[closed] Online Payday Loans Code Injection hack (14 posts)

  1. marc315
    Posted 2 years ago #

    Came across a little BlackHat SEO injection yesterday, just wanted to share it and see if anyone else has experienced this.

    found the following code in HEAD.php

    <div id='hideMe'> <p><i> Online Payday Loans <a href="http://[ You really don't have to share that link ]">Online Payday Loans</a></div><script type='text/javascript'>if(document.getElementById('hideMe') != null){document.getElementById('hideMe').style.visibility = 'hidden';document.getElementById('hideMe').style.display = 'none';}</script><div id="wrapper">

    also found the following user added as an Administrator

    systemwpadmin / systemwpadmin@wordpress.org

    Had the guys at Sucuri clean the site (awesome service!) and it appears that only the HEAD.php file had the injection

    WordPress is up to date
    plugins up to date
    theme up to date
    Hosting is 4G by Godaddy
    No default admin account
    password for admin and DB are 18 character alphanumeric

    thought I had all my bases covered with the above but somehow the code got in

    just curious, any thoughts as to what the attack vector could have been?

  2. Web Era Productions
    Posted 2 years ago #

    Go(from)Daddy. BlueHost is a much better group of fellows for hosting (and no I don't work there or have anything to do with their company). Just know they are good fellows who understand WordPress hosting well.

  3. marc315
    Posted 2 years ago #

    I noticed a few other folks having the same problem



    seems kinda suspect that the same hack happened to multiple sites on the same host

    sent in a ticket to their abuse dept to get more info

  4. WPyogi
    Forum Moderator
    Posted 2 years ago #

  5. marc315
    Posted 2 years ago #


    Thanks for the links, everything was cleaned by the good folks at Sucuri. I currently have the site being monitored by their WordPress plugin that provides a very useful audit log. Hope this gets fixed sooner than later

  6. WPyogi
    Forum Moderator
    Posted 2 years ago #

    Ah good, sorry, I should have read your OP more closely. Presumably GoDaddy is on top of this - it seems like it was only on their servers -- at least from what we've seen around here.

  7. dvwp
    Posted 2 years ago #

    not sure if it's proper forum etiquette to post malicious code examples in the forum. if so, moderators please delete. but i thought it might be helpful for others who are having trouble to search for this code which was injected into my theme's functions.php. it was added right at the beginning and was easy to find. of course, our site has nothing to do with quick loans. getting rid of this allowed us to get back up while we did a clean rebuild. hope this helps.

    <?php function callbackx([code moderated] buffer_endx'); ?>

  8. It's not a good idea to post the source of hacking code. And post a new topic, as your hacking incident is completely different than the original thread's.

  9. dvwp
    Posted 2 years ago #

    i completely understand the moderation.

  10. rlindabury
    Posted 2 years ago #

    I've got to say that dvwp's post is what saved me! I had the Payday Loans hack inserted into my WordPress install on Godaddy hosting. This is a client's site. Godaddy is NOT my choice. They had it prior to contracting me.

    I found the same code at the very top of my theme's functions.php file. Deleting it completely removed the Payday Loans code insertion into my pages.

    In addition to that code I found two .php files in my theme's cache directory. They were binary. I removed those as well.

    It was easy to find the offending cache files as they showed up at the top of the templates list in Appearance > Editor.

    I hope this helps some of you trying to fix this issue.

    -- Bob

  11. freedweb
    Posted 2 years ago #

    I found a file called wp-logout.php that had Eval64 code in it. I double checked a new download of WordPress and there is no such file in there. I deleted the file and reuploaded fresh scripts including all plugins. So far it seemed to help. I scanned all other instances of WordPress I have and have only found one instance to be infected. I hope!

  12. WPyogi
    Forum Moderator
    Posted 2 years ago #

    @freedweb - you really need to go through all of the above listed resources - otherwise the hack will likely be repeated.

  13. pramathesh_a
    Posted 2 years ago #

    I am building a WordPress site which is currently on localhost and I have recently encountered the same problem. A link to paydayloans appearing in the bottom left of some of the pages.

    I understand I should clean up but would be grateful for tips on how to trace where the code is and what the code is which is producing the problem. I have searched through my .php files and my theme related files as well (I am using weaver II pro) but have not been able to get there.

    What I remember is that I did two things on the night this happened - updated one plugin and installed another.

    WordPress is up to date.

    Thanks in advance for help.


  14. Andrew
    Nuh uh moderator
    Posted 2 years ago #

    All we can do is suggest you read the resources posted on this thread.
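
A read-only scan for the traces reported in this thread (the self-hiding `hideMe` block, a PHP file in the WordPress root that a fresh download does not contain, binary `.php` files under a theme's cache directory, and eval of decoded data), added here as an example and not code from any poster or from WordPress. It assumes "Eval64" means `eval(base64_decode(...))` and that the site keeps no custom PHP files in its root; the theme name and sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Root-level PHP files in a stock WordPress download; anything else there is worth a look.
CORE_ROOT = {"index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
             "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
             "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
             "wp-signup.php", "wp-trackback.php", "xmlrpc.php"}

PATTERNS = {
    # The self-hiding link block quoted in the first post.
    "hidden-link-block": re.compile(rb"getElementById\(\s*['\"]hideMe['\"]\s*\)"),
    # Assumed meaning of "Eval64": eval() wrapped directly around a decoder call.
    "eval-of-decoded-data": re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate)\s*\(", re.I),
}

def scan(wp_root):
    """Return sorted (relative path, reason) pairs for suspicious .php files."""
    root, findings = Path(wp_root), []
    for path in (p for p in root.rglob("*.php") if p.is_file()):
        rel, data = path.relative_to(root), path.read_bytes()
        if len(rel.parts) == 1 and path.name not in CORE_ROOT:
            findings.append((rel.as_posix(), "not-in-core"))
        if b"\x00" in data:  # PHP source is text; NUL bytes mean a binary blob
            findings.append((rel.as_posix(), "binary-php"))
        findings += [(rel.as_posix(), why) for why, rx in PATTERNS.items() if rx.search(data)]
    return sorted(findings)

def demo():
    """Build a small constructed tree (not real samples) and scan it."""
    theme = "wp-content/themes/example"  # hypothetical theme name
    tree = {
        "wp-login.php": b"<?php // core file, clean\n",
        "wp-logout.php": b'<?php eval(base64_decode("ZWNobyAxOw==")); ?>',
        theme + "/header.php": b"<script>document.getElementById('hideMe').style.display='none'</script>",
        theme + "/cache/a.php": b"\x00\x01\x02",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in tree.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan(tmp)

if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why:22} {rel}")
```

A hit is a lead to review by hand, and a clean result does not cover the database, so the administrator list still needs checking for accounts nobody created.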

Topic Closed

This topic has been closed to new replies.