Old 04-30-2022, 07:10 PM   #1
femdomdestiny
Confirmed User
 
Join Date: Apr 2007
Posts: 5,112
someone inserted links on my site

Hmm...I've discovered unwanted links on one of my wordpress blogs. It seems they are placed in footer.php. Below is a print screen of the code.

Does anyone have an idea how this was done and how to protect it in the future?
The theme is Generate Press and they are not having a real answer, denying it was a problem with a theme.

This site has no Wordfence plugin installed, but the other one with it had the same problem.

thanks



<div style="display:none">
<p>Are you looking for free Arab porn websites? The Internet is full of porn sites but what's the difference between porn and porno sites? Here are a few things to look out for.
Porn sites feature girls and women that are mostly dressing up to look like women and for men. They are not dressed sensuously or they are not made to look like they are being intimate with their partners.Not only are the girls dressed in something other than a short skirt, they are also often younger than the man who is watching them. And there are times when the young woman in the videos could be his girlfriend.</p>
<p><a href="*ttps://xnxxarabsex.com/categories/سكس-عربي/">arab sex</a></p>
<p><a href="*ttps://sexe-libre.org/pokimane-sex-tape-nudes-twitch-streamer">pokimane nudes</a></p>
<p><a href="*ttps://sexsaoy.com/">arab sex stories</a></p>
<p><a href="*ttps://aflamaljins.com">aflamaljins.com</a></p>
<p><a href="*ttps://russiainporn.com">russiainporn.com</a></p>
<p><a href="*ttps://afdalsex.com/">afdal sex</a></p>
<p><a href="*ttps://overpic.com/">mature sex</a></p>
__________________
Femdom Destiny


--------------------------------------------
ICQ: 463-630-426
email: webmaster(at)femdomdestiny.com
Old 04-30-2022, 08:01 PM   #2
sandman!
Icq: 14420613
 
Join Date: Mar 2001
Location: chicago
Posts: 15,407
Wordfence might be able to clear that up. I would suggest you update all your plugins and change all your passwords also.
__________________
Need WebHosting ? Email me for some great deals [email protected]
Old 04-30-2022, 11:52 PM   #3
zerovic
Confirmed User
 
Join Date: Apr 2010
Posts: 1,017
Hi,

Make sure your Wordpress and plugins are up to date. Not only the site that got injected but all sites on the server.

I would also suggest listing all newly edited files on your host, to find all affected files.

Here's a script that will do this for you

Quote:
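<?php

// Sort an array of rows by the value stored under $key, keeping each row's original key.
function aasort(&$array, $key) {
    $sorter = array();
    $ret = array();
    foreach ($array as $ii => $va) {
        $sorter[$ii] = $va[$key];
    }
    asort($sorter);
    foreach ($sorter as $ii => $va) {
        $ret[$ii] = $array[$ii];
    }
    $array = $ret;
}

// Recursive glob: match $pattern in its own directory and in every subdirectory.
function rglob($pattern, $flags = 0) {
    // glob() can return false on error, so fall back to an empty array
    $files = glob($pattern, $flags) ?: array();
    $dirs = glob(dirname($pattern) . '/*', GLOB_ONLYDIR | GLOB_NOSORT) ?: array();
    foreach ($dirs as $dir) {
        $files = array_merge($files, rglob($dir . '/' . basename($pattern), $flags));
    }
    return $files;
}

$dev = array();

// Collect every .php file under the parent directory together with its modification time
$result = rglob('../*.php');
foreach ($result as $file) {
    $dev[] = array("file" => $file, "date" => date("Y-m-d H:i:s", filemtime($file)));
}

aasort($dev, "date");

foreach ($dev as $test) {
    // add a date here, let's say, 2022-04-20 to list the files modified on or after the 20th of April
    if ($test['date'] > "2022-04-20") {
        // escape the path before printing it into the page; classes instead of repeated ids
        echo "<div class=\"line\"><div class=\"file\">" . htmlspecialchars($test['file']) . "</div><div class=\"date\">" . $test['date'] . "</div></div><br />";
    }
}

?>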
Sorry, it's a bit messy, but it will do the job.

Cheers,
z
__________________
php, html, jquery, javascript, wordpress - contact me at contact at zerovic.com
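
Added example, not part of any post in this thread: file modification times can be reset by whoever changed the file, so a content check is a useful complement to the date listing in post #3. This Python scanner flags hidden elements, like the `display:none` div shown in post #1, that link to hosts other than your own; the function names, hosts and file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Inline styles commonly used to keep an injected link block invisible to visitors.
HIDE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|text-indent)\s*:\s*-\d{3,}", re.I)
OPEN = re.compile(r"<(div|span|p|ul|section|aside)\b[^>]*?\bstyle\s*=\s*([\"'])(.*?)\2[^>]*>", re.I | re.S)
HREF = re.compile(r"href\s*=\s*[\"']\s*([^\"'\s>]+)", re.I)

def element_body(text, m):
    """Text inside the element opened at match m; runs to end of file if never closed."""
    depth, start = 1, m.end()
    for t in re.finditer(rf"<(/?){m.group(1)}\b[^>]*>", text[start:], re.I):
        depth += -1 if t.group(1) else 1
        if depth == 0:
            return text[start:start + t.start()]
    return text[start:]

def scan_file(path, own_hosts):
    """Return (file name, line, external hosts) for each hidden element linking off-site."""
    text = Path(path).read_text(errors="replace")
    findings = []
    for m in OPEN.finditer(text):
        if not HIDE.search(m.group(3)):
            continue
        hosts = {urlparse(u).hostname for u in HREF.findall(element_body(text, m))}
        external = sorted(h for h in hosts if h and h not in own_hosts)
        if external:
            findings.append((Path(path).name, text.count("\n", 0, m.start()) + 1, external))
    return findings

def scan_tree(root, own_hosts):
    return [f for p in sorted(Path(root).rglob("*.php")) for f in scan_file(p, own_hosts)]

def demo():
    """Constructed sample: hidden unclosed div with off-site links vs. a legitimate hidden menu."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "footer.php").write_text(
            '<footer>\n<?php wp_footer(); ?>\n<div style="display:none">\n<p>filler text</p>\n'
            '<p><a href="https://spam-one.example/cat/">anchor one</a></p>\n'
            '<p><a href="https://spam-two.example">anchor two</a></p>\n')
        Path(d, "header.php").write_text(
            '<ul style="display: none" id="mobile-menu">\n'
            '<li><a href="https://myblog.example/about">About</a></li>\n</ul>\n')
        return scan_tree(d, own_hosts={"myblog.example"})

if __name__ == "__main__":
    print(demo())
```

To use it on a real install, call `scan_tree` on the WordPress directory and pass the set of hostnames the site legitimately links to from hidden markup.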
Old 05-01-2022, 07:12 AM   #4
Denny
Too lazy to set a custom title
 
Join Date: Feb 2005
Posts: 17,070
https://www.malcare.com/blog/spam-li...ion-wordpress/
Old 05-01-2022, 10:29 AM   #5
jscott
jscizzle
 
Join Date: Feb 2001
Location: Taipei
Posts: 23,166
I've had that before; for me it was some old outdated plugins that were exploited.
Good luck fixing, it sure sucks these hacker/scammers stealing space on your sites
__________________
“If you think tough men are dangerous, wait until you see what weak men are capable of.”
—Jordan B. Peterson

Listen to Pomp tell why is Bitcoin important
Old 05-01-2022, 11:38 AM   #6
hausarzt
Confirmed User
 
Join Date: Jan 2011
Location: Somewhere in Germany
Posts: 815
Also make sure not to use any nulled themes and plugins. Only buy software from verified sources.
__________________
I know, my english is bad. But your german might be even worse
Old 05-01-2022, 12:28 PM   #7
AmeliaG
Too lazy to set a custom title
 
 
Join Date: Jan 2003
Location: Los Angeles
Posts: 10,383
It is likely malicious code in little bits of Javascript. WordFence may be able to tell you the specific files, but, to keep them from coming back, you need to update everything, delete unused themes like old exploitable default themes, and upgrade to current php. And report whatever affiliate is doing this to any program where you see the affiliate ID.

Hope this helps. Good luck.
Old 05-02-2022, 05:30 AM   #8
lock
Confirmed User
 
Join Date: Jul 2003
Location: Australia
Posts: 5,065
Wordpress is just non stop problem after problem. I like it as easy but always trashed by hackers.
__________________
Traffic.Tools - 40+ Free Tools
Free.Marketing - 150+ Free Tools
Submission.Tools
- 20+ Free Tools
Old 05-02-2022, 10:09 AM   #9
zijlstravideo
Confirmed User
 
Join Date: Sep 2013
Location: The Netherlands
Posts: 805
Quote:
Originally Posted by AmeliaG View Post
report whatever affiliate is doing this to any program where you see the affiliate ID.
See Clickadu javascript embeds on those sites:
h*ttps://stagepopkek.com/lv/esnk/1836018/code.js
h*ttps://mafrarc3e9h.com/lv/esnk/1839026/code.js
etc etc

I think the number in the javascript url is the affiliate's website/domain ID (1836018, 1839026 etc).
__________________
Contact: email
Old 05-02-2022, 11:13 PM   #10
natkejs
Confirmed User
 
Join Date: Jan 2003
Location: Nomad Land
Posts: 1,554
Would be interesting to know what other plugins you are running. I've seen similar issues in the past with certain cache plugins.

Do make sure your plugins are updated and Google each one of them to see if you find people with similar issues.
Old 05-03-2022, 11:37 AM   #11
lakerslive
Confirmed User
 
Join Date: Aug 2012
Posts: 929
It's XSS injection. I've had this happen ACROSS my network of adult porn blog sites.

I tried all the plugins, etc bs none will work

Solution: GTFO of wordpress!

I had a custom built script for myself. Fast, no updates required ever and open source. NO MORE worrying about XSS injections ever!
Old 05-03-2022, 02:04 PM   #12
AmeliaG
Too lazy to set a custom title
 
 
Join Date: Jan 2003
Location: Los Angeles
Posts: 10,383
Quote:
Originally Posted by natkejs View Post
Would be interesting to know what other plugins you are running. I've seen similar issues in the past with certain cache plugins.

Do make sure your plugins are updated and Google each one of them to see if you find people with similar issues.
Do you recall which cache plugins allowed the exploit or were the exploit files just hiding in the cache?
Old 05-03-2022, 02:43 PM   #13
brassmonkey
Pay It Forward
 
Join Date: Sep 2005
Location: Yo Mama House
Posts: 75,440
secure your admin. there are files still that reveal info
__________________
EMAIL ==>[email protected] ==> #NOBIDEN2024
TRUMP 2024!!! | END DACA!!!! | HCR2060 <= ILLEGAL ALIENS!!!!...👮
=> TRUMPS PAYDAY!!!!... - Support The Laken Riley Act!!! - Trump Nobel Prize...
Old 05-03-2022, 03:57 PM   #14
adultchatpay
Let's Make Money
 
Join Date: Dec 2008
Posts: 8,784
Quote:
Originally Posted by hausarzt View Post
Also make sure not to use any nulled themes and plugins. Only buy software from verified sources.
Agree, they usually inject a lot of shits.
Old 05-03-2022, 04:33 PM   #15
RyuLion
 
Join Date: Mar 2003
Location: San Diego
Posts: 32,058
Also make sure none of your files are set with 777 permissions.
Old 05-03-2022, 07:14 PM   #16
natkejs
Confirmed User
 
Join Date: Jan 2003
Location: Nomad Land
Posts: 1,554
Quote:
Originally Posted by AmeliaG View Post
Do you recall which cache plugins allowed the exploit or were the exploit files just hiding in the cache?
Can't remember, was either WP Super Cache or W3 Total Cache. It was years ago and the problem was fixed in the next update, think 2016 or something like this.

The code was injected into cached files so luckily it was quite easy to turn off caching and clean those directories.