WordPress.org

[resolved] Site hacked: Need help finding how link farm added to footer (18 posts)

  1. tshirtfiend
    Member
    Posted 5 years ago #

    My company's blog was hacked, with a link farm added to the footer. This appears to be a hack to the theme files, as it is code that I can see if I edit my footer.php file. Deleting the links just causes them to re-appear in a day or so though.

    I've tried a few things to remove the hack, to no avail. I'm at the point where I believe my only option is to re-install WordPress (keeping the database).

    It just bothers me that I don't know where the link farm code is coming from though. I don't want to miss something, as I've never been able to find the code which generates the links.

    Can anybody suggest somewhere to look that I may not have tried?

    Here's a link to the site, if that helps:
    http://www.alphabetarm.com/thebloggery/

  2. Everything you need to know to recover and reinstall is here: http://wordpress.org/support/topic/307660?replies=1

  3. bottleneck
    Member
    Posted 5 years ago #

    yeah, it looks ugly.

    Check this similar problem, the guy just finished cleaning his blog.

    Hacked: I can't find these Spam links anywhere? Plus more spam advice?

  4. tshirtfiend
    Member
    Posted 5 years ago #

    Ok, thanks. I'm not seeing any of those "base64", "forex" or "eval" bits that people point to as the usual culprit.

    Starting from scratch is a pain, but I can handle it. It's mostly that I just don't know what the source of the problem is. If there's a back door that has been created by the hacker, for instance, I want to make sure it'll be removed when I'm reinstalling.

  5. If you clean your DB and make sure there are no other admin accounts and change all passwords related to the site, you can close many potential backdoors, as shown here.

    Talk to your host, too, esp. if you're on shared hosting. They may have seen/know more and know where the access is coming from.

  6. tshirtfiend
    Member
    Posted 5 years ago #

    So I went through ALL of the steps on the WP Smackdown site, as directed. No luck. Still the same problem.

    Anybody have an idea what I'm missing? My host is blaming WP, so I don't think that there's much that I can do there.

  7. Rev. Voodoo
    Volunteer Moderator
    Posted 5 years ago #

    yeah....I just had footer links show up again. I'm truly stumped. I've done absolutely everything, and still I get the spam links.

  8. tshirtfiend
    Member
    Posted 5 years ago #

    Did you go through the steps as suggested? Or are you just getting started?

  9. Rev. Voodoo
    Volunteer Moderator
    Posted 5 years ago #

    My thread is the one referenced by bottleneck in the 3rd post in this topic.

    I've done some serious cleaning/rebuilding already.

  10. gareth gillman
    Member
    Posted 5 years ago #

    post your footer.php code as it may be grabbing data from somewhere

  11. Rev. Voodoo
    Volunteer Moderator
    Posted 5 years ago #

    My footer is definitely not pulling data from anywhere, I checked the code and once I remove the spam, it's clean. (I wrote the theme...).

    (I can post the code if it's necessary....but it's a simple footer)

  12. bottleneck
    Member
    Posted 5 years ago #

    could you rename your footer.php as footer_new_name.php whatever in your theme and make sure the same in general-template.php (wp-includes folder)?

    If that malicious script aims at your footer.php let it shoot in the void.

    Sorry, if that advice is sort of naive, just trying to help...

  13. Rev. Voodoo
    Volunteer Moderator
    Posted 5 years ago #

    well....anytime you change anything in the wp-includes folder, you will lose the change with every upgrade.....

  14. bottleneck
    Member
    Posted 5 years ago #

    I will remind you :))

  15. Rev. Voodoo
    Volunteer Moderator
    Posted 5 years ago #

    that'd be awesome!

    I just really want to know where the links are coming from.... I'm waiting on a reply about logs & stuff from my host...but it's so annoying....

  16. Samuel B
    moderator
    Posted 5 years ago #

    download the database .sql dump
    open it with notepad and search for the links or code used in the footer

  17. Rev. Voodoo
    Volunteer Moderator
    Posted 5 years ago #

    yeah, I did that too

    I actually dumped all my WP installs, along with my SMF site since it had been compromised in the past. I searched them for a variety of things (base64, decode, forex, etc) plus scanned through the rather giant files looking for batches of stuff. I'm really fairly sure I got everything.

    I also scan through everything fairly regularly now, as I reinstalled or edited everything, so I can tell if any timestamps have changed.......
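
Added example, not part of any post in this thread: a hash baseline for the kind of re-check described above. It compares SHA-256 digests rather than timestamps, because a script that rewrites footer.php can also set the file's modification time back, and it searches only the changed files for the indicator strings named in the thread. The function names, the theme path and the sample file contents are constructed for illustration.

```python
import hashlib, os, re, tempfile
from pathlib import Path

# Strings the thread names as usual indicators; extend the list for your own case.
INDICATORS = re.compile(r"base64|eval\s*\(|forex|decode", re.I)

def snapshot(root):
    """Map each file's relative path to (sha256 hex, mtime) for every file under root."""
    snap = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[path.relative_to(root).as_posix()] = (digest, int(path.stat().st_mtime))
    return snap

def compare(old, new):
    """Diff two snapshots; 'stealthy' lists files whose content changed but mtime did not."""
    common = sorted(set(old) & set(new))
    modified = [r for r in common if old[r][0] != new[r][0]]
    return {"added": sorted(set(new) - set(old)), "removed": sorted(set(old) - set(new)),
            "modified": modified,
            "stealthy": [r for r in modified if old[r][1] == new[r][1]]}

def indicator_hits(root, rel_paths):
    """Return (path, line number, line) for each line in the given files that matches."""
    hits = []
    for rel in rel_paths:
        text = (Path(root) / rel).read_text(errors="replace")
        for n, line in enumerate(text.splitlines(), 1):
            if INDICATORS.search(line):
                hits.append((rel, n, line.strip()))
    return hits

def demo():
    """Constructed sample tree: footer.php is rewritten and its timestamp is put back."""
    with tempfile.TemporaryDirectory() as root:
        theme = Path(root) / "wp-content/themes/mytheme"   # hypothetical theme name
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
        os.utime(theme / "footer.php", (1_000_000, 1_000_000))
        before = snapshot(root)                             # baseline taken while clean
        (theme / "footer.php").write_text(
            "<?php wp_footer(); ?>\n<a href='http://spam.example/forex'>forex</a>\n")
        os.utime(theme / "footer.php", (1_000_000, 1_000_000))
        (theme / "cache.php").write_text("<?php echo base64_decode('aGk='); ?>\n")
        diff = compare(before, snapshot(root))
        return diff, indicator_hits(root, diff["added"] + diff["modified"])

if __name__ == "__main__":
    print(demo())
```

Store the baseline snapshot somewhere the web server account cannot write, so that whatever rewrites the theme files cannot rewrite the baseline as well.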

  18. bottleneck
    Member
    Posted 5 years ago #

    You have nothing to lose, do you?

    I modified my proposal. Leave your footer.php as is but activate footer_new_name.php just as I wrote earlier.

    Even when your footer.php eventually becomes infected again, it won't show in your page's code. But this could give you some useful input.

    Do you follow me so far? (oops, but enough about Twitter :)

This topic has been closed to new replies.