed – please do not post that here]_
 * To start with, I plan on cleaning the spammy stuff from the header.php file and
   deleting the file named wp-comments-get.php. Then, I suppose I’ll delete most
   of those plug-ins and keep a sharp eye out for any re-occurrences.
 *  [SteveAx](https://wordpress.org/support/users/steveax/)
 * (@steveax)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/a-new-hack-including-wordpressorg/#post-3239208)
 * I have several WP installs on my GoDaddy shared hosting that have been having this
   issue for a few months now. I am using themes that I generate with Artisteer.
 * Always in the theme header (or a similar hack always in the theme functions.php)
   file. Never in the twenty-whatever themes.
 * The really strange thing to me is that the header.php (or functions.php) file
   timestamp of when it was last changed doesn’t change… the hacked code just appears
   in the file… I don’t understand this.
 * Is this a GoDaddy issue? One of the plug-ins? Artisteer themes?
 * Thoughts?
    Steve
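The "content changed but the file date didn't" observation has a mundane explanation worth checking: a dropper running as the web user can reset a file's modification time (mtime) with `touch` or PHP's `touch()`, but on Linux and other Unix-like systems it cannot set the inode change time (ctime), which the kernel bumps on every write or metadata change, including the touch itself. A large gap between a file's ctime and its mtime is therefore a cheap sign that the mtime was back-dated. The script below is an added example, not code from this thread; the sample files are constructed in a temporary directory, and the one-hour gap threshold is my own choice.

```python
"""Timestamp check for files whose mtime has been back-dated.

Added example, not code from the forum thread. Relies on the Unix rule that an
unprivileged process can set mtime/atime (utime(2)) but not ctime, which the kernel
updates on any write or attribute change. Sample files are constructed in a temp
directory; the gap threshold is an assumption.
"""
import os
import tempfile
import time
from typing import List


def backdated_files(root: str, min_gap_seconds: float = 3600) -> List[str]:
    """Return relative paths of files whose ctime is later than their mtime by more than the gap.

    Caveats: on Windows st_ctime is the creation time, not the change time, so this only
    applies on Unix-like systems. An attacker with root can defeat it (clock games or
    filesystem debuggers), so treat a hit as a lead, not proof. Normal edits keep mtime
    and ctime within seconds of each other, which is what the clean file shows.
    """
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if st.st_ctime - st.st_mtime > min_gap_seconds:
                hits.append(os.path.relpath(path, root).replace(os.sep, '/'))
    return sorted(hits)


def build_sample() -> str:
    """Constructed fixture: one untouched file and one rewritten-then-back-dated file."""
    root = tempfile.mkdtemp(prefix='wp-ts-')
    clean = os.path.join(root, 'functions.php')
    with open(clean, 'w', encoding='utf-8') as fh:
        fh.write('<?php /* untouched */ ?>\n')
    tampered = os.path.join(root, 'header.php')
    with open(tampered, 'w', encoding='utf-8') as fh:
        fh.write('<?php /* rewritten by the dropper */ ?>\n'
                 '<script>function xViewState(){}</script>\n')
    # Emulate the dropper: push atime and mtime 30 days into the past.
    # utime() itself is a metadata change, so ctime becomes "now" and the gap appears.
    thirty_days_ago = time.time() - 30 * 86400
    os.utime(tampered, (thirty_days_ago, thirty_days_ago))
    return root


if __name__ == '__main__':
    print(backdated_files(build_sample()))
```

On a shell account the same comparison is visible in `stat header.php`, which prints separate `Modify:` and `Change:` lines; GNU `find` can select on the change time with `-newerct`. When both times agree and still predate the injection, the write did not go through the filesystem the way a normal edit would (for example the content was restored from a rogue backup or the file is being rewritten at request time), which is a reason to look at functions.php and the plugin set rather than only at the header.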
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/a-new-hack-including-wordpressorg/#post-3239209)
 * **[@steveax](https://wordpress.org/support/users/steveax/)**: As per the [Forum Welcome](http://codex.wordpress.org/Forum_Welcome#Where_To_Post),
   please [post your own topic](http://wordpress.org/support/forum/how-to-and-troubleshooting#postform).
   Posting in an existing topic prevents us from being able to track issues by topic.
   Added to which, your problem – despite any similarity in symptoms – is likely
   to be completely different.


The topic ‘A new spam hack – including on wordpress.org’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 12 replies
 * 8 participants
 * Last reply from: [esmi](https://wordpress.org/support/users/esmi/)
 * Last activity: [13 years, 4 months ago](https://wordpress.org/support/topic/a-new-hack-including-wordpressorg/#post-3239209)
 * Status: not resolved
