Help! WordPress Link Injection

My site hpathy.com is facing a link injection attack. The links are only visible to search engines and not in browsers and I realized this on seeing a site cache page.

I am unable to find its source and need help.

  • minglemooch
    • Site Builder, Child of Zeus

    Hi @Hpathy

    Mmmm! Sounds familiar. This also happened to me once. It doesn't have any effect in the browsers BUT whenever you link to your site from a search engine it redirects to something else or says the site is a bad site.

    Not to worry, usually what happens is that a hacker injected some code in your wp-config.php file.

    Just go to your wp-config.php file and look somewhere at the beginning of the file for any bad coding like Base64 or something like that
    (Usually a very long code)

    Just delete that coding and you'll be fine again.

    To stop that from happening again I suggest that you change the file permission to 400 and install a plugin called:

    BulletProof Security http://wordpress.org/extend/plugins/bulletproof-security/

    Let me know if that helps.

    Thanks
    MingleMooch

  • minglemooch
    • Site Builder, Child of Zeus

    Here is another solution for you:

    - Log on to your server via SSH (FTP will not work for this)
    - Navigate to your blog directory
    - Type this command in your file search:
    grep -R --include='*.php' "base64" . | awk '{ print $1 }'

    What this does is search for instances of the string "base64" in all your PHP files of your blog, then shrink it down so that it doesn’t fill up your whole screen. If you see nothing come up, you’re probably ok. If you see anything, it might mean you’re infected (if you see a bunch of things show up, you’re most certainly infected).

    Let’s assume you found a couple results. We need to see if they’re infected, so pick a couple at random and inspect them.

    You’re looking for “eval(base64_decode(….” in the beginning:

    If you found any of that coding, just delete it and all will be good.

    If you still struggle I could have a look for you.

    Thanks
    MingleMooch

  • Arun Basil Lal
    • New Recruit

    Hey @Hpathy,

    I have had this and it was some base64 code in the index.php (of WordPress installation, not theme).

    Search for such instances of base64 or even better report this to your host. They should be able to search for it and point it out for you. I was (and am) on HostGator at that time, and they gave me a huge list which helped me remove it completely.

    Good luck!
