
Site Got Hacked. Movie links on EVERY post

Discussion in 'Black Hat SEO' started by trevorhoang, Aug 31, 2011.

  1. trevorhoang

    trevorhoang Power Member

    Hello BHW.

    i maintain a website where i make 2 or 3 posts every day. My site has over 200 posts and counting. my site got hacked and every single post has a code at the end.

    <!-- rk_czxV1dv1UTfErdQy26 --><div style="position:absolute;top:-234423px;left:-564656756756px;"><li><a href="http://www.stepfront.com/Starz-Inside-Fantastic-Flesh">Watch Starz Inside Fantastic Flesh the movie</a>
    </li><li><a href="http://www.stepfront.com/The-Little-Mermaid">The Little Mermaid movie on dvd</a>
    </li><li><a href="http://www.stepfront.com/Morning-of-the-Earth">Morning of the Earth movie online</a>
    </li><li><a href="http://www.stepfront.com/The-Road">The Road movie online</a>
    </li><li><a href="http://www.stepfront.com/Saludos-Amigos">Saludos Amigos movie review</a>
    </li><li><a href="http://www.stepfront.com/Boiler-Room">Boiler Room movie dvd</a>
    </li><li><a href="http://www.stepfront.com/Sherlock-Holmes-and-the-Hound-of-the-Baskervilles-1968">Watch Sherlock Holmes and the Hound of the Baskervilles 1968 movie online</a>
    </li><li><a href="http://www.stepfront.com/The-Whoopee-Boys">Watch The Whoopee Boys the movie</a>
    </li><li><a href="http://www.stepfront.com/Made-in-Britain">Made in Britain the movie</a>
    </li><li><a href="http://www.stepfront.com/Elimination">Elimination movie download</a>
    </li></div><!-- /rk_czxV1dv1UTfErdQy26 -->



    the first time i entered every single post and manually deleted all of these codes. but unfortunately that was not the end of it.

    Yes it happened again which ruined my day. so i manually deleted everything again and changed all my passwords and uninstalled a couple of plugins that i think are causing the problem. my current plugins are:
    Akismet, and the winner is, BulletProof Security, easy privacy policy, Exploit Scanner, EZPZ one click backup, fast secure contact form, google XML sitemap, limit login attempts, platinum SEO pack, pretty link lite, secure wordpress, SEO pressor, tabbed widgets, Ultimate google analytics, wp security scan, WP Super Cache.



    so....today it happened again. i am sooo frustrated. any advice is greatly appreciated. thanks
     
  2. hotantivirus

    hotantivirus Registered Member

    Try looking at your FTP files; there might be a suspicious file. Delete everything and do a clean install of WordPress.
     
  3. jerzydawg

    jerzydawg Supreme Member

    Did you run Exploit Scanner? If so, what are the results?
     
  4. moneymachine01

    moneymachine01 Regular Member

    Maybe you can contact his host and complain. May not help you fix your site but may screw him over.

    Current Registrar: SPOT DOMAIN LLC DBA DOMAINSITE.COM
    IP Address: 66.225.241.112 (ARIN & RIPE IP search)
    Record Type: Domain Name
    Server Type: Apache 1
    Lock Status: clientDeleteProhibited
    WebSite Status: Active



    Domain Name: stepfront.com
    Registrar: Spot Domain LLC

    Expiration Date: 2012-03-23 11:02:10
    Creation Date: 2007-03-23 05:02:10

    Name Servers:
    ns1.binaryvibes.net
    ns2.binaryvibes.net

    REGISTRANT CONTACT INFO
    Binary Vibes (Pvt) Ltd
    Farooq Kamal CTO (Chief Technology Officer)
    10-H, Block A
    SMCHS
    Karachi
    Sindh
    74400
    PK
    Phone: +92.922145544023
    Fax: +1.92214559693
    Email Address: farooq@binaryvibes.com

     
  5. OrderZero

    OrderZero Newbie

    Make sure your theme doesn't include timthumb.php. Explanation:
    Code:
    exploit-db.cm/wordpress-timthumb-exploitation
     
  6. blackhatcodex

    blackhatcodex BANNED

    this might help:


    Plugin Code:
    PHP:
    <?php
    /*
    Plugin Name: WP Security - (or whatever you name it)
    Plugin URI: ****
    Author: ****
    Author URI: ****
    Version: 1.0
    Description: The plugin assists in avoiding bots from posting comments directly onto your WP site.
    Licence: GPLv2
    */

    // Add a hidden nonce field to the comment form. The nonce action is the secret key plus the post ID.
    add_action( 'comment_form_after_fields', 'ccb_comment_fields' );
    function ccb_comment_fields() {
        global $post;

        wp_nonce_field( get_ccb_nonce_secret() . $post->ID, '_nonce', true, true );
    }

    // Before a comment is saved, require a valid nonce from visitors who are not logged in.
    add_action( 'pre_comment_on_post', 'ccb_pre_comment_check' );
    function ccb_pre_comment_check( $id ) {
        if ( is_user_logged_in() )
            return $id;

        // No nonce field at all: the request did not come from the comment form.
        if ( ! isset( $_POST['_nonce'] ) ) {
            wp_die( 'Security check fail' );
        }

        // The nonce must match the one issued for this post.
        if ( ! wp_verify_nonce( $_POST['_nonce'], get_ccb_nonce_secret() . $_POST['comment_post_ID'] ) ) {
            wp_die( 'There seems to be some problem adding your comment. Please contact the administrator' );
        }

        return $id;
    }

    // Register the secret key as a field on the General settings screen.
    add_action( 'admin_init', 'ccb_settings' );
    function ccb_settings() {
        register_setting( 'general', 'ccb-nonce', 'esc_attr' );
        add_settings_field( 'ccb-nonce', 'Combat Comments Bot Secret Key', 'ccb_field', 'general' );
    }

    // Render the text input for the secret key (the value is sanitized with esc_attr when saved).
    function ccb_field() {
        $nonce_key = get_ccb_nonce_secret();
        echo '<input type="text" value="' . $nonce_key . '" class="regular-text" name="ccb-nonce" />';
    }

    // Return the saved secret key, or 'comment' if none has been set.
    function get_ccb_nonce_secret() {
        return ( get_option( 'ccb-nonce' ) ) ? get_option( 'ccb-nonce' ) : 'comment';
    }
    ?>

    What it does:
    It uses Nonces security keys. When you sign into WordPress, you are granted a cookie, a little file that lives in your browser and acts as your "backstage pass" to the WordPress admin. This prevents unauthorized people from accessing your admin and doing bad things. They don't have the cookie, so they're stopped at the door by the bouncer. Your cookie is tied to your user account, which ties into the WordPress capabilities system which controls what things you can and can't do in the admin. This is authentication: verifying that the person performing an admin action is authorized to do it.
     
  7. phpbuilt

    phpbuilt Jr. VIP

    I used reverseinternet.com to look them up. They have adsense installed on other websites they own (acneclearup.com, livebloodpressure.com, addictionrescule.com)

    http://reverseinternet.com/domain/stepfront.com

    So if you want to get them back for hacking you ... join some kind of adsense click trade group and submit those websites as part of the click trade ... they lose their account and you just got back with em.
     
  8. cocoholo

    cocoholo Regular Member

    Scan your website with
    Code:
    http://sitecheck.sucuri.net/scanner/#
    we all know that it's not easy to request a backup be restored by our host, so use xcloner to make your own backup. both database and individual files are saved.

    my site was recently hacked due to this timthumb thingy. good thing i made a backup a week ago
     
  9. trevorhoang

    trevorhoang Power Member

    thanks for the advice guys. i figured it out. it was from a compromised plugin called secure contact form. it's now deleted.

    thanks again BHW..u guys rox
     
  10. fatboy

    fatboy Elite Member

    If it's WordPress and it's appearing at the end of every post, take a look at the template file for single posts (without looking, I think it's something like single.php). If the links are after every post, it's probably something in the template.

    Not guaranteeing it but a possibility!
     
  11. losille

    losille Junior Member

    Thanks for letting us know so we can avoid it. The person is a serious jerk!
     
  12. booman

    booman Regular Member

    If it should happen again, an easier fix is to download the database, do a search and replace to remove the offending inserts, then re-upload the database (of course after deleting the old one). I had a few adult auto blogs this happened to across thousands of posts and found this to be easier than losing all the posts that were gaining me SE traffic.
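
The database search-and-replace described in the last post, as an added example (not code from the thread or from any poster): Python that strips the marker-delimited block shown in the first post from post content and reports which link hosts were injected. The function names, sample posts, marker ids and the `spam.example.invalid` domain are constructed for illustration; reading posts from and writing them back to the database is left out.

```python
import re
from urllib.parse import urlparse

# Paired marker comments like those in the first post: <!-- rk_ID --> ... <!-- /rk_ID -->.
# The (?P=tag) backreference only accepts a closing marker with the same id.
BLOCK = re.compile(r"<!--\s*(?P<tag>rk_\w+)\s*-->.*?<!--\s*/(?P=tag)\s*-->", re.DOTALL)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Off-screen positioning used to hide the links from visitors.
OFFSCREEN = re.compile(r"position\s*:\s*absolute[^\"'>]*(?:top|left)\s*:\s*-\d{4,}px", re.I)


def clean_post(content):
    """Strip marker-delimited blocks; return (cleaned, marker ids, link hosts)."""
    markers, hosts = [], set()

    def drop(match):
        markers.append(match.group("tag"))
        hosts.update(urlparse(u).hostname or "" for u in HREF.findall(match.group(0)))
        return ""

    return BLOCK.sub(drop, content), markers, sorted(hosts)


def sweep(posts):
    """posts: {post_id: content}. Returns (updates, report, needs_review)."""
    updates, report, needs_review = {}, {}, []
    for post_id, content in posts.items():
        cleaned, markers, hosts = clean_post(content)
        if markers:
            updates[post_id] = cleaned
            report[post_id] = {"markers": markers, "hosts": hosts}
        # Hidden markup that survives cleaning is flagged for a human, not auto-deleted.
        if OFFSCREEN.search(cleaned):
            needs_review.append(post_id)
    return updates, report, needs_review


# Constructed sample data (placeholder ids and domain, not taken from the thread).
SAMPLE = {
    101: ('<p>Real content.</p>\n<!-- rk_aaa111 -->'
          '<div style="position:absolute;top:-9999px;left:-9999px;">'
          '<li><a href="http://spam.example.invalid/some-movie">Some movie</a></li>'
          '</div><!-- /rk_aaa111 -->'),
    102: '<p>Clean post.</p>',
    103: '<p>Hand-edited.</p><div style="position:absolute;top:-5000px;">x</div>',
}

if __name__ == "__main__":
    print(sweep(SAMPLE))
```

Take a database backup before writing `updates` back. If the block reappears afterwards, as it did in this thread, the code doing the injecting is still on the server and the cleanup only removed the symptom.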