Hacked: I can’t find these Spam links anywhere? Plus more spam advice?

  • OK…I just keep getting pummeled by spam links. Usually in the footer, but this is new. If you view my source code on http://www.rvoodoo.com Just after the opening body tag, you will see a bunch of links to forex stuff. Thing is, I can’t find that anywhere? Any ideas where it’s coming from? I’ve looked at my header file where that would be situated, nothing there. I’ve turned off all plugins and refreshed browser, hidden links are still there. I have all fresh WP files, and the date stamps are all in check (except my wp-config file was hit yesterday, but that’s clean now).

    And on the spam topic, I’ve followed a bunch of the posts on here, I’m running 2.8.4, since it was released. I changed all passwords. No hidden admin users in the sql db. My theme files (at least the ones being written to) are read only, and clean. I’ve done a full fresh WP install, reuploaded all fresh plugins, scanned my sql db for base64 and other things and cleaned them….Am I missing something? I still keep coming back to footer spam every day.

    I think this is the first time I’ve had to come on here and beg for some help, I usually google myself to death to find my answers…..but I’m plain stumped this time…..

Viewing 15 replies - 1 through 15 (of 16 total)
  • OK, I finally found the code that was sticking that spam near my header.

    But with that outta the way, can anyone see anything I missed in cleaning my WP install? This is kinda drivin me nuts

    IMHO, it seems to me like brute force password discovery.

    Make sure that you don’t use “admin” as your username.

    Also, just in case, check this out 20+ Powerful WordPress Security Plugins and Some Tips and Tricks

    If you don’t mind me asking, where did you go to remove the forex links. The exact same thing has happened to a blog of mine. Thanks!

    I don’t use admin, and I’ve changed my passwords…. all using mixed case and numbers combined…..

    @sisconda…..I’m not 100% sure which trick worked. What I’ve done today is scan every php file I have. In my main WP directory was an index.php that had nasty stuff in it.

    BUT….I spent about 8hrs today going through all 4 of my WP installs, along with every website I have (9 I think), every php file on every website had a base64 decode inserted at the top of it.

    I really hope I got it all this time

    To be sure, you should export your database and do a search on the .sql file with notepad for “forex”, “eval”, “Base”, etc.

    Ahh thanks, I’ll go take a look through all the files then. I noticed the base64 decode function on the top of a lot of the pages, but I wasn’t sure if it had some built in information that WordPress needed.

    The funny thing is, I wouldn’t even have found any of it but it looks like it has a misplaced semicolon in it which broke some of my js functions.

    Thanks again!

    Same thing just happened to my site. Latest version of wordpress. Don’t use admin. Do I just remove the base64 from the top of my php files? How do I keep it from happening again?

    Well…I just finished up. I had forgotten about replacing all the plugins on some of my other wordpress installs. There’s literally a couple thousand php files I had to work on between yesterday and today. I replaced most of them, and some just hand removed the offending base64 junk. I had to guess on a lot of the php files, which I could replace and which I had to edit. I think I got everything right except maybe my zencart shop…..which doesn’t seem to be totally working properly….

    @lukeodom, you can delete the entire base64 function….I forget what it looks like but it’s inside <> brackets. It’s probably a pretty big paragraph, delete the whole thing, just be sure not to get any part of the next function……

    To keep it from happening again, you need to clean everything, change all your passwords, upgrade any WP installs to latest, etc. There are quite a few posts in the forums about dealing with hacked WP installs, that’s what I referenced.

    OK, I think I figured out my situation. Since I had been using the latest version of WP I was really stumped. Then I started digging into the forums of the other software I use, and stumbled on a discussion on the simplemachines.org forum, which is the forum software I use. Seems a lot of users over there had the base64_decode show up on ALL their php files just like I did. They tracked it down to a user with the name krisbarteo. I checked out my forum, and sure enough, I had that user. So I’m not even sure my problems stem from WP.

    Just to be sure, I followed the advice given for both WP, and SimpleMachines….hopefully both are safe for now….

    Sorry to hear this…

    did you scan your local machine?

    Yup…it’s actually a really fresh reformat…..so super clean machine. Scanned again last night. Is clean

    damn, had to unresolve this topic, cuz the footer spam is back.

    None of my other php files are hit this time, just the footer. My host says it is a compromised FTP password. But….I changed that, then cleaned everything, and changed it again. I don’t see how that can be the issue

    whooami (@whooami, Member)

    I don’t see how that can be the issue

    Of course you don’t — I’m not surprised.

    Does your host offer FTP logs? Before uploading a bunch of files on your own IP, take a look at the FTP logs.

    RVoodoo, I have the same problem. Could you tell me where I can find this spam code in my wordpress files?

    Like I said above, all my php files had base_64 inserted into them, also, I found 2 php files that were not part of any software I was using.

    If you find anything in WP php files that uses base64 decode commands, I’d be really suspicious of it.

    If you have stuff like that, you’ll most likely need a full reinstall like I did
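
The manual checks described in this thread (looking for base64 decode calls inserted at the top of PHP files, and searching an exported .sql file for “forex”, “eval”, “Base”) can be scripted. The following is an added example, not code posted by anyone in the thread; the function names, the 2048-byte "near top" threshold and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Heuristic from the thread: eval/base64_decode calls, worst when at the top of a file.
CALL = re.compile(rb"\b(eval|base64_decode)\s*\(", re.IGNORECASE)
# Search terms suggested in the thread for the exported .sql file (noisy by design).
DUMP_TERMS = re.compile(r"forex|eval|base", re.IGNORECASE)

def scan_php_tree(root, head_bytes=2048):
    """Return (relative path, first hit offset, hit_near_top) per flagged .php file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                match = CALL.search(fh.read())
            if match:
                rel = os.path.relpath(path, root)
                findings.append((rel, match.start(), match.start() < head_bytes))
    return sorted(findings)

def scan_sql_dump(path):
    """Return 1-based line numbers of an exported .sql file that contain a search term."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [n for n, line in enumerate(fh, 1) if DUMP_TERMS.search(line)]

def build_sample(root):
    """Write constructed sample files (inert placeholder payload) for a dry run."""
    os.makedirs(os.path.join(root, "wp-content"))
    samples = {
        "index.php": "<?php eval(base64_decode('cGxhY2Vob2xkZXI=')); ?><?php\nrequire 'x.php';\n",
        "wp-content/clean.php": "<?php\necho 'hello';\n",
        "dump.sql": "INSERT INTO wp_posts VALUES (1,'hello');\n"
                    "INSERT INTO wp_options VALUES (2,'<a href=\"#\">forex</a>');\n",
    }
    for rel, text in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, offset, near_top in scan_php_tree(tmp):
            print(f"{rel}: call at byte {offset}, near top: {near_top}")
        print("dump.sql lines:", scan_sql_dump(os.path.join(tmp, "dump.sql")))
```

Point `scan_php_tree` at a downloaded copy of the site; a hit is a lead for manual review, since legitimate PHP can also call `base64_decode`.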

  • The topic ‘Hacked: I can’t find these Spam links anywhere? Plus more spam advice?’ is closed to new replies.