Theme files hacked – link added after body tag

Emily
(@ebloss)

11 years, 2 months ago
Hello,

I wanted to share a problem I had recently. One of my clients, hosted on GoDaddy, had all of her themes hacked. Since the date and time stamps on the theme files had not changed, I can only assume the server got hacked.

The problem was a link to a payday loans site was being inserted underneath the body tag.

I found three extra things in functions.php named b_call, b_start, and b_end. I removed that whole extra section. The beginning and end are shown here (without the actual hack code inside):
```
if (!function_exists("b_call")) {
... (hack code removed)
add_action("wp_head", "b_start");
add_action("wp_footer", "b_end");
}
```
There was also a record in the wp_options table, with the option name _metaproperty. I deleted that record.

That seems to have fixed it. I changed all of the passwords and installed some security plugins so maybe we’ll get notified the next time GoDaddy and our account gets hacked.

Viewing 6 replies - 1 through 6 (of 6 total)

WPyogi
(@wpyogi)

11 years, 2 months ago

Yep, this was reported in many threads here — and yes, evidently server(s) got hacked at GD.

getlocal
(@getlocal)

11 years, 2 months ago

I need help big time guys!! Im so stressed.

Here is the problem, I noticed today my website dropped big time in rankings. The only thing I found was weird payday loan spam texts at the top of my website. The only way to see this text is if you see a cached snap shot of what Google has indexed. Here is link http://webcache.googleusercontent.com/search?q=cache:VGHBdDt3R-AJ:fiestapartyjumpers.com/+fiestaparty+jumpres&hl=en&tbo=d&gl=us&strip=1

Go daddy said my site is fine. Is this a wordpress fix, or a database fix or what. I’m reading a lot of articles but can’t find much info on my issue.

Moderator Jan Dembowski
(@jdembowski)

Forum Moderator and Brute Squad

11 years, 2 months ago

@getlocal Rather than interupting and trying to take over ebloss’s topic (which is considered rude), please start your own topic yourself.

http://wordpress.org/support/forum/how-to-and-troubleshooting#postform

Thread Starter Emily
(@ebloss)

11 years, 2 months ago

Actually, it looks like getlocal is having the same problem. If you look at the source code of the site, it does have those links just after the body tag. getlocal, you need to remove the stuff mentioned in the first post in this thread. Remove the extra functions from the functions.php file found in your theme folder.

getlocal
(@getlocal)

11 years, 2 months ago

thank you, by the way i tried to start my on post and i think it got removed for some reason. will let you know what i find. If i can’t do this on my own are you willing to accept a payment on paypal to help me

Michael
(@alchymyth)

11 years, 2 months ago

@getlocal

I found your topic in the spam queue – it is now open http://wordpress.org/support/topic/my-wordpress-site-hacked-with-hidden-payday-loan-code?replies=1&view=all

please add any new information there.

unfortunately, I have to close this topic because of http://codex.wordpress.org/Forum_Welcome#Offering_to_Pay