Support » Fixing WordPress » Hacked: Can't find source of injection

  • I was contacted to rescue an old WP site of mine that I haven’t worked on in a few months. It started showing in Google with words like “Cialis” and “Viagra” in the search engine results. Investigation showed Google reported it as appearing to be cloaked as of May 17th.

    I’ve changed all passwords and security keys, but cannot find the source of the injected code. When I run Google’s “Fetch as Google” tool, I see this in the header:

    HTTP/1.1 200 OK
    Date: Tue, 22 May 2012 02:16:21 GMT
    Server: Apache
    Cache-Control: no-cache, no-store, must-revalidate
    Keep-Alive: timeout=2, max=10
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html
    <!DOCTYPE html>
    <html dir="ltr" lang="en-US">
    .c2fvhhr33	{
    	visibility: hidden;
    <meta charset="UTF-8" />

    Where the STYLE has been injected. There is then code injected into some rollover JavaScript in the template:

    <script type="text/javascript">
    function MM_swapImgRestore() { //v3.0
      var i,x,a=document.MM_sr; for(i=0;a&&i&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a class='c2fvhhr33' href="">rockbottom viagra prices</a><a class='c2fvhhr33' href="">cialis daily dose strength</a> ...

    etc. where the links are actual links within my site (edited for client privacy).

    I disabled all plugins and re-ran the “Fetch as Google” tool and the code was still injected. I changed themes and re-ran the “Fetch as Google” tool and the code was still there. I’ve searched the entire WP database for “%visibility: hidden;%” as well as “%<noscript%” and others I found via various blogs as potential sources of injection.

    I’ve searched the wp_options table and see no odd entries; I’ve searched all of the plugin folders and see nothing odd there, either.

    Starting from scratch with a clean WP install and all new plugins and themes is not a viable option right now due to the complexity of the site.

    Other ideas?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Moderator Jan Dembowski


    Brute Squad and Volunteer Moderator

    Starting from scratch with a clean WP install and all new plugins and themes is not a viable option right now due to the complexity of the site

    Not so good. Until you completely delouse your WordPress installation, every one of those plugins and themes is suspect and may have exploit code in them.

    Getting fresh copies from the source really is the way to go. If you can’t do that, for whatever reason, then you risk being continuously compromised.

    Here is the standard response for hacked sites.

    You need to start working your way through these resources:

    Additional Resources:
    Hardening WordPress

    The theme and one plugin – the main plugin that runs the site – are custom and there is no “source” to reinstall them from. 🙁

    Looks like I’ve already been to almost all of the posts you’ve referenced, but I will check the ones I have not yet been to…

    Perhaps you may ask help from the tech person in your hosting provider and they might find the source of injection.

    I am already working with my web host, who is as stumped as I am at the moment… but they are looking!

    Was just hoping someone here might have more insight than I’m able to manage on my own at the moment. 🙂

    I’ve gone through all of the links above and have done all except replace WP install and plugins. And while that would “fix” it, it still wouldn’t tell me what happened, so I’m going to plug away at it a while longer to try to find that actual source/cause.

    Want to find the source?
    Best way is checking files by modification time… combined with server log analysis.

    Often, each case requires individual attention, so there is no single recipe.

    Hi sommernyte,

    You can also do the following:

    1. Download all the WordPress files from your website to a local location.
    2. Download the latest WordPress files.
    3. Compare both (you will see differences in plugins and themes) but you should not notice changes in the WordPress code.

    This way you can find out what the injection is, and hopefully, once you know what the injection is, you can find out more about it (on Google or so) and how it is typically injected.

    To compare directories and files you can use a free open source tool such as WinMerge.
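
The comparison in the three steps above can also be scripted. This is an added example, not code from the thread: it hashes both trees and reports changed core files, unknown files outside wp-content, and PHP files under uploads. It assumes the clean copy is the same WordPress version as the site; the demo trees and file names are constructed.

```python
import hashlib
import os
import tempfile

EXPECTED_EXTRA = {"wp-config.php", ".htaccess"}  # assumption: site-only files that are normal

def hash_tree(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_to_clean(site_root, clean_root):
    """Flag changed core files, unknown files outside wp-content, PHP in uploads."""
    site, clean = hash_tree(site_root), hash_tree(clean_root)
    report = {"modified": [], "extra": [], "php_in_uploads": []}
    for path in sorted(site):
        if path in clean:
            if site[path] != clean[path]:
                report["modified"].append(path)
        elif path.startswith("wp-content/uploads/") and path.endswith(".php"):
            report["php_in_uploads"].append(path)
        elif not path.startswith("wp-content/") and path not in EXPECTED_EXTRA:
            report["extra"].append(path)
    return report

def demo():
    # Constructed trees: a clean copy and a "site" copy with planted differences.
    core = {"index.php": "<?php // loader\n", "wp-includes/version.php": "<?php // v\n"}
    site_only = {
        "wp-config.php": "<?php // settings\n",
        "wp-includes/version.php": "<?php // v, altered\n",
        "wp-includes/cache-old.php": "<?php // not in clean copy\n",
        "wp-content/themes/custom/functions.php": "<?php // custom theme\n",
        "wp-content/uploads/2012/05/img.php": "<?php // PHP in uploads\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = os.path.join(tmp, "clean"), os.path.join(tmp, "site")
        for root, files in ((clean, core), (site, {**core, **site_only})):
            for rel, text in files.items():
                full = os.path.join(root, rel)
                os.makedirs(os.path.dirname(full), exist_ok=True)
                with open(full, "w") as fh:
                    fh.write(text)
        return compare_to_clean(site, clean)
```

Custom themes and plugins under wp-content are skipped because there is no clean copy to compare them with; those still need a manual review.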

    Have you tried the Exploit Scanner plugin and the scanner?

    Here is an article with more info on Exploit Scanner:

    I had looked at the modification times, but the tricky part is I no longer work for the company whose website this is, so I had no idea who’d updated what and when since I’d left. I was just called back to rescue the site.

    This was the message from my web host, who ultimately found the affected files:

    At least the following files are


    Those files are relatively new (created within the last two months). So we compared the modification times on those two files to see exactly what else was happening on the site when they were created, and we found that at the moment that happened, a Russian IP address was issuing POST commands to this URL:


    So that was also an infected file. However, that file has since been deleted. So it may have been the original source of the infection, or it may not; it’s impossible to tell without seeing it, which we can’t do.

    The original source of this was most likely that one of your plugins was compromised when you originally downloaded it (these are all too common), but that original infection may have been overwritten by an upgrade to that plugin… which doesn’t help once it’s spread.

    I’ve since replaced all WP files with a clean download as well as all plugins.

    LOVE my web host… I was determined to find out WHERE the infected files were and they did it. 🙂
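
The correlation the web host describes, matching the modification times of suspect files against POST requests in the server log, as an added example that is not the host's or the thread's own code. It assumes an Apache access log in common/combined format; the log lines, IP addresses and file paths are constructed placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix: host ident user [time] "METHOD url proto" status
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (time, ip, method, url, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], m["method"], m["url"], int(m["status"])

def posts_near(mtimes, log_lines, window_seconds=60):
    """Map each file to the POST requests logged within the window of its mtime."""
    window = timedelta(seconds=window_seconds)
    posts = [e for e in map(parse_line, log_lines) if e and e[2] == "POST"]
    return {
        path: [(ts.isoformat(), ip, url, status)
               for ts, ip, _method, url, status in posts
               if abs(ts - mtime) <= window]
        for path, mtime in mtimes.items()
    }

# Constructed sample data: documentation-range IPs, hypothetical paths.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Mar/2012:04:11:02 +0000] "POST /wp-content/plugins/example/old.php HTTP/1.1" 200 312',
    '198.51.100.23 - - [20/Mar/2012:04:11:05 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.23 - - [20/Mar/2012:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 -',
]
# On a real host: datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
SAMPLE_MTIMES = {
    "wp-includes/example-a.php": datetime(2012, 3, 20, 4, 11, 3, tzinfo=timezone.utc),
    "wp-includes/example-b.php": datetime(2012, 3, 20, 4, 11, 40, tzinfo=timezone.utc),
}

def demo():
    return posts_near(SAMPLE_MTIMES, SAMPLE_LOG)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Modification times can be reset by whoever wrote the file, so a match is a lead to follow in the logs rather than proof of the entry point.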

  • The topic ‘Hacked: Can't find source of injection’ is closed to new replies.