Message from Lynn this AM: As best I could determine last night, the spam loads aren’t meant to display on a monitor, they’re meant to fool search engine spiders into believing that legitimate sites are linking to the spammer’s sites, thereby legitimatizing the spam sites for SEO.  It looks like you’ve been hit by a zombie spammer….none of the injected links are valid and appear to date back to 2008 or earlier when Harvard University’s servers were hacked.

Which brings us to the one I totally forgot to thank last night: Lynn. She was on it like a hawk when I emailed her yesterday.

I’d let the matter slide, intending to attack it with a fresh brain today. I’d figured, from the form it took, that it was nothing particularly dangerous to anyone and the info I was getting/finding all pointed to code that was harmless to visitors and designed to affect search engines. It’s the sort of thing that can get a site “blackballed” by search engines, so I wanted to take care of it, but I also wanted some sleep. (Nice thing, sleep.)

But a late-night email from Lynn jerked my brain awake and my default from html-speak into php-speak, and I knew I wouldn’t sleep until I found the answer to the question.

I went searching the php files most likely to have been “infected.” She said it usually manifested in the footer.php, and I did check that first. Nothing suspicious there, but then I realized…footer? Why the footer? Of course…these pages are created on the fly. It had to be something common to every page, not just the posting page. The next file common to all pages and posts is the header. I checked it and there it was, bold as brass.

So, no need for you visitors to worry, and no need for me to worry.

All is well!

3 Responses to “I was hit by a zoooommmmbie….”

  1. Knnn Envoy says:

    Just FYI: I took a look at the page source (right-click -> View Source) for a couple of pages on this blog, and I still see the array (look for “s = Array” in the page source to locate this stuff) and the injected links in a fresh view of the page source. You may want to have another look at your admin password, admin cookie, and have a look at the security and permissions on your nested folders. See if you have any unintended sharing vulnerabilities. Also, I’d suggest a search for “wordpress hidden links injection” for some interesting approaches that people have taken to eliminating the problem. Apparently, there are ways to clear the issue out entirely and permanently patch the holes made when the hack occurred. Good Luck!!

    • Jane says:

      Thanks! I just realized the problem was back and went into the header file a bit more carefully. There was some more code I hadn’t seen. Don’t know if this will solve it, but at least it was one more step. The rest of the code, at least in this file, appears to be legit. Who knows what else is hidden in other files. Grrrr…. I’ll for certain go check the search you suggest.

      Gad, this is annoying.

  2. mitha says:

    Yikes! So glad you were able to find and fix things!

    And so very sorry to hear about your friend. (hugs) to you, CJ, and OSG.
