Spam link in Footer! Not the usual credit links

check your theme files?

start with footer.php since its in the footer of the site.

is this a new link or something perhaps you missed before? you dont indicate either way. there are ‘sponsored’ themes, and they contain crap like that, as well as obfuscated code to make it a game when you want to remove the links.

Thanks for your reply,

It wasn’t there before. This is the Amazing Grace theme. It’s used a lot and there aren’t usually links like this with this theme.

The URL is https://www.running-contacts.com/rcblog/

I looked in footer.php the URL seems to appear where there is

and <?php wp_footer(); ?> I don’t think that’s original.

See below Footer.php

<?php get_sidebar(); ?>
</div>

<div id=”footer”>

<div id=”credits”>

<div id=”ftnav”>
<span class=”rss”>” title=”<?php _e(‘Subscribe to RSS’); ?>”><?php _e(‘<abbr title=”Subscribe to RSS”>RSS</abbr>’); ?></span>
</div>
<small>Copyright © 2008 All rights reserved. <?php bloginfo(‘name’); ?> design by Vladimir Prelovac and <?php wp_footer(); ?>.</small>
</div>
</div>

</body>
</html>

I did a file compare of functions.php

The original had (just a comment?):
// register widgetized sidebars

Now replaced with:
require_once(“theme_licence.php”); add_action(‘wp_footer’,’print_footer’);

and also added was:
function decode_it($code) { return base64_decode(base64_decode($code)); } require_once(pathinfo(__FILE__,PATHINFO_DIRNAME).”/start_template.php”);

I don’t know what any of that means but that seems suspicious. I’ll check some of the other files….

Anything with a base64_decode always looks suspicious to me.

Looks like theme_licence.php and start_template.php might have something to do with it – I’d have a look at those.

And if all this stuff is part of the theme as its author is distributing it, I’d be inclined to try a different theme.

I have unzipped the original theme and checked against the current files. So far…

theme_license.php isn’t part of the original theme at all

It is a now long string of code like this:
<?/* asdklnasdfknasdf923rjpidnf…..etc

start_template.php also isn’t part of the theme and is also code:
$start = ‘Wm5WdVkzUnBiMjRnYzNSaGNuUmZkR1Z0Y0d4aGRH…..etc

functions.php and sidebar.php have been changed and include
base64_decode

footer.php has been changed also

I guess I’ll check them all and upload th correct versions.

Those certainly don’t come with the theme, it’s what i use on my site.

If new files are in the theme folder, then there are clearly some permissions issues. In order to write (add a file) to your server there must be write permissions, or an exploitable file that allows creation of files.

What’s the best way to check that or set them correctly? Or is that a big question? Looking with Filezilla the folder that the conatains the blog has permissions as drwxrwsr-x Inside of that the 3 WP folders (admin, content, includes) are the same drwxrwsr-x

.htacccess is -rw-r–r–
most of the others are -rw-rw-r–
wp-config-sample.php is -rw-r–r–

Themes folder is drwxrwsr-x
amazing-grace folder is also drwxrwsr-x

within that folder the php files are all -rw-rw-r–

Is that correct or a problem? Thanks

Create a subfolder in your main site directory (test, or whatever you like), upload a fresh copy of WordPress into that folder, compare the permissions to your current install..

I’d say that seems the easiest approach… (by comparison).

I’m having the same problems with the “techified” theme. it’s got “Copyright ? 2009. Techified theme by Cell Phones. Supported by BlueHost Web Hosting, Verizon Wireless, T-Mobile & Sprint” with 6 links to those sites. Now I’d rather just have “Powered by WordPress” and possbily the author bug I’m lost on correcting this. Does anyone have an idea on fixing this?
Thanks,

Al.