Wordpress hacked.

One of my wordpress installations have been hacked.

Someone have inserted links into the pages above the header tag. The links do not show in the source code of the pages. The only place I can see them is in google cache and in the source code of the google cache.

I can not figure out where the problem is or how to remove it. The fact that the links only show in google seems to indicate that they are using some type of cloaking but I dont know how it is done. Any advice on where to look to be able to find it?

 

Maybe it's with the hosting which you have? Are you using a free webhost?

 

We just had this discussion. Short answer: Chances are you;re using a theme with encrypting javascript in the footer and the theme developer is putting in their own links that only show when Google accesses the site. Change threads or remove the code from the theme's footer.php file.

Long answer: I'm looking for the thread. Hold on.

 

No. It is on a dedicated server. None of the other wordpress installations on the server are affected. Other scripts or hardcoded pages are not effected.

I can not find anything in the templates files (custom theme), the wp-blog-header.file is clean, the htaccess file is clean.

 

I am using a costum theme developed by myself. No javascrip or other encryptions in the footer.

 

Provide a link please.

Here's the thread: http://forums.digitalpoint.com/showthread.php?t=1546689

 

I have PM:d you the link.

I am aware that WP needs to be updated and plan to do that tonight. Just want to resolve this first.

 

So you;re saying that you wrote this theme 100% from the ground up? Didn't use any other theme as a basis or a starting point?

 

I used the default theme as a starting point.

 

Please take a look at this link. It's currently down so you'll have to drop the url into google and pull up the cache:

http://linux.byexamples.com/archive...it-we-been-hit-by-hidden-spam-link-injection/

Check for those files if you would please.

 

Thanks. That seems like a great link. I will check all those files in a little while. I need to head out for 1 hour or so first.

 

I can't pull up the links though via their curl hack. Oh well. Please see what you can find and get back with us. I'm going home though for the night.

 

I think i found it.

It was a active plugin injection as described on the site that directed to files outside the wordpress folder. Should be solved now. Thanks a million for the link. It really helped.

 

Thanks. The htaccess file was among the first things i checked as well as the WP-blog-header file. But as I said in my last post. I think it is solved now. It was a active plugin injection. Should be gone now.

I also closed the security hole they used to hack the site.