[resolved] Security issue: exploit blackhat seo (type 1703) (7 posts)

  1. robinfaichney
    Posted 3 years ago #

    When I access my site I get a warning from AVG saying it's infected with "exploit blackhat seo (type 1703)". This seems not to be an actual threat to those browsing but puts a bunch of typical spam links into the page code at the end. I've been getting quite a lot of spam through my contact page, it seems the CAPTCHA isn't good enough, could that be connected with this issue? What should I do?

    PS All the plugins are up to date, there's nothing unusual on the site.

  2. WPyogi
    Forum Moderator
    Posted 3 years ago #

  3. robinfaichney
    Posted 3 years ago #

    Thanks very much WPyogi. Files index.php and wp-blog-header.php (at least) had been modified so I changed the admin password and reinstalled WP. I'm now looking at what else I should do.

  4. WPyogi
    Forum Moderator
    Posted 3 years ago #

    You really need to go through all the articles above - just removing the code may not close any "backdoors" and the hack may well be repeated. Unfortunately, there's not a quick-fix for hacked sites.

    This newish article that may also be useful in avoiding future hacking:


  5. robinfaichney
    Posted 3 years ago #

    Thanks again, it tests clean now so I feel I can postpone further actions to tomorrow but I'll do a proper job then.

  6. slickrockweb
    Posted 3 years ago #

    Robin we had some similar strange behavior on a client's site last week and it appears the hackers were somehow able to inject PHP code through a contact form. They had hundreds of strange contact form submissions that on first appearance looked like spam but what you didn't see was the hidden code being injected somehow. This piece of code was added to a bunch of standard WP working files.

    if (isset($_POST['wp-load'])) {

    This code above could be the chicken and the egg problem. Not sure if the code above allows the contact form to be used as an attack vector or the contact form was used first to inject this code. I believe the CAPTCHA was also being completely bypassed.

    We also found backdoor shell scripts in folders downstream of /wp-includes/js/. I would look through all of these folders for any PHP files that are unique and not part of your normal wordpress installation.

    These files below were that were added that look like they should be WP files but were unique files not part of the normal WP installation.


    Good luck.

  7. robinfaichney
    Posted 3 years ago #

    Hi slickrockweb, thanks a lot for taking this trouble. I used FileZilla to do a search on those filenames, which were not found. I'm doing a Sucuri SiteCheck every few hours. I've decided if that finds anything I'll wipe the site clean and start from scratch (following http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/), otherwise I'm keeping my fingers crossed.


Topic Closed

This topic has been closed to new replies.

About this Topic


No tags yet.