Hacked? Random .php links…

Looks like someone decided to do some naughty SEO on your site by hacking it O.o … it looks like its just in your footer, just go into that file and delete everything after </html> and it should go.

Then change all your log in info for the server if you can.

and then you need to find out where the actual problem lies. Here’s some good reading. If you don’t find out how you were hacked, it’ll just keep happening

https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://ocaoimh.ie/did-your-wordpress-site-get-hacked/
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://www.snipe.net/2010/01/when-wordpress-gets-hacked/

My Experiences with being hacked:
https://www.rvoodoo.com/2010/02/the-dreaded-base64-wordpress-hack-and-other-hacks-too/

And when you’re done:
https://codex.www.ads-software.com/Hardening_WordPress

Thanks.

I looked through the footer file in my theme, but couldn’t find anything after the </HTML>.

Is there any other place the code could be hiding?

In the themes root folder I did find an index.php file with the contents…

<?php
// Silence is golden.
?>

Could this have something to do with it?

Ohhh k, This is the poblem with your footer. You can edit the links from footer.php file. You can edit the file from your WordPress admin panel.

If you are using the free design, then it may be sponsorers which you are not allowed to remove. I you do so, your wordpress theme will stop working.

One more thing, is are the links at the footer strange or you already know the links and are in your site branch?

The code could be generated through a different file, if you aren’t seeing anything in your footer. The links above should give you a clue on how to find the file. Sometimes js or php files can be snuck onto your server which will insert links

Are you sure that your site has been hacked?

Still having trouble finding the hack. The below is in the footer file.

<!-- Footer -->
		<td id="footer" colspan="<?php echo $cols; ?>">	

		<p>
		<?php echo bfa_footer($bfa_ata_footer_style_content); ?>
		</p>
		<?php if ($bfa_ata_footer_show_queries == "Yes - visible") { ?>
		<p>
		<?php echo $wpdb->num_queries; ?><?php _e(' queries. ','atahualpa'); ?><?php timer_stop(1); ?><?php _e(' seconds.','atahualpa'); ?>
		</p>
		<?php } ?>

		<?php if ($bfa_ata_footer_show_queries == "Yes - in source code") { ?>
		<!--
		<?php echo $wpdb->num_queries; ?><?php _e(' queries. ','atahualpa'); ?><?php timer_stop(1); ?><?php _e(' seconds.','atahualpa'); ?>
		-->
		<?php } ?>		

		<?php wp_footer(); ?>
		</td>
		<!-- / Footer -->

or in my main index.php, does this look right?

<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>

I noticed that my index.php file was edited on 8-2. The first day I noticed the problem. The above post has everything inside the index.php file.

Nevermind. Stupid mistake. It was below the fold of my index.php. Now I just have to get rid of it.

Hmm. Even after I manually remove it and save the file, it reappears. Still working on it.

Fixed.