A Proorocu asked:

Viagra links in header

Hi experts,

Recently I saw something weird in my blog:

Some Viagra and other spam links appear in the header. The weird part is that they are visible only on Google; if you browse the site they don't appear. I skimmed the source code for them but I couldn't find anything strange.
Can you guys help me?

PS I run WordPress 3.3.1 with the theme: zBench 1.2.3

SOLUTION by Mohamed Magdy: only available to Experts Exchange members.

ASKER CERTIFIED SOLUTION by Aaron Tomosky: only available to Experts Exchange members.

A Proorocu (ASKER):

I have access to everything (FTP / source code / etc.).
So I just download all the content and scan it with an ordinary AV? (I have NOD32 on my station.)

@aarontomosky I have to search for some odd links to a .js file in the source code? If so, where should I look?

Start with loading the page in Firefox. Not your local code but the actual site. Press Ctrl+U to view page source. Look for fishiness.

With the NoScript plugin, you will get a little no-sign icon in the status bar of the browser. Click that to see all the JS files getting loaded. Sometimes they will chain stuff so you won't see it in the page source but NoScript will find it.

Nothing weird there.

I have js:
http://www.aurelp.com/wp-includes/js/l10n.js
http://www.aurelp.com/wp-includes/js/admin-bar.js

Where can I find the NoScript plugin? (I'm kinda noob in the WordPress thing :) )

It has nothing to do with WordPress. It's a security plugin for Firefox. I personally use this all the time. You just allow the sites you want to visit when you visit them and you're pretty much protected from any malicious drive-by scripts.
https://addons.mozilla.org/en-US/firefox/addon/noscript/

OK, I ran it and I get this in the bottom of the window: Scripts Currently Forbidden | <SCRIPT>: 1 | <OBJECT>: 0. How can I see what it actually blocked?

Click the icon for a dropup list of scripts.

WordPress releases patches, and the virus guys write one using the exploit they just fixed. People don't update WordPress because they are usually set up by a techy friend and they just write a blog. So it's a large easy target. I've seen it hit with infected JS, that then grab your FTP passwords and infect your other websites you have access to. Pretty wicked.

OK, so sucuri.net found the infected thing (http://sitecheck.sucuri.net/results/aurelp.com).

But in order to solve my problem it will cost 89$. Any idea how I can manually remove it?

No, no... don't pay them, just use it for diagnostics.

This report tells us that it's not an infected JavaScript file, because the scanner would have read and reported it. So the bad news is there is definitely a hole in the PHP somewhere. The scanner also reports you are running an out-of-date version of WordPress, so the first step is to upgrade to current.

Next, check the page in the visual editor and switch to HTML mode to see if the spam content is visible. If so, delete it.

Then, check and see if there is a newer version of your theme available and upgrade to that version if so.

Finally, change all passwords (hosting, database, WordPress).

After all that, you should be clean. If the spam comes back, then you have a hole in the server or database.

Also change your FTP password. Then scan your computer since you view your site a lot, you may have gotten something.

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
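
The symptom in the question (spam links that show up on Google but not when browsing the site) can be checked by diffing the links in two saved copies of the same page. This is an added example, not code from anyone in the thread. It assumes the injected code serves different HTML to search crawlers than to browsers, which the thread does not confirm, and that you have saved both copies yourself; the host names and sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) for every <a> element in a page."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None

def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links

def cloaked_links(browser_html, crawler_html, site_host):
    """Return links present only in the crawler copy of the page."""
    seen = {href for href, _ in extract_links(browser_html)}
    report = []
    for href, text in extract_links(crawler_html):
        if href in seen:
            continue
        host = (urlparse(href).hostname or "").lower()
        internal = host in ("", site_host) or host.endswith("." + site_host)
        report.append({"href": href, "text": text, "off_site": not internal})
    return report

# Constructed sample input (hypothetical hosts under the reserved .example TLD).
BROWSER_VIEW = '<div id="header"><a href="/">My Blog</a> <a href="/about/">About</a></div>'
CRAWLER_VIEW = ('<div id="header"><a href="/">My Blog</a> <a href="/about/">About</a>'
                '<a href="http://pills.shop.example/buy">cheap\n pills</a>'
                '<a href="/?p=991">order now</a></div>')

if __name__ == "__main__":
    print(*cloaked_links(BROWSER_VIEW, CRAWLER_VIEW, "blog.example"), sep="\n")
```

Any off-site link that appears only in the crawler copy is worth tracing back to the theme or core PHP file that emits the header.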