Div id='hideMeya' added to the source code of my website

Hello,

I have a WordPress website, along with some plugins. I use the wordpress-seo plugin for SEO purposes.

While in Google Webmaster Tools, I found an issue with my sitemap. On exploring further, I found in the source that some code gets added to the bottom of my sitemap, which starts with a div having id hideMeya.

It then adds a few links and a script. I have googled the problem and found some idea of it. I have downloaded all the files, but I don’t see a mention of this code anywhere. I have searched for all base64 calls, but found nothing suspicious.

Another way my problem is unique is that in many independent files, like JS files, the crawler found the code. But on downloading the file, there is nothing.

Additionally, the code is visible in the source only in the Safari browser, and nothing shows in the Firefox and Chrome browsers.

Can anyone please help me with this issue? It seems unique of its type to me.

Regards
Zach

Are you able to post a link? It would be helpful to be able to have a look under the hood.

As you say, searching for " id hideMeya" brings up 14,000 results. There is a good explanation of it on this website.
It tells you what to look for and what to delete, but it does not show how to prevent it happening again. I personally would check there is not a problem with my backup and upload that, changing all the passwords for WordPress and control panel etc.

@ralph.m Here is a link to the website: http://genpie.com/. I hope this helps. But again I would like to clarify that the issue does not show in the source or on the website in Firefox or Chrome browsers. But it shows in Safari and Internet Explorer browsers. Also, it is recognized by Google Webmaster Tools. So, the problem is unique of its type. Exploring it further, it seems that the code does not actually exist on the pages, but gets added at run time. I am not sure though. But I did all the possible checks on the files. Please suggest if you think I may have missed something. I think there must be many others with the same or a similar problem. But I am unable to find the same case as mine so far.

@Rubble Yes, I did already look into this URL and a few more as well. But so far no help. Many of the links Google shows are infected links themselves, instead of discussion or issue links.

I’m using Firefox and I can see it in the source code - and on the page, as I have JavaScript disabled.

I just checked again, with JavaScript both enabled and disabled, but I still do not see it. Are you looking at the home page or some other page? I am sorry if I am still missing anything.

But so far no help.

How can it be no help; it tells you what to do.

But I did all the possible checks on the files.

I have checked your page source and it is still there. If you are looking for a big red button to push that will remove it I am afraid you are out of luck.

As I said the best way is to reinstall a backup and change all your passwords.

Home page. With JS disabled:

(Although now I’ve checked, and the same garbage appears on every page.)

I am not looking for a red button to clear it for me. I am a developer myself and have already cleared this kind of code from lots of websites (Not all were developed by myself :slight_smile: So, it’s not a common thing with me).

I have been working on this issue for the last 3-4 days and I have tried so many ways to explore the issue. But this time the issue seemed a little tricky to me. I know reinstalling is a possible solution. But before that I wanted to explore the issue further and also wanted to share the issue with the community, so as to find out if there is something different. That may help me and many others as well.

But maybe I need to do some more work on the issue. I will need one more day. I will explore on my final options. I will share the results with community.

@TechnoBear I am really sorry. I still do not see this on my side either way. But I assume it may be something related to caching on my side. I will check in that manner. Thanks.

I would like to update the community that I have resolved the problem I had on the site. In fact the right words are that I have removed the problem from the site. But I am still not able to figure out the exact reason for this. I replaced the wp-admin and wp-includes folders with the latest WordPress 3.8.1 folders. This actually resolved the problem for me. But even on further exploring, I was not able to find the suspicious code inside all the files. I had already downloaded the full site with everything on the server, scanned it with antivirus as well, manually reviewed a lot of files, and checked for suspicious base64_encode calls.

But I concluded something while reviewing the files, which raised a doubt in my mind. I am not sure whether I am thinking the right way or not. A few days back I upgraded the site to the latest WP version 3.8.1. But when I compared the full version of WP 3.8.1, it was a lot different from the one I had, in terms of code within the files. The second suspicious thing is that it is in the wp-admin or wp-includes folder, where we normally do not upload or modify anything otherwise. Is it possible the hack entered while upgrading my site to the WP version? I am not raising a question on WP, but just wanted to consider this thing.

I will come up with the actual point of issue when I have figured that out.

manishaneja,

You were HACKED and it’s likely that the hacker had access to your database. In other words, IMMEDIATELY look at your admin table and delete all but your own - then change your password!

Regards,

DK

Off Topic:

“Hacked” or “cracked”? I know hacked has become the go-to word, so perhaps it doesn’t matter any more, but I gather that a breach like this is really a case of being cracked—like cracking the code etc.

Hello Everyone,

I found the actual file and the problematic code within that. The file name is load.php inside wp-includes folder. Here is the URL to code that was present there and created all the problem:

<snip>

I was not able to decode my code, but here is a page that shows the code similar to what I had:

<snip>

I hope this helps someone with a similar problem. But again, this seems to be some relatively new trend to me, as we all used to have base64_encode calls on different pages of a site and that was just easy to find. While, it took so many days to find this particular code.
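The comparison that located the problem in this thread (the live wp-admin and wp-includes folders against a clean WordPress copy) is written out here as an added example; it is not code from any poster. It assumes the clean tree is an unpacked official archive of the same version as the site, and the sample trees and the file name zz-constructed-extra.php are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # the two directories replaced in the thread

def hash_tree(root: Path) -> dict:
    """Map relative paths such as 'wp-includes/load.php' to SHA-256 digests."""
    digests = {}
    for top in CORE_DIRS:
        for p in sorted((root / top).rglob("*")):
            if p.is_file():
                rel = p.relative_to(root).as_posix()
                digests[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests

def compare_core(live: Path, clean: Path) -> dict:
    """List core files that differ from, are extra to, or are absent from the clean copy."""
    live_h, clean_h = hash_tree(live), hash_tree(clean)
    return {
        "modified": sorted(f for f in live_h if f in clean_h and live_h[f] != clean_h[f]),
        "unexpected": sorted(set(live_h) - set(clean_h)),
        "missing": sorted(set(clean_h) - set(live_h)),
    }

def build_sample(base: Path):
    """Constructed sample: two tiny trees standing in for the live site and a clean download."""
    files = {
        "wp-includes/load.php": "<?php // core loader\n",
        "wp-includes/version.php": "<?php $wp_version = '3.8.1';\n",
        "wp-admin/index.php": "<?php // dashboard\n",
    }
    for name in ("live", "clean"):
        for rel, body in files.items():
            target = base / name / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # Simulate the tampering: extra code appended to load.php and one dropped file.
    with (base / "live" / "wp-includes" / "load.php").open("a") as fh:
        fh.write("/* constructed stand-in for injected code */\n")
    (base / "live" / "wp-includes" / "zz-constructed-extra.php").write_text("<?php\n")
    return base / "live", base / "clean"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare_core(*build_sample(Path(tmp))).items():
            print(kind, paths)
```

wp-content is left out on purpose, because themes, plugins and uploads legitimately differ from a stock archive and need a separate review.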

I see my post related to further details on the problem has been deleted. Can someone please clarify, if I broke the rules of community or is there some other issue?

It wasn’t deleted, just in moderation while we checked the links. You haven’t broken any rules, but we’ve removed the links, as we really don’t want to be publicising malicious code on the forums.

Ralph,

Hacked or cracked? I don’t believe that anyone had to crack any passwords - especially when the op says that he hadn’t deleted the install folder (the load.php file). That’s a part of the installation directions which MUST be followed OR ANYONE can access that file to gain control over the website.

For me, “Hacked” says that someone has gained control over the website (whether using a valid file which should have been deleted or had passwords cracked). To me, that website is POISON for anyone who visits because the webmaster has no clue whether any malware still exists (not to mention access via “extra” admin entries in the database). This op MUST delete everything and start over BUT follow the installation directions to their conclusion.

Regards,

DK

DK,

the op says that he hadn’t deleted the install folder (the load.php file). That’s a part of the installation directions which MUST be followed

Do you mean load.php had to be deleted during (or after) the installation of WordPress? I don’t agree. I have followed the installation process as explained on the WordPress site. I don’t see a mention that load.php or some other file needs to be deleted to complete the installation of WordPress. Though I know it’s true for Joomla and maybe some other CMS as well.

This is the page I referred to: http://codex.wordpress.org/Installing_WordPress#Detailed_Instructions

Also, I checked in load.php and it seems to have some important code and is also required by wp-settings.php on root. So, I don’t agree, it should have been deleted. Though I will accept that there can be something weak from my side, which made it happen, yet not exactly this.

Also, to clarify, I did not find any extra users in DB table. So, I don’t confirm that admin was accessed. I am not an expert with hacking, but this is what I see.

I’ve been getting this also on a few of my websites! However, when I log in to the admin panel of WordPress, I click “view-page-source” in another tab open with the website and then it’s gone!
Below is the code I copied from the source. I tried to place some “div ID” remove JavaScript, but it is still showing up!

I see this bad code in the “source-code” for sites :
MOBLSOLDIER.COM
MOBILELEGACIES.COM
MOBLSAVIOR.COM

But it’s NOT there every time I check the source code?


[noparse]<div id='hideMeya'> [spam paragraphs with embedded pharmacy and payday-loan links removed] </div><script type='text/javascript'>if(document.getElementById('hideMeya') != null){document.getElementById('hideMeya').style.visibility = 'hidden';document.getElementById('hideMeya').style.display = 'none';}</script>[/noparse]
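Several posts above report that the hideMeya block is served to some clients (Safari, Internet Explorer, Google's crawler) and not to others. The following added example, which is not code from any poster, requests one URL under several User-Agent headers and reports where the marker appears; the User-Agent strings and the local demo server are constructed so that it runs offline.

```python
import socketserver
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler

MARKER = "hideMeya"  # id of the injected div reported in the thread
AGENTS = {  # constructed sample User-Agent strings
    "firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0",
    "safari": "Mozilla/5.0 (Macintosh) AppleWebKit/537.73 (KHTML, like Gecko) Safari/537.73",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # direct, no proxy

def marker_by_agent(url, agents=AGENTS, marker=MARKER):
    """Fetch url once per User-Agent and return {agent_name: marker_present}."""
    seen = {}
    for name, ua in agents.items():
        req = urllib.request.Request(url, headers={"User-Agent": ua, "Cache-Control": "no-cache"})
        with OPENER.open(req, timeout=10) as resp:
            seen[name] = marker in resp.read().decode("utf-8", "replace")
    return seen

def is_cloaked(seen):
    return len(set(seen.values())) > 1  # some clients get the marker, others do not

class CloakingDemo(BaseHTTPRequestHandler):
    """Constructed local server that imitates the behaviour described in the thread."""
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        body = "<html><body>page</body></html>"
        if "Googlebot" in ua or "Safari" in ua:
            body += "<div id='hideMeya'>[injected links]</div>"
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo():
    server = socketserver.TCPServer(("127.0.0.1", 0), CloakingDemo)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return marker_by_agent(f"http://127.0.0.1:{server.server_address[1]}/")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    result = run_demo()
    print(result, "cloaked:", is_cloaked(result))
```

Against a real site, call marker_by_agent with the page or sitemap URL; a mixed result means the view in one browser cannot be taken as proof that the site is clean.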


Hi Bigfootbud, and welcome to the forums. :slight_smile: I’ve had a look at several pages on the sites you listed, and I can see the garbage in the source code on every one of them.

I’m not quite sure what you mean by that, but if your sites have been hacked, then you’ll need to do a thorough cleanup to remove the malicious stuff, rather than just try to disguise it. dklynn has written a helpful guide to recovering from an attack, and if you need any more help, just ask.

I posted a link to a webpage showing how to clear up the original poster’s problem in post #3.

The OP decided my link was not the answer but later on found it was in post #13!

If you read the thread fully and my link you should get your answer.