I’m working on a client’s site and I noticed that posts have a hidden <div>
filled to SPAM links to dick pills, etc. Hoping to get lucky, I searched for some of the keywords in the database tables, but found no matches. I also searched the code in all the files, and also found no matches.
I know that WordPress hacks can be very tricky to remove, and they go to great lengths to make them hard to find. But perhaps there are some “usual suspects” that I could check, or maybe some tell-tale signs I could look for.
I’m not asking for anyone to solve this specific hack. I’m just looking for advice on where (in general) to look.
In case it’s useful, here’s the unauthorized <div>
which is injected right before the close of the first <p>
:
<div id='hideMeya'> At that requires looking for how you http://www.cialis.com <a href="http://wwxcashadvancecom.com/" title="want $745? visit our site.">want $745? visit our site.</a> sign any of money. Visit our secure bad creditors that cialis levitra sales viagra <a href="http://www10525.c3viagra10.com/" title="viagra australia online">viagra australia online</a> payday lenders know otherwise. But the black you stay on discount price levitra <a href="http://www10385.x1cialis10.com/" title="what is impotence in men">what is impotence in men</a> duty to their lives. Citizen at one online or after receiving their research viagra online <a href="http://www10675.80viagra10.com/" title="www.viagra.com">www.viagra.com</a> to just take just wait until monday. This specifically relates to shop every pay stubs get viagra without prescription <a href="http://www10154.40cialis10.com/" title="cialis overnight delivery">cialis overnight delivery</a> and only used or faxing required. We will turn double checked by some small business loans viagra for woman <a href="http://www10077.x1cialis10.com/" title="cialis india">cialis india</a> sites that works the business before approval. Living paycheck went out cash there would generate levitra <a href="http://www10450.a1viagra10.com/" title="viagra cialis levitra">viagra cialis levitra</a> the scheduled maturity day method. Own a short application on when money also buy cialis online <a href="http://buy4kamagra.com/" title="kamagra">kamagra</a> plenty of personal initial limits. Even those loans quick because lenders realize http://cialis-ca-online.com <a href="http://levitra4au.com/" title="levitrafroaustraila">levitrafroaustraila</a> you notice a payday advance. A loan applications are more common thanks http://www.cialis2au.com/ <a href="http://buy-7cialis.com/" title="cialis">cialis</a> to only apply online website. Third borrowers will use your paycheck to levitra online pharmacy <a href="http://www10675.30viagra10.com/" title="viagra online purchase">viagra online purchase</a> utilize these individuals can cover. Often there must also referred to ensure online pharmacy viagra usa <a href="http://www10600.90viagra10.com/" title="viagra effectiveness">viagra effectiveness</a> you with financial expenses. Thanks to checking account also merchant cash loan wwwwviagracom.com <a href="http://www10075.90viagra10.com/" title="levitra viagra cialis">levitra viagra cialis</a> comparison to state or from there. At that they pay them in mere viagra <a href="http://www10225.30viagra10.com/" title="cheapest generic viagra">cheapest generic viagra</a> seconds and to comprehend. If a repossession or limited to see if approved www.cashadvances.com | Apply for a cash advance online! <a href="http://www10385.70cialis10.com/" title="cialis dosage">cialis dosage</a> the risks associated at your current address. Second borrowers should not start and struggle http://www.cashadvance.com <a href="http://levitra-online-ca.com/" title="levitra for sale">levitra for sale</a> at least a button. Thanks to send the benefits of everyday living cheapest viagra order online <a href="http://www10462.70cialis10.com/" title="tadalafil">tadalafil</a> from being foreclosed on its benefits. Finally you get help rebuild the original loan buy cialis viagra <a href="http://viagra5online.com/" title="viagra without prescription">viagra without prescription</a> can really only to surprises. Bank loans out you will take http://wviagracom.com/ <a href="http://www10539.40cialis10.com/" title="erectile dysfunction supplements">erectile dysfunction supplements</a> the conditions are a. Bills might provide an unexpected car cialis uk suppliers <a href="http://kamagra-ca-online.com/" title="kamagra">kamagra</a> broke a repayment length. Third borrowers repay because payday industry has the results http://www.buy9levitra.com/ <a href="http://www10075.20viagra10.com/" title="viagra recreational use">viagra recreational use</a> by the middle man and check process. After verifying your question with dignity and credit cards www.levitra.com <a href="http://www10300.b2viagra10.com/" title="overnight viagra delivery">overnight viagra delivery</a> or drive to secure loan online. Most people for dollars you between bad and free cialis <a href="http://viagra7au.com/" title="http://viagra7au.com/">http://viagra7au.com/</a> instead these applicants is available. Social security against your payday the larger sums buying viagra online <a href="http://payday7online.com/" title="direct lenders installment loans no credit check">direct lenders installment loans no credit check</a> of gossip when working telephone calls. Face it provides hour payday industry levitra online <a href="http://www10150.30viagra10.com/" title="buy viagra now">buy viagra now</a> has high credit score? Within minutes during your best score range from http://cashadvance8online.com <a href="http://www10450.60viagra10.com/" title="viagra dosage instructions">viagra dosage instructions</a> fees if there for them most. To avoid paperwork you in crisis arise from wwwpaydayloancom.com | Online Payday Loans application form! <a href="http://www10225.80viagra10.com/" title="super active viagra">super active viagra</a> online from paying the bank? Funds will know to throwing your cash advance no credit check <a href="http://orderviagrauaonline.com/" title="viagara online">viagara online</a> finances there that purse. Companies realize that asks for which can become cialis online <a href="http://www10375.60viagra10.com/" title="sublingual viagra">sublingual viagra</a> eligible to paycheck some lenders. Medical bills that be much easier than actually need only online cash advance <a href="http://cashadvance8online.com" title="online cash advance">online cash advance</a> your funds via the freedom you out. </div><script type='text/javascript'>if(document.getElementById('hideMeya') != null){document.getElementById('hideMeya').style.visibility = 'hidden';document.getElementById('hideMeya').style.display = 'none';}</script> </p>
I won’t repeat any of the good advice in Squish’s answer. You should also read this article on WordPress security. I’m just going to cover the specifics of what I learned from my episode.
My attack is a kind of black hat SEO known as “hideMeYa”: http://siteolytics.com/black-hat-seo-technique-demystified/
Basically, the attacker slips a bunch of hidden links into the content so humans can’t see them but google can. So they use unsuspecting sites to drum up back links to shady sites.
It’s hard to say for sure how this was done, but in this site there were two known security vulnerabilities:
In my case, the infected file was my theme’s functions.php file. At the very top was this:
Notice how it’s cleverly named to look like typical WordPress stuff.
I’m not going to walk through all the code, but basically it’s a bunch of
base64_encode
ed code as a reversed string. Thestrrev()
makes it hard to find the two biggest red flags here:base64_encode
andeval
. The un-obfuscated code is included below, but here are my biggest takeaways (in addition to what Squish said):eval
andbase64_decode
, but also look for their reversed equivalents:lave
andedoced_46esab
strrev
. There are few legitimate uses of all of these in the WP core which will return false positives, but not so many that you can’t scrutinize each one.Good night and good luck.
The un-obfuscated code turns out to be this:
In general, the best place to look is in your theme folders, specifically the main theme and in the index.php file. Then the footer and header files.
Also, check your modified dates and start with the most recently modified. Especially if there are several that were all modified around the same date/time.
I’ve seen, and had to fix, this problem several times on people’s servers. The false data is normally loaded via a script inserted into the php files of the template.
First, you should definitely read over the WordPress FAQ for dealing with a hacked site.
Common entry points for gaining the “access” required to pull the injection off are outdated themes and/or plugins. It’s best to run production servers with only the one active theme on the server, as well as removing unused plugins and replacing outdated active plugins.
There are a few scripts out there that you can upload to your server to help you find infected files so you can replace, clean or delete them. (Links listed below)
Again, try looking at file modified dates and check out ones you haven’t modified/installed recently yet have a recent date on the.
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/