WordPress.org

Forums

[resolved] Unwanted text links on the site... (34 posts)

  1. AngieL
    Member
    Posted 2 years ago #

    Hi! Today I saw weird text links all over my blog that seem to be some kind of spam virus/malware. I installed Wordfence and scanned the system. It found some files that had been changed but it was 1-2 months ago, at the same time as I changed my design and the changes were some translation changes etc - nothing harmful). Wordfence found nothing else and claims my site is clean.

    I have tried this on Chrome and IE and on different computers and it all looks the same. When I view source through Chrome I can find the code that has been put there but I have no clue how to remove it and how to make sure it doesn't show up again...

    Can anyone help? :S

  2. WPyogi
    Forum Moderator
    Posted 2 years ago #

    Can you post a link to your site? That kind of thing can be caused by a number of things - a plugin might be doing it, hacking (even if it's supposedly clean that can be wrong), browser addons, your computer might have malware or maybe something else.

  3. AngieL
    Member
    Posted 2 years ago #

    Hi, sure, the page is in Swedish but here it is :) (you can see it on the left side of content as "download master crack", "online books", "get more information" in a bold text link.)

  4. WPyogi
    Forum Moderator
    Posted 2 years ago #

    Try deactivating all your plugins to see if that changes anything. Do you have any kind of "download" plugin or service?

  5. AngieL
    Member
    Posted 2 years ago #

    I deactived all plugins but it's still there (I have activated them all again). I am not sure what you mean by download plugin or service...? :S

  6. AngieL
    Member
    Posted 2 years ago #

    I have also found this by entering view source in Chrome:

    <!--maincontentstarts-->
    <div><a href="http://akmovie.org" onclick="javascript:_gaq.push(['_trackEvent','outbound-article','http://akmovie.org']);" target="_blank" title="akmovie.org" style="position:absolute; left:-5873px;">akmovie.org</a> <a href="http://candownload.org" onclick="javascript:_gaq.push(['_trackEvent','outbound-article','http://candownload.org']);" target="_blank" title="here" style="position:absolute; left:-5690px;">here</a> <a href="http://copymovie.org/" onclick="javascript:_gaq.push(['_trackEvent','outbound-article','http://copymovie.org/']);" target="_blank" title="More Bonuses" style="position:absolute; left:-3950px;">More Bonuses</a> </div>
    <p><!--maincontentends--></p>
  7. WPyogi
    Forum Moderator
    Posted 2 years ago #

  8. WPyogi
    Forum Moderator
    Posted 2 years ago #

    Per your last post (we cross posted) - yes, that's what I was referring to...no good :( .

  9. AngieL
    Member
    Posted 2 years ago #

    Hi again, I have now looked through the links you sent and have backed up my site, re-installed wordpress through a zip file, changed passwords to everything and still, the text links are there. My server provider says that the malicious code is in wp-includes/class-template.php (below) but now that I reinstalled WP, that file is gone and the text links are still there..

    Don't really know what to do from here and it's really frustrating :( Any other ideas?

    [ Very bad malware code removed ]

  10. I'm sorry but that code shows that your installation is hacked and needs to be deloused. Please give those articles that WPyogi posted a good read. They can help you get a handle on your situation.

  11. AngieL
    Member
    Posted 2 years ago #

    The code that I wrote above is now gone, though, and it still shows the text links :(

  12. The code that I wrote above is now gone, though, and it still shows the text links :(

    Unfortunately that makes sense. The code you posted here was designed to modify all of your files in wp-includes.

    You really need to delouse your installation. There really is no shortcut for that... :(

  13. AngieL
    Member
    Posted 2 years ago #

    Okay, I see! I'm not sure what delouse means though (hope u bare with me I'm just a hobby blogger with not much knowledge of these things and expressions =/) ? Do you mean exporting all my files, removing all WP files and then reinstall everything?
    Are there any tutorials for that what you mean I should do?

    Thanks for all your help you guys, it's really appreciated!

  14. esmi
    Forum Moderator
    Posted 2 years ago #

    See the links that WPyogi posted above.

  15. AngieL
    Member
    Posted 2 years ago #

    esmi: I did, I followed this one: http://codex.wordpress.org/FAQ_My_site_was_hacked and removed all the files from the director (wp-include and wp-admin + restoring some files in wp-content) and then installed a fresh copy of WP but still no change.

  16. esmi
    Forum Moderator
    Posted 2 years ago #

    You need to follow the rest of the posted links.

  17. AngieL
    Member
    Posted 2 years ago #

    Okay, so now I have really looked through anything I can find on this matter and my server provider told me that I could export all my posts etc. and then just completely remove EVERYTHING (which is also a tip on the links above - again, I must emphasize that I have gone through them all). So I downloaded an .xml file of my website and I started looking through it and saw that somehow the codes are ALL OVER the .xml file too, so it seems they are in my posts as well not the bad malware code, but this one:

    <!--maincontentstarts-->
    <div><a href="http://akmovie.org" onclick="javascript:_gaq.push(['_trackEvent','outbound-article','http://akmovie.org']);" target="_blank" title="akmovie.org" style="position:absolute; left:-5873px;">akmovie.org</a> <a href="http://candownload.org" onclick="javascript:_gaq.push(['_trackEvent','outbound-article','http://candownload.org']);" target="_blank" title="here" style="position:absolute; left:-5690px;">here</a> <a href="http://copymovie.org/" onclick="javascript:_gaq.push(['_trackEvent','outbound-article','http://copymovie.org/']);" target="_blank" title="More Bonuses" style="position:absolute; left:-3950px;">More Bonuses</a> </div>
    <p><!--maincontentends--></p>

    SO I am thinking that even if I delete the whole thing, importing my .xml file with my posts etc. back on would still make the bad links appear, right?

    I have A LOT of posts (been blogging since 2005) so going through them all would be very time consuming. Would it help if I removed the bad code from the .xml file?

    I am very frustrated with all of this and it really seems my only option at this point is to lose all my old posts and start from scratch but I really don't want to do that as I have a lot of memories on my blog. Please help :(

  18. Andrew
    Nuh uh moderator
    Posted 2 years ago #

    Deleting code is only curing the symptom of the hack.

  19. AngieL
    Member
    Posted 2 years ago #

    I know, but I really don't know what else to do if I don't want to lose my posts? The malware code is now gone and I want to delete the WHOLE WP-directory but I'm afraid it will keep coming back if the links are imported again through my .xml ....?

    So that is really what I am wondering, because if I delete the whole WP directory than all my posts etc will be gone, right?

    (please let me know if I am being unclear)

  20. esmi
    Forum Moderator
    Posted 2 years ago #

    See the links that WPyogi posted above.

  21. AngieL
    Member
    Posted 2 years ago #

    esmi: Like I wrote in the post I have read all the links posted here, but it doesn't say anything about the .xml files being infected as well and whether that will affect the new version.

  22. esmi
    Forum Moderator
    Posted 2 years ago #

    If the .xml file was created after the hack took place, it should not be used.

  23. AngieL
    Member
    Posted 2 years ago #

    esmi: yes, it was created after the hack took place.
    Does deleting the wp-admin, wp-content and wp-include remove my posts? I can't figure that out based on the links above...:/

  24. esmi
    Forum Moderator
    Posted 2 years ago #

    No but it will remove any uploaded media including images.

  25. AngieL
    Member
    Posted 2 years ago #

    Okay, thanks alot! So I completely removed the whole WP directory and SUCCESS..no more links...which made me really happy. I then reinstalled the theme that I had used (Weaver II) and the links were back...weird enough the theme that I installed still used the same settings, banner etc. I had removed the weaver_II theme folder from the wp directory so I don't know why it still remembers my settings and stuff?

    (Don't know if this is wordpress related or if i should ask at the weaver II forum?)

  26. esmi
    Forum Moderator
    Posted 2 years ago #

    I then reinstalled the theme that I had used

    Where did you get a copy of the theme from?

  27. AngieL
    Member
    Posted 2 years ago #

    I searched for it on Themes in my admin area.

  28. esmi
    Forum Moderator
    Posted 2 years ago #

    Try deleting the theme and reverting back to 2012.

  29. AngieL
    Member
    Posted 2 years ago #

    I have deleted it but am not sure hos to revert back?

  30. esmi
    Forum Moderator
    Posted 2 years ago #

    I can't see any links atm on the site using the 2012 theme. Would you agree?

Topic Closed

This topic has been closed to new replies.

About this Topic