Help with a hacked WP site

13 replies
Someone put some small clickable ads at the bottom of my site and I can not find the code to get rid of it, (see picture) I looked at the index, style sheet and footer files with no luck, any suggestions would be greatly appreciated.
#acked #site
  • Profile picture of the author PhilHardaker
    Hi, I found your website, and you have bigger problems that just that. There is Russian-looking writing on the top. If I access it from a foreign country, it is redirected.
    WTF is lawyer-26? Is that even legitimate?
    You said 'your' site: Are you Mark Robinson attorney in Toledo?
    Sorry this post is looking a little suspicious!
    {{ DiscussionBoard.errors[11111850].message }}
    • Profile picture of the author tjs1954
      Originally Posted by PhilHardaker View Post

      Hi, I found your website, and you have bigger problems that just that. There is Russian-looking writing on the top. If I access it from a foreign country, it is redirected.
      WTF is lawyer-26? Is that even legitimate?
      You said 'your' site: Are you Mark Robinson attorney in Toledo?
      Sorry this post is looking a little suspicious!
      The site is Mark Robinson Law dot com he is my lawyer here in Toledo and I built the website for him. I don't know what you mean about lawyer-26? When I look at it in Firefox it looks normal except for the links at the bottom.
      {{ DiscussionBoard.errors[11111969].message }}
      • Profile picture of the author PhilHardaker
        Well, you didn't provide a url before, so I searched with google for this double exact string:
        "these men ask for just the same" "this office is dedicated to seeing"
        and I got one result,
        http:
        //
        lawyer-26.xyz/mark-robinson-attorney-toledo
        It looks bogus. I broke up the link because I think the admins will delete my post...

        Ok now that you provided the real link, I view source and see the spam links inside a paragraph with class name "art-page-footer".
        Are you using a footer widget?
        Do you know how to search the template directory for files with that string?
        Do you know how to search the database for that string?
        I am guessing you will find it in one of those places!
        {{ DiscussionBoard.errors[11112558].message }}
        • Profile picture of the author tjs1954
          Phil, I didn't see the code in the style sheet footer area but I did find something in the database I have never seen before, can I delete the entry?
          {{ DiscussionBoard.errors[11112802].message }}
  • Profile picture of the author TomtheOtter
    Have you tried scanning with Sucuri or Wordfence? These two free plugins pick most malware up.

    If redirects are happening it sounds like your htaccess file is infected too.

    It sometimes takes a lot of work to totally clean up a wordpress installation.
    {{ DiscussionBoard.errors[11112025].message }}
    • Profile picture of the author tjs1954
      I scanned it with Wordfence and it didn't find anything, I'll try Sucuri and it found this;
      Example of .htaccess code doing the redirection

      Anyone coming from a search engine, gets redirected to a russian site:
      RewriteEngine On RewriteOptions inherit RewriteCond %{HTTP_REFERER} .*(msn|altavista|ask|google|bing|yahoo).*$ [NC] RewriteRule .* http://wp-twitt.ru/wp-image?5 [R,L]
      {{ DiscussionBoard.errors[11112062].message }}
      • Profile picture of the author tjs1954
        This is what my .htaccess file looks like, what should I remove?
        # BEGIN WordPress
        <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresByType image/jpg "access plus 1 year"
        ExpiresByType image/jpeg "access plus 1 year"
        ExpiresByType image/gif "access plus 1 year"
        ExpiresByType image/png "access plus 1 year"
        ExpiresByType text/css "access plus 1 month"
        ExpiresByType application/pdf "access plus 1 month"
        ExpiresByType text/javascript "access plus 1 month"
        ExpiresByType text/html "access plus 2 hours"
        ExpiresByType image/x-icon "access plus 1 year"
        ExpiresDefault "access plus 6 hours"
        </IfModule>
        Options -Indexes
        Header set X-Endurance-Cache-Level "2"
        <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteRule ^/wp-content/endurance-page-cache/ - [L]
        RewriteCond %{REQUEST_METHOD} !POST
        RewriteCond %{QUERY_STRING} !.*=.*
        RewriteCond %{HTTP_COOKIE} !(wordpress_test_cookie|comment_author|wp\-postpass|wordpress_logged_in|wptouch_switch_toggle |wp_woocommerce_session_) [NC]
        RewriteCond %{DOCUMENT_ROOT}/wp-content/endurance-page-cache/$1/_index.html -f
        RewriteRule ^(.*)$ /wp-content/endurance-page-cache/$1/_index.html [L]
        </IfModule>
        <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteRule ^index\.php$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.php [L]
        </IfModule>

        # END WordPress
        {{ DiscussionBoard.errors[11112067].message }}
      • Profile picture of the author TomtheOtter
        Yep. Get rid of that line for a start. This makes any traffic coming from one of those referers redirect to that Russian website.

        Have a look at the Wordpress Codex site to see how your htaccess file should look https://codex.wordpress.org/htaccess

        Once you've sorted that out you need to work out how the hackers amended your htaccess file. Do you have any outdated plugins or themes. Get rid of anything unnecessary.

        Have a look in the parent directory for your site. There may be directories in there that have loads of dodgy code. When hackers gain access to your site it's unlikely they change just one thing.
        {{ DiscussionBoard.errors[11112145].message }}
        • Profile picture of the author tjs1954
          get rid of which line? Tom
          {{ DiscussionBoard.errors[11112153].message }}
  • Profile picture of the author yukon
    Banned
    Odds are it's hidden base64 code. Here's more info. on finding and fixing the problem (spam links).

    Read that page (link above), let me know If you still need help.
    Signature
    Hi
    {{ DiscussionBoard.errors[11112076].message }}
    • And id you are not technical, hire sucuri to clean the hack.

      A hacked website MUST be cleaned. Its also bad for seo.

      And maybe there are backdoors in the files somewhere ...
      {{ DiscussionBoard.errors[11112188].message }}
  • Profile picture of the author yukon
    Banned
    You're over complicating this.

    It's a wordpress site, so, odds are you've installed a free plugin or theme that is preloaded with spam/links.

    Read the link I've already posted... turn off plugins, one at a time, change back to the default theme. This will tell you where the problem is located.
    Signature
    Hi
    {{ DiscussionBoard.errors[11112923].message }}
    • Profile picture of the author tjs1954
      I created the site a couple years ago with all the plugins, those links just recently showed up, I switched back to a default theme and uninstalled WP then reinstalled switched back to the law theme and they are still there.
      {{ DiscussionBoard.errors[11112932].message }}

Trending Topics