
This site may be compromised

Discussion in 'BlackHat Lounge' started by lloughry, Aug 22, 2013.

  1. lloughry

    lloughry Regular Member

    Joined:
    Jan 23, 2013
    Messages:
    337
    Likes Received:
    100
    I have a site I kind of abandoned a little over a year ago. Recently it popped up in a Google search I did with the warning "this site may be compromised". So I logged into Webmaster Tools and there were no warnings... I thought that was odd.

    In going through Webmaster Tools I get to the keyword density report. The most common keywords are not anything remotely related to the site. Cialis, Viagra, etc. are the most common keywords.

    But I don't see them anywhere on the site. Not on posts or pages; comments are Facebook comments. The site has been compromised somehow. Would anyone care to share how they did it?
     
  2. download

    download Jr. VIP Jr. VIP Premium Member

    Joined:
    May 4, 2010
    Messages:
    1,271
    Likes Received:
    712
    Location:
    USA
    Did you use any "cracked" themes or plugins? That is a common reason - they may be displaying spam only when you are not logged into WordPress (or it detects that the visitor is a new IP address).
     
  3. lloughry

    lloughry Regular Member

    None, the site is very straight up. I put it together long before I discovered BHW. I was just going through it again; Webmaster Tools lists the URLs where those keywords are found and there is nothing there.
     
  4. nikiobicata

    nikiobicata Regular Member

    Joined:
    Mar 4, 2011
    Messages:
    443
    Likes Received:
    365
    Occupation:
    IT Director
    Location:
    New York
    Home Page:
    You need to search inside your code. Check View Source with your browser and search for these keywords on these pages and you will find them.
     
    • Thanks Thanks x 1
  5. lloughry

    lloughry Regular Member

    Does this mean it's coming from Facebook comments? (Taking out the pharma domain, it may very well be a BHW member's site.) *Edit: a lot more showed up when I pasted than I saw in the code console... bunches of domains.

    Any thoughts on how to remove this? Oh, and prevent it on my other sites.


    <div class="casualcycle2"> <p>Such funding than documents to conduct the vardenafil levitra online <a href="http://PHARMA DOMAIN" title="vardenafil levitra online">vardenafil levitra online</a> forfeiture and afford some lenders.Treat them with responsibility it often there how to use viagra <a href="http://another" title="how to use viagra">how to use viagra</a> who have simply do we!Simple log onto tough right into once it cialis <a href="http://and another" title="cialis">cialis</a> the privilege of cash quickly.Professionals and valid identification and their houses from paycheck viagra <a href="http://and another" title="viagra">viagra</a> from days if that extra cost prohibitive.They cover all made available is the quickest cialis without prescription <a href="http://and another" title="cialis without prescription">cialis without prescription</a> easiest thing important thing they need.Low fee so when money as cheap levitra online vardenafil <a href="http://and another" title="cheap levitra online vardenafil">cheap levitra online vardenafil</a> you commit to provide.Life happens to this convenience of may contact our cialis online <a href="http://and another" title="cialis online">cialis online</a> unsecured easy method for military personnel.Unlike other important for business or cialis <a href="http://again" title="cialis">cialis</a> filling out wanting paychecks.An alternative methods to deny someone tries to people viagra <a href="http://buy7-viagra.co.uk" title="viagra">viagra</a> and time comparing services like home state.Getting on friday might want the cialis <a href="http://again" title="cialis">cialis</a> value of submitting it.By tomorrow you only sit back than buy levitra <a href="http://buy4-again" title="buy levitra">buy levitra</a> knowing your gas anymore!Stop worrying about whether you before the board although not levitra <a href="http://still going" title="levitra">levitra</a> served by with an unseen medical bill.Online payday as such 
as fifteen minutes levitra online <a href="http://yep, more" title="levitra online">levitra online</a> using their best deal.Stop worrying about getting financing for them viagra <a href="http://viagra" title="viagra">viagra</a> and why getting it.However maybe payments they asked for unspecified personal budget cheap levitra online vardenafil <a href="http://levitra" title="cheap levitra online vardenafil">cheap levitra online vardenafil</a> even a set to plan to comprehend.</p> </div> <div id="fb-root"></div> <script> window.fbAsyncInit = function() { FB.init({appId: '205960586103305', status: true, cookie: true, xfbml: true}); }; (function() { var e = document.createElement('script'); e.async = true; e.src = document.location.protocol + '//connect.facebook.net/en_US/all.js'; document.getElementById('fb-root').appendChild(e); }()); </script> <div id="container"> <div id="page"> <div id="header"> <p id="logo">
     
    Last edited: Aug 22, 2013
  6. lloughry

    lloughry Regular Member

    Everyone go to bed?
     
  7. nikiobicata

    nikiobicata Regular Member

    Is this WordPress? Or just HTML?
     
  8. lloughry

    lloughry Regular Member

    WordPress, still version 3.5 Thesis Theme

    plug-ins are:
    404 redirected
    Contact Form 7
    Contact Form DB
    Feedburner Email Widget
    Google Analytics
    Google Sitemap plug-in
    Jetpack
    Ultimate Tinymce
    WP youtube channel gallery
     
  9. tompots

    tompots Elite Member Premium Member

    Joined:
    Dec 11, 2011
    Messages:
    4,352
    Likes Received:
    3,955
    Gender:
    Male
    Occupation:
    Full Time Bot Developer
    Location:
    Professional Botters
    Home Page:
  10. Martin1971

    Martin1971 Senior Member

    Joined:
    Jan 7, 2013
    Messages:
    907
    Likes Received:
    281
    Location:
    Netherlands
    I think your site is hacked, maybe you used a cracked plug in...
     
  11. Goal Line Technology

    Goal Line Technology Senior Member

    Joined:
    Dec 30, 2011
    Messages:
    929
    Likes Received:
    2,157
    From where did you "get" your Thesis theme?
     
  12. HerpDerpSlerp

    HerpDerpSlerp Power Member

    Joined:
    Mar 19, 2013
    Messages:
    778
    Likes Received:
    623
    You used a cracked plugin that carried these links over.
     
  13. lloughry

    lloughry Regular Member

    To my knowledge nothing on the site is a cracked plug-in. That said, I knew nothing about WordPress when it was set up and had it done by someone I found on oDesk.

    When I was regularly monitoring this site none of this showed up, which had me believing that the site was hacked at some point and this added to the code. I will go look at the history of my plug-ins.
     
  14. UrsuAke

    UrsuAke Power Member

    Joined:
    Sep 28, 2011
    Messages:
    700
    Likes Received:
    978
    Occupation:
    SEO Specialist.
    Location:
    Romania, land of choice
    That looks like a PHP injection using WP exploits but I may be mistaken, I'm not a good programmer. Try rolling back to an older clean version of your site if you have one on backup.

    And try to install some protection plugins for safety.
     
    • Thanks Thanks x 2
  15. lloughry

    lloughry Regular Member

    OK, so I did not have an older version of the site backed up (all my sites are now). I installed the Wordfence plug-in and was able to find the plug-ins that had been changed. It was share-a-holic and the contact form plug-in. Uninstalled, deleted those files and re-installed clean plug-ins.

    Now when I view my source code I cannot find the code I pasted above anywhere, so I had Google recrawl the site. According to Webmaster Tools the most common word in my site is still levitra.... When I look at the preview of my site in the GoDaddy control panel the header on the home page still shows these keywords and outbound links but I cannot find them. I spent hours going through all of my HTML and PHP files, not just the header files.

    Any ideas on how to remove this? Or can anyone recommend a trustworthy source to remove it? I don't use the site for much anymore but it's a PR3 domain that is well aged and I could easily make some money from guest posts on the site; it's a competitive niche.
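
The thread describes spam links that the crawler and the hosting preview see but the owner's own "view source" does not. As an added example (not part of the thread and not any poster's code), this Python script compares two saved copies of the same page, one as a normal browser receives it and one as a search crawler receives it, and lists the outbound links that appear only in the crawler copy with the pharma anchor text named in the thread. The host names and both HTML captures are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Keywords taken from the thread's keyword report.
SPAM_TERMS = ("viagra", "cialis", "levitra")

class LinkCollector(HTMLParser):
    """Collect (host, anchor text) for every <a href=...> in a page."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            host = urlparse(self._href).hostname or ""
            self.links.append((host, "".join(self._text).strip().lower()))
            self._href = None

def outbound_links(html, own_host):
    """Set of (host, anchor text) pairs that point away from own_host."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return {(h, t) for h, t in parser.links if h and h != own_host}

def cloaked_spam(browser_html, crawler_html, own_host):
    """Links served only to the crawler whose anchor text has a spam term."""
    only_crawler = outbound_links(crawler_html, own_host) - outbound_links(browser_html, own_host)
    return sorted(l for l in only_crawler if any(t in l[1] for t in SPAM_TERMS))

# Constructed captures: what a browser gets vs. what a crawler gets.
BROWSER_HTML = ('<div id="container"><a href="/about">About</a>'
                '<a href="http://mysite.example/post">Post</a>'
                '<a href="http://partner.example/">Partner</a></div>')
CRAWLER_HTML = ('<div class="casualcycle2"><p>filler '
                '<a href="http://pharma-one.example/" title="cialis">cialis</a> filler '
                '<a href="http://pharma-two.example/" title="buy levitra">buy levitra</a>'
                '</p></div>' + BROWSER_HTML)

if __name__ == "__main__":
    for host, text in cloaked_spam(BROWSER_HTML, CRAWLER_HTML, "mysite.example"):
        print(f"crawler-only link: {host}  anchor={text!r}")
```

A non-empty result means the injection is conditional on who is asking, so the remaining malicious code is in server-side PHP or the database rather than in the HTML the owner sees.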