WordPress Headers and Footers Continually Hacked

Discussion in 'WordPress' started by sport302, Mar 17, 2011.

  1. #1
    So for the past couple months I have had an issue with one blatant hack on about 3 WordPress sites I own. Each time the header and footer php files are filled with hundreds of links from one place called Websoft.

    I have known about the WordPress header and footer security issues for a while, but I am starting to become completely fed up with trying to patch every stupid thing with different fixes.

    =====================================================

    Listed below is the junk being added to my header and footer php files:

    <!--google--><? $usr_agentbnm = @$_SERVER[HTTP_USER_AGENT]; if(preg_match('~google.*?bot|google|mediapartners~i',$usr_agentbnm)){?><h2>adobe photoshop cs2 download</h2> <a href="http://www.websoft.ws/software/Buy-Cheap-Adobe-CS5-Design-Premium-Student-&-Teacher-Edition.html">adobe creative suite cheap</a> <b>adobe acrobat reader for windows 98 free download</b> <i>adobe streamline 4 download</i> for students <strong>adobe illustrator cs3 keygen download</strong> <strike>download adobe flash player pictures</strike> <h1>adobe creative suite 3 download</h1> <a href="http://www.websoft.ws/software/Buy-Cheap-Adobe-Fireworks-CS5-Student-&-Teacher-Edition.html">adobe fireworks buy cheap</a> adobe after effects cs2 download <i>adobe pagemaker 7 download</i> for students free download for adobe photoshop macosx <b>download adobe reader for macintosh</b> <h3>free download adobe 6</h3> <a href="http://www.websoft.ws/software/Buy-Cheap-Adobe-Creative-Suite-5-Master-Collection-for-Mac.html">cs5 buy cheap</a> <u>adobe 8 free download</u> <b>adobe download free reader</b> cheap <i>adobe distiller download</i> <strike>free adobe photoshop full version download</strike> <h2>download adobe acrobat professional english</h2> <a href="http://www.websoft.ws/software/Buy-Cheap-Adobe-CS5-Web-Premium-Student-&-Teacher-Edition.html">cs5 web premium buy cheap</a> <b>safe free adobe flash 9 download</b> adobe illustrator svg filter download for students <strong>acrobat adobe latest version download</strong> <strike>adobe flash download settings view apple</strike> <h2>adobe flash 8 download</h2> <a href="http://www.websoft.ws/software/Buy-Cheap-Adobe-Indesign-CS5-Student-&-Teacher-Edition.html">for students adobe indesign</a> <u>adobe audition download free</u> <b>adobe version 5 download</b> buy cheap <i>adobe dream weaver 8 download</i> <b>download free full adobe reader 6 0</b> <h1>adobe premiere download</h1> <a 
href="http://www.websoft.ws/software/Buy-Cheap-Adobe-Illustrator-CS5-Student-&-Teacher-Edition.html">adobe illustrator CS5 cheap</a> <u>adobe indesign download</u> <i>adobe photoshop cs 3 download</i> for students <strong>download adobe free software</strong> <b>adobe streamline for mac download</b> <h2>adobe illustrator cs3 crack download</h2> <a href="http://www.websoft.ws/software/Buy-Cheap-Adobe-Flash-Professional-CS5-Student-&-Teacher-Edition.html">adobe flash cheap</a> <u>adobe flash download mirror free</u> adobe reader download buy cheap free adobe download <i>download adobe cs2</i> <h2>free download of adobe photoshop cs3</h2> <a href="http://www.websoft.ws/software/Buy-Cheap-Adobe-Premiere-Pro-CS5-Student-&-Teacher-Edition.html">premiere pro cs5 cheap</a> <u>adobe creative suit 3 free download</u> <b>adobe reader download full</b> for students adobe flash player 9 zip download <strike>software adobe 4x download</strike> <h2>adobe flash player 9 cannot download to internet explorer 7</h2> <a href="http://www.websoft.ws/">adobe software for students</a> adobe indesign download <i>download adobe reader8</i> for students <strong>free download for adobe streamline</strong> <i>download adobe reader to ppc main memory</i> <h3>download adobe acrobat 6 pro</h3> <a href="http://www.websoft.ws/software/Buy-Cheap-Adobe-Photoshop-Elements-9.html">photoshop elements for students</a> download full version of adobe audition 3 for free free download adobe rea cheap adobe flas download <strike>download adobe reader version 5</strike> <?}?><!--/google-->

    =====================================================

    WTF!

    I am seriously getting so irritated by this crap! It used to be like once or twice a year, but now it is like once or twice a week.

    I have already removed all the references to WordPress from the header and footer php files, which was supposed to help, but in reality it has not done a thing to stop this garbage.

    Any other ideas would be greatly appreciated.
     
    sport302, Mar 17, 2011
  2. mccomf

    #2
    mccomf, Mar 17, 2011
  3. nirmala.prc

    #3
    Are you using any free theme in your site?
     
    nirmala.prc, Mar 17, 2011
  4. dscurlock

    #4
    I think one of your outdated mods or themes has been breached.
     
    dscurlock, Mar 17, 2011
  5. Yuuko008

    #5
    First check for encoded files in your theme (if it's a free theme) or mod (if it's not from wordpress.org). Also make sure that wp_head() and wp_footer() are intact in the theme. Also try to update your WordPress and all the plugins to their latest versions.
     
    Yuuko008, Mar 17, 2011
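
The checks suggested in post #5, as an added example that is not part of the thread or any poster's code: it flags the user-agent cloaking pattern and the google comment markers seen in the snippet from post #1, eval-wrapped encoded PHP, and a header.php or footer.php that no longer calls wp_head() or wp_footer(). The regexes, function names and the four-file sample theme are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Heuristics drawn from the snippet quoted in post #1 and the checks in post #5.
CHECKS = {
    "user-agent cloaking": re.compile(
        r"HTTP_USER_AGENT.{0,300}?(google|mediapartners|bingbot|slurp)", re.I | re.S),
    "<!--google--> marker": re.compile(r"<!--\s*/?google\s*-->", re.I),
    "encoded payload": re.compile(
        r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
}
REQUIRED_HOOKS = {"header.php": "wp_head", "footer.php": "wp_footer"}


def scan_theme(theme_dir):
    """Return (relative path, finding) pairs for every PHP file under theme_dir."""
    root = Path(theme_dir)
    findings = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        findings += [(rel, name) for name, rx in CHECKS.items() if rx.search(text)]
        hook = REQUIRED_HOOKS.get(path.name)
        if hook and not re.search(rf"\b{hook}\s*\(", text):
            findings.append((rel, f"missing {hook}()"))
    return findings


def build_sample_theme(root):
    """Write a constructed four-file theme (not taken from any real site)."""
    samples = {
        "header.php": "<?php wp_head(); ?>\n<!--google--><? $ua = @$_SERVER[HTTP_USER_AGENT]; "
                      "if(preg_match('~google.*?bot|mediapartners~i',$ua)){?>"
                      "<a href=\"http://spam.example.invalid/\">link</a><?}?><!--/google-->\n",
        "footer.php": "</body></html>\n",  # wp_footer() has been stripped
        "functions.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n",
        "index.php": "<?php get_header(); get_footer(); ?>\n",
    }
    for name, body in samples.items():
        (Path(root) / name).write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, finding in scan_theme(build_sample_theme(tmp)):
            print(f"{rel}: {finding}")
```

A hit is a lead for manual review, not proof: legitimate code sometimes reads the user agent, and a clean scan does not rule out a payload written in a form these patterns miss.
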
  6. hmansfield

    #6
    Sounds like you are using a free theme that you got somewhere or downloaded a premium theme from some file sharing site.
    You aren't being hacked; the theme purposely has code in it that displays links on your website.
    The spots are being sold by the person that offered the download. That's why it was free... to entice people to put it up on their site.

    My advice, don't use free themes outside of the Official WordPress repository. If you don't like what's there, then spend some money on your website and buy a premium theme.
     
    hmansfield, Mar 18, 2011
  7. sport302

    #7
    I do not think it is a theme issue, because one of the themes that this is occurring on is a paid theme from a legitimate operator.

    I actually went and updated all my WordPress sites to 3.1, and for a week it seemed like that fixed the issue. Then bam it happened again today.

    The only difference this time was all links changed from websoft.ws to dailymotion.com? It was odd because all the adobe references stayed the same, but all the links changed?

    Any ideas of what to do now? Do you think going through and updating every single plugin would maybe fix the issue, or do you think it is something on my server/web host side I need to look at? I am currently using Bluehost.

    Thanks...
     
    sport302, Mar 22, 2011
  8. hmansfield

    #8
    There is really no way for me to zero in on it without knowing and seeing every plugin and file that you have installed.
    The fact that the links keep changing tells me that you have a script installed somewhere that is being controlled by a 3rd party.
    You may have a legitimate theme, but did you get it from the source? The actual person that designed it? Or did you buy it from a theme shop?

    Maybe it's not the theme. Maybe it is. Maybe it's a plugin. But somewhere it's probably something that you installed without knowing that it included a script.

    At this point I would talk to Bluehost and let them scan your installation and see if they can pinpoint it for you.
     
    hmansfield, Mar 22, 2011
  9. LeoSeo

    #9
    It's pretty strange, the same thing happened to me (3.1-spammy links injection) and I'm using Bluehost too. Perhaps it's about their simplescripts thingie?
     
    LeoSeo, Mar 22, 2011
  10. sirjonathan

    #10
    Try installing WordPress File Monitor. It's a forensics tool and will help you pinpoint the next time your header or footer is changed. While it doesn't _always_ give the exact details, it will often show you the file that is doing the changing, which is typically a trojan hiding out in a compromised plugin or theme.
     
    sirjonathan, Mar 24, 2011
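
The kind of change detection post #10 describes, as an added example (this is not the WordPress File Monitor plugin's code and not from any poster): hash every watched file under wp-content, store the baseline outside the web root, and report what was added, removed or modified on the next run. The directory layout, theme and plugin names, and watched file types are constructed assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

WATCHED = ("*.php", "*.js", ".htaccess")  # assumption: file types worth tracking


def snapshot(root):
    """Map each watched file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for pattern in WATCHED for p in root.rglob(pattern) if p.is_file()
    }


def compare(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed wp-content tree: baseline, simulated tampering, then re-check."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        theme = Path(site, "themes", "mytheme")        # hypothetical theme name
        plugin = Path(site, "plugins", "someplugin")   # hypothetical plugin name
        theme.mkdir(parents=True)
        plugin.mkdir(parents=True)
        (theme / "header.php").write_text("<?php wp_head(); ?>\n")
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
        (plugin / "plugin.php").write_text("<?php /* plugin */\n")
        # Keep the baseline outside the web root so a tampered site cannot rewrite it.
        baseline_file = Path(store) / "baseline.json"
        baseline_file.write_text(json.dumps(snapshot(site)))
        # Simulated tampering: links appended to the footer, a new file in a plugin.
        with open(theme / "footer.php", "a") as fh:
            fh.write("<!--google--> injected links <!--/google-->\n")
        (plugin / "cache.php").write_text("<?php /* unexpected file */\n")
        return compare(json.loads(baseline_file.read_text()), snapshot(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The modified footer is the symptom; the unexpected file under the plugin directory is the lead worth following, and file modification times around the same moment help tie the two together.
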