Injected HTML on page Hack
-
I am trying to fix a weird issue concerning some text which shows up over the top of images and valid text. The text blocks are links but I don’t know how they are getting in or where they come from. The site has recently been hacked. See this page for example.
In firebug’s inspector, the code block that creates these links is nested in an article tag in the related posts section of the page. The div is position:absolute to move it up the page. The text block tends to jump up and down occasionally.
It’s been nearly a week since this was first spotted.
Here is the history of how I tried to fix it.
First updated WordPress, all plugins and installed Wordfence. This made the text blocks go away and it appeared fixed, but about an hour later they were back.Next deleted all themes not being used. Installed Sucuri and ran malware scan but this did not find anything. By this time I had already located and removed what I discovered to be a back-door exploit file (2 in fact). Removed many other files named LICENSE.php, error_log.txt that appeared many times throughout the file system. Checking against a fresh copy of WordPress found and removed several other files that appeared malicious. All these measures did not remove the text.
Looked in the database and the codebase for words from the text blocks (which is in German incidentally). Found nothing except the sitemap.xml file was full of these rogue links to German sounding site locations. Deleted the sitemap.xml file.
Finally after a full back-up deleted everything out of the root directory for the site except the wp-content folder and reinstalled WordPress from scratch. The site came back without the funny text-blocks for about one hour they did not appear. As soon as the site was back up we changed the log in password and did some configuration of Wordfence and Sucuri. After what could have been an hour the text was back. Changed the database password, albeit after the fact. We are back to square one and the only option seems to be to start again creating the content, which will set us back a week.
Does anyone recognize this or managed to solve similar issue. I would be very greatful to here about it if so. Needless to say I’ve been constantly searching and reading posts but while some were helpful in troubleshooting, we cannot cure it yet.
- The topic ‘Injected HTML on page Hack’ is closed to new replies.