[resolved] Hacked random links to other sites at foot of some of our pages (8 posts)

  1. peteranne
    Posted 3 years ago #

    We just discovered that some of our web pages have links to spurious promotional sites inseted near the "proudly powered by WP" line of our TwentyTen theme. See foot of

    http://www.peteranne.it/ provigil . HYIP monitor
    http://www.peteranne.it/mountain-bike/#/0/0 Explore the collection dual use cases for ipad 3 on Grizzly- Gadgets to find useful cases. . the truth about six pack abs . quotazione oro usato . host gator promo codes 2013

    Not all pages have them, and, on the pages that have them, they are different. We have not clicked on any of them, please don't....

    How can we remove them? And how can we stop them coming back? We are about to upgrade to 3.5.1 which fixes security issues, but we would like to remove these first, eg by removing the code which causes these problems. We are the only user or admin on our site.

    For the moment we stay with TwentyTen since we understand TwentyTwelve doesn't let us have the different banner photos on each pages, but considerations regarding this problem and the two different themes would be welcome if anyone has them.

    thanks Peter & Anne

  2. esmi
    Forum Moderator
    Posted 3 years ago #

  3. peteranne
    Posted 3 years ago #

    Thanks, in the mean time we found these and are rather daunted...we hope that someone can point us to how to fix these problems before we upgrade ecc (we have to wait until end Feb to do this)

  4. peteranne
    Posted 3 years ago #

    So far we have updated to 3.5.1 and change admin PW.

    On our site http://www.peteranne.it we have one user, admin, and don't let anyone else register. Navigating the dashboard, I received the message "you are logged on as peteranne, you canĀ“t see the stats". Now, peteranne AT peteranne.it is admin's email, but this is a weird message. peteranne is not listed as a user.

    Could this phoney user be related to the hack? How do we find and remove it, please? I have searched the above documentation for "users", it says I have to check my SQL DB for the rogue user, but there I only find admin....

    We are about to investigate installing TwentyTWelve, though need to check how our banner photos across TwentyTen would work....is it possible that upgrading to TwentyTwelve would remove the hack? I mean, all the theme gets changed, without us having to go looking for some code we have no idea where to find.
    thanks Peter

  5. esmi
    Forum Moderator
    Posted 3 years ago #

    What about all of the other links I posted above? You really do need to work through every one of those first 5 links to completely de-louse your site. Otherwise, the hacker will walk straight back in again.

  6. peteranne
    Posted 3 years ago #

    OK thanks. Just hoped someone else might recognise these rogue URLs, that's all. Anyway, we were away travelling, now back to our own DSL connection, makes it all easier. Thanks Peter

  7. peteranne
    Posted 3 years ago #

    Our ISP moved our site to a new server, meaning we had to fix loads of things but we did find this string

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
    RewriteRule ^(.*) $1? [L]

    at the start of the .htaccess file which didn't used to be there. Could this have caused the errors? We will no longer be saving our FTP coordinates in Cute FTP Lite, this is where the problem may have come from.

    cheers Peter

  8. peteranne
    Posted 3 years ago #

    Our site was moved to a new secure server and we changed WP admin PW, FTP credentials, and WP secret keys. In /peteranne.it/wp-content/themes/twentyten we found a file footer_top.php file with this code

    [Do not post hacked code here, please]

    we deleted it and linkfarm links went away. Hoping that new secure server stops them coming back, if not will reinstall 2010. Ta Peter

Topic Closed

This topic has been closed to new replies.

About this Topic