WordPress site hacked

  • I have been helping support a server and we are having a problem with a WordPress site we have. Been reading about all the Cialis and Viagra stuff that has been popping up on sites and of course ours has it also. It only seems to show up when you rss the site. When I rss it with google reader I see the Cialis and Viagra stuff but it is not a link, just text. The site is https://www.lib.clemson.edu/weblog/. When I look at it in a google feed reader I see this..”ow To Buy ViagraOnline Pharmacy CialisCialis ViagraCialis Online CanadaCialis No PrescriptionViagra Sales OnlineDiscount CialisViagra By MailViagra RxGeneric ViagraBuy Viagra CanadaCanadian Pharmacy ViagraViagra For Sale OnlineViagra LevitraBuy-cialis.htmCialis ForumBuy Cialis CheapCialis PurchaseViagra UseCialis By MailCheap Generic CialisCialis On-lineLow Cost CialisViagra DoseViagra 25mgFree CialisCialis Rug Side EffectsBuy-cialis.htmViagra PfizerBuy Discount CialisGeneric Viagra For SaleViagra PrescriptionsCialis ViagraTadalafil CialisProfessional CialisHow To […]”.

    Problem is I can’t find where it is calling it from. I think we have closed up the backddoor where it came in at. We are running 2.82. If I need to add anything else please let me know and thanks ahead of time for any help…

Viewing 3 replies - 1 through 3 (of 3 total)

  • It’s hidden in your post titled “Test”, for starters.

    <div id="block_code"><font style="overflow: hidden; position: absolute; height: 0pt; width: 0pt;">

    About five miles of spam attached to that.

    Thread Starter rwkyle

    (@rwkyle)

    Thanks for the help ClaytonJames but where did you find that? I can’t find that string anywhere. I have deleted the test posts and the text still shows up on the last legitimate post but I still can’t find the string you posted.

    Thanks.

    I am fighting the same hack. What is happening is code is being run from your cgi-bin directory. You have to find the cgi-file and then find out which template file it is in.

    For example, this is how I found mine:

    find . -name \*.php -exec grep -l “cgi-bin\/wp-head” {} \;

    I am still unsure how they hacked the code at this point though.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘WordPress site hacked’ is closed to new replies.