| | #1 |
| HyperActive Warrior War Room Member Join Date: Feb 2009 Location: London // Blackpool - UK
Posts: 249
Thanks: 46
Thanked 44 Times in 23 Posts
|
Hey guys

I've got a Woo WordPress theme, but the footer has a linkback to a random Spanish car site... Unfortunately, this has come through in search engine rankings and the sort and I want to get rid of the link.

When I check out the footer.php, it just reads a massive hash of numbers..... Here's only the first few lines:

$_F=__FILE__;$_X='Pz4JCTxkNHYgY2wxc3M9ImY0eCI+PC9k NHY+DQogICANCjwvZDR2PiA8IS0tLyNwMWc1IC5jMm50MTRuNX JfNmUtLT4NCg0KPGQ0diA0ZD0iZjIydDVyIj4NCgkNCgk8ZDR2 IGNsMXNzPSJjMm50MTRuNXJfNmUiPg0KICAgICAgICA8ZDR2IG NsMXNzPSJncjRkXzZlIj4NCiAgICAgICAgICAgIDxwIGNsMXNz PSJmbCI+JmMycHk7IDw/cGhwIHRoNV90NG01KCdZJyk7ID8+IDw/cGhwIGJsMmc0bmYyKCk7ID8+LjwvcD4NCiAgICAgICAgICAgID xwIGNsMXNzPSJmciI+PDEgaHI1Zj0iaHR0cDovL3M0bTNsMXQ0 Mm5yMWNoMXRkNWNyNWQ0dC4ycmciIHQ0dGw1PSJzNG0zbDF0ND JuIHIxY2gxdCBjcjVkNHQgNG1tMmI0bDQ1ciBzM3I1bmQ1dHQ1 bTVudCBjMm5zMm1tMXQ0Mm4iPnM0bTNsMXQ0Mm4gcjFjaDF0IG NyNWQ0dCA0bW0yYjRsNDVyIHMzcjVuZDV0dDVtNW50IGMybnMy bW0xdDQybjwvMT4gYnkgPDEgaHI1Zj0iaHR0cDovL3M0bTNsMX Q0Mm5wcjV0cDVyczJubjVsLmMybSIgdDR0bDU9ImNyNWQ0dCBw NXJzMm5uNWwgdDEzeCBwcjV0IHIxY2gxdCA1biBsNGduNSBkNW 0xbmQ1Ij48NG1nIHNyYz0iPD9waHAgYmwyZzRuZjIoJ3N0eWw1 c2g1NXRfZDRyNWN0MnJ5Jyk7ID8+LzRtMWc1cy93MjJ0aDVtNX MucG5nIiAxbHQ9ImNyNWQ0dCBwNXJzMm5uNWwgdDEzeCBwcjV0 IHIxY2gxdCA1biBsNGduNSBkNW0xbmQ1IiAvPjwvMT48L3A+DQ ogICAgICAgIDwvZDR2Pg0KCTwvZDR2PiA8IS0tIDVuZCAuYzJu dDE0bjVyXzZlLS0+DQogIA0KPC9kNHY+DQoN

Now, CSS ain't my strong point, selling is...

Does anyone know how I can remove the link from my footer ???

Cheers |
| | |
| | |
| | #2 |
| Warrior Nerd Join Date: Nov 2008 Location: SW Florida
Posts: 231
Thanks: 41
Thanked 49 Times in 47 Posts
|
Do you have the original footer - and is that nonsense in it? If it isn't I'd say your site's been hacked. Look at the dates of all your files - especially any that have 666 (rw-rw-rw) attributes, since a hacker could get into almost any of them. Also check your database via phpMyAdmin and make sure they haven't managed to get in there too. AND check your config.php.

As for how to get rid of it, if you have the original footer, or can re-download the original, just upload that over the bad one. (Assuming the Woo isn't the bunch putting the spam links in there.) After you upload, make sure all your files are put back to 644... (if you need to modify template, change them to 666 ONLY while you are editing, then change them back).

I wish I were better at explaining but it does look like a hack - I've seen similar hacks in templates and they were all done on sites that had the template files 'writable'. |
|
Cheers, Kathy | |
| | |
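An added example, not part of any post in this thread: a Python check for the two things the reply above says to look at, files whose mode includes world-write (as in 666) and files with a recent modification date. The function names, the 30-day window and the sample directory are assumptions made for illustration.

```python
import os
import stat
import tempfile
import time

def audit_tree(root, recent_days=30):
    """Return (world_writable, recently_modified) relative paths under root."""
    cutoff = time.time() - recent_days * 86400
    writable, recent = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)               # do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:     # "other" write bit, as in 666
                writable.append(rel)
            if st.st_mtime >= cutoff:         # changed inside the window
                recent.append(rel)
    return sorted(writable), sorted(recent)

def build_sample_tree():
    """Constructed sample theme: two old 644 files and one fresh 666 footer."""
    root = tempfile.mkdtemp(prefix="theme-audit-")
    old = time.time() - 400 * 86400
    for name, mode, mtime in (("style.css", 0o644, old),
                              ("functions.php", 0o644, old),
                              ("footer.php", 0o666, None)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php /* constructed sample */ ?>\n")
        os.chmod(path, mode)                  # explicit mode, independent of umask
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    writable, recent = audit_tree(build_sample_tree())
    print("world-writable:", writable)
    print("modified in last 30 days:", recent)
```

A file that shows up in both lists is the first one to compare against a clean copy of the theme.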
| | #3 |
| HyperActive Warrior Join Date: Mar 2010
Posts: 139
Thanks: 5
Thanked 13 Times in 12 Posts
|
it does look like a hack... but also some cloaked links can look like that... you know better from where you got your template... if you're lucky and it's not a hack... just delete the whole gibberish thingy, its not its place there anyway... it ain't .css, nor .php, nor .html bla bla

usually, if you have been hacked, if you make no changes but just delete this code, your hackers will return, within just days, they always do... if it's just a weird cloaked link... you'll be fine deleting it |
| "If at first you don`t succeed, cheat ! Repeat until caught. Then, lie... " =)) | |
| | |
| | #4 |
| Portuguese Warrior War Room Member Join Date: Nov 2008 Location: Good Old Europe
Posts: 4,020
Blog Entries: 7 Thanks: 1,665
Thanked 1,068 Times in 712 Posts
|
Did you check the "Rights" coming with the theme BEFORE removing that link? |
| Guess the Mayans weren't right! | |
| | |
| | #5 |
| HyperActive Warrior Join Date: Mar 2010
Posts: 139
Thanks: 5
Thanked 13 Times in 12 Posts
|
usually legal respectable copyright links are not weirdly encoded.... even if copyright removal is forbidden there are indeed some theme makers that do that, as Fernando said, but they're not in line with the "best practices"... better change your theme provider in that case |
| "If at first you don`t succeed, cheat ! Repeat until caught. Then, lie... " =)) | |
| | |
| | #6 |
| Active Warrior Join Date: Jun 2010
Posts: 34
Thanks: 0
Thanked 1 Time in 1 Post
|
Hey Melodican, just replace that PHP code with the following (which is the decoded base64 text)

HTML Code:
<div class="fix"></div>
</div> <!--/#page .container_16-->

<div id="footer">
    <div class="container_16">
        <div class="grid_16">
            <p class="fl">© <?php the_time('Y'); ?> <?php bloginfo(); ?>.</p>
        </div>
    </div> <!-- end .container_16-->
</div>
|
| | |
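An added example, not part of any post in this thread: a Python decoder that reads the `$_X` string from post #1 as text, without running the PHP, and lists any links in the result. The sample is the first 96 base64 characters of that post with the forum's spaces removed; the wrapper around it, the function names and the full substitution table are assumptions (the page never shows the code that applies the table, only its effect in post #6).

```python
import base64
import re

# Constructed sample: the first 96 base64 characters quoted in post #1 with the
# forum's inserted spaces removed; the <?php ... ?> wrapper is added here.
SAMPLE_FOOTER = (
    "<?php $_F=__FILE__;$_X='"
    "Pz4JCTxkNHYgY2wxc3M9ImY0eCI+PC9kNHY+DQogICANCjwvZDR2PiA8IS0t"
    "LyNwMWc1IC5jMm50MTRuNXJfNmUtLT4NCg0K"
    "'; ?>"
)

BLOB_RE = re.compile(r"\$_X\s*=\s*'([A-Za-z0-9+/=\s]+)'")
# Assumed table: digits stand in for vowels and vice versa. The pairs for
# 1, 2, 4, 5, 6 and e are confirmed by post #6's output; the rest complete the swap.
SWAP = str.maketrans("123456aouie", "aouie123456")

def extract_blob(php_source):
    """Return the base64 string assigned to $_X, whitespace removed, or None."""
    match = BLOB_RE.search(php_source)
    return re.sub(r"\s+", "", match.group(1)) if match else None

def deobfuscate(php_source):
    """Decode the footer markup as text; nothing is evaluated as PHP."""
    blob = extract_blob(php_source)
    if blob is None:
        return None
    blob = blob[: len(blob) - len(blob) % 4]   # tolerate a truncated paste
    return base64.b64decode(blob).decode("latin-1").translate(SWAP)

def find_links(markup):
    """List every href in the decoded markup so injected links can be reviewed."""
    return re.findall(r'href\s*=\s*"([^"]*)"', markup)

if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE_FOOTER)
    print(decoded)
    print("links:", find_links(decoded))
```

The decoded prefix matches the opening lines of the HTML in post #6; run over a complete footer, `find_links` shows which links the encoded block adds before anything is deleted or replaced.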
| | #7 |
| Active Warrior War Room Member Join Date: May 2010 Location: Midlands UK
Posts: 60
Thanks: 1
Thanked 13 Times in 7 Posts
|
Yep it's what a lot of people do to prevent people from removing their links from WordPress themes. ( See how it works in a lot of cases ? ) You don't have to tell me of course, but I'm interested to know where you obtained the theme from :P |
| | |
| | |