• Resolved chowell18

    (@chowell18)


    Just a note to everyone on the forums that my fresh WP 2.7 upgrade was hacked over the weekend. Prior to the site going down, there was a very heavy amount of spam comments… not sure if that was the culprit or not.

    The mischief left the site showing a PHP setting type page w/ user options to upload files to the FTP, etc. Not exactly safe…

    Had to restore from a previous version to recover the site – re-uploading the files did not work. Server-level restore (from backup).

    Lesson to everyone – BACKUP your blog or you could lose everything!

    If anyone else has experienced this, I would certainly like to know how to avoid it. For the time being, I have implemented stronger commenting restrictions, changed logins, etc.

Viewing 11 replies - 31 through 41 (of 41 total)
  • Sorry whooami,

    I wasn’t trying to add to your work load

    Happy Holidays!

    you too!!

    Thread Starter chowell18

    (@chowell18)

    Thanks for all the help in identifying the “real” problem. I have basically gone through each folder to check if the 2.7 files were there. If other files were present, they got deleted. We’ll see what happens from here.

    I do know one thing… it will surely be nice to get back in Google’s good graces w/ all those shady links off the site now.

    Thanks everyone who commented/contributed.
    (Btw… If you can edit the title, please do so. I honestly do not want to give WP a bad name or rep.)

    If other files were present, they got deleted

    good move.

    chowell18, I experienced a similar hack a few months ago when I was running a very old version of WP. Those spam links are probably stored in your database. You will have to go to PHPAdmin, go to the right database/table, open each article, remove the spam links and then save the article. If you have a clean database backup to restore from, then that will make your job easier. But the 2.3.3 database will probably not work with 2.7. So, your options are:

    (1) Stay at WP 2.7 and clean up each article by going to PHPAdmin as described above.
    (2) Go back to WP 2.3.3, restore from clean database backup, upgrade to WP 2.7 once again.

    the spam links were in the footer. they were NOT inside content. Thus, not in the database.

    Thread Starter chowell18

    (@chowell18)

    One thing I did find was a PHP function call in several theme footers.

    The call was for “_wp_footer”, which looks all fine and normal except for the leading underscore which is not normally there.

    I removed these occurrences, but I was not able to find where the actual “function” resides. In other words, the footer was requesting something to happen from _wp_footer, but where was it getting its instructions?

    Anyone have a starting point and/or place to look? Or even a way to find it? Note: searching for that string only brought up results in the theme files.

    I’d really like to get this thing entirely wiped off my site, so I appreciate any advice/tips.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    You could re-upload all the 2.7 core files (do a delete and upload) just to be safe.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    One thing I did find was a PHP function call in several theme footers.

    Look for “base64” and “eval” in any files at all. You may find it in a couple of WP files, that’s fine. But what you really want to look for is anywhere where it might be there along with a heaping ton of gibberish looking code. Random letters. This is the usual way of hiding code.

    Thread Starter chowell18

    (@chowell18)

    Saw the “base” and “eval” and a bunch of the gibberish in the “Freedomwall” theme footer.php that I had uploaded at one time (it is no longer online).

    The junk code was within a <php> tag and nothing else was in the file, so would it be a correct assumption to say that is part of the source at least?

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    Possibly, yes. I’d remove the theme entirely.

    Themes that attempt to hide code from you are bad. Never use them. Some “premium” theme authors attempt to do this sort of thing to enforce their silly rules (which I consider to be linkspam), but sometimes bad sites insert malicious code into these themes in this way. That code could be a backdoor.

    If you cannot see the code, then it is not trustworthy and should be deleted. Any theme that has code like this should be considered a virus and shot on sight, and then badmouthed in forums to warn users away from it. If you find one of these in the official WordPress theme directory, then report it and it will be removed.

    There’s a plugin that checks themes for this sort of thing and reports issues like this: https://builtbackwards.com/projects/tac/ Might be worth using.
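
Added example, not part of the original thread and not any poster's or plugin's code: a small Python scanner for the check described in the replies above, flagging PHP files where `eval`/`base64_decode` sit next to a long run of gibberish, plus the `_wp_footer` lookalike call. The 120-character threshold, the extra function names (`gzinflate`, `str_rot13`) and the sample theme tree are assumptions constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# "eval" and "base64" come from the thread; gzinflate and str_rot13 are other
# real PHP functions that are often chained with them to unpack hidden code.
SUSPECT_CALLS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# The "gibberish": a long unbroken run of base64-alphabet characters.
OPAQUE_RUN = re.compile(r"[A-Za-z0-9+/=]{120,}")
# The lookalike template tag reported in this thread (the real tag is wp_footer).
LOOKALIKE = re.compile(r"(?<![A-Za-z0-9])_wp_footer\s*\(")

def scan_file(path):
    """Return a finding for one PHP file, or None when nothing stands out."""
    text = Path(path).read_text(errors="replace")
    calls = sorted({m.group(1).lower() for m in SUSPECT_CALLS.finditer(text)})
    blob = max((len(run) for run in OPAQUE_RUN.findall(text)), default=0)
    lookalike = bool(LOOKALIKE.search(text))
    if not calls and not lookalike:
        return None
    # eval/base64 alone also occurs in legitimate code, so it is only marked
    # for review; a long opaque blob or the lookalike call raises it to high.
    severity = "high" if (calls and blob) or lookalike else "review"
    return {"calls": calls, "blob_len": blob, "lookalike": lookalike, "severity": severity}

def scan_tree(root):
    """Scan every .php file under root; map relative path -> finding."""
    paths = sorted(Path(root).rglob("*.php"))
    found = ((p.relative_to(root).as_posix(), scan_file(p)) for p in paths)
    return {rel: f for rel, f in found if f}

def demo():
    """Build a constructed theme tree with a harmless payload and scan it."""
    blob = base64.b64encode(b"echo 'constructed sample';" * 10).decode()
    files = {
        "clean/footer.php": "<?php wp_footer(); ?>",
        "helper/mail.php": "<?php $raw = base64_decode($_POST['file']); ?>",
        "tampered/footer.php": "<?php _wp_footer(); ?>",
        "hidden/footer.php": f"<?php eval(base64_decode('{blob}')); ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True)
            target.write_text(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Point `scan_tree` at `wp-content/themes` on a copy of the site; a "review" result still needs a human to read the file, since legitimate code also calls `base64_decode`.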

  • The topic ‘WP 2.7 Can Be Hacked… FYI’ is closed to new replies.