ross88guy, I checked your site just now and still see the link.
My site has the same issue, the link right next to the comments link at the top of the post. Updated wordpress versions to no success. In the past I’ve been able to sniff out the bad injected code and remove but I can’t seem to find it. Any help would be appreciated! My site is http://www.rootsinalpharetta.com
Andrew Nevins
(@anevins)
WCLDN 2018 Contributor | Volunteer support
Removing the infected code will only remove the symptom of the hack. Try going through those resources WPyogi posted.
My site http://offtherecordsports.com/ just got it too. However, it’s only on the articles on a mobile device. Odd. These flipping a-holes. If anyone figures this out please post here!
Interestingly, all the above three infected sites are hosted on GoDaddy. Is it a coincidence?
Having the same issue that started today.
We’re also hosted by GoDaddy.
I’m not sure why it’s only showing up on mobile devices, and I can’t find the link within any of the files to get rid of it (?)
I found a reversed encoded function in my functions.php file. It was similar to what I found in this article:
http://www.tbogard.com/2013/05/03/tutorial-dealing-with-payday-loans-attack-in-wordpress/
I removed that and the problem is gone. And yes, I fixed the symptom but probably not the root cause. Thought I would share anyway.
I just encountered this problem, also with a client hosted on GoDaddy. Running all current WordPress and plugins up to date. The symptom is indeed code in the functions.php. It hides itself from logged in users.
Whenever I try to delete any piece of it, it keeps saying:
Parse error: syntax error, unexpected ‘}’ in /home/content/24/8599724/html/wp-content/themes/subzero/functions.php on line 20
??
Yup, the malicious code was in my Functions.php file but it was hidden in lots of what looked like gobbledygook to me and not plain html or php.
Not wanting to mess around with the editor I simply reinstalled the latest version of my theme template which seemed to fix the problem…for now. Can someone check my site to make sure there are no malicious links at the top of the articles any more:
http://www.runtheline.com
Other steps that I have taken are changing my passwords, deleting unused user accounts, deleting all non essential plugins and making sure that everything is the latest version.
I have been reading that a hacker might leave some back doors. Any idea how I can check for back doors?
I have been reading that a hacker might leave some back doors. Any idea how I can check for back doors?
Absolutely true – that’s why you need to go through all the articles I posted above – they explain how to address that issue. This fairly recent article may be helpful as well:
http://codex.wordpress.org/Brute_Force_Attacks
