I have a WordPress website, along with some plugins. I use the wordpress-seo plugin for SEO purposes.
While in Google Webmaster Tools, I found an issue with my sitemap. On exploring further, I found in the source that some code gets added to the bottom of my sitemap, which starts with a div having id hideMeya.
It then adds a few links and a script. I have googled the problem and found some idea of what it is. I have downloaded all the files. But I don’t see a mention of this code anywhere. I have searched for all base64 calls, but found nothing suspicious.
Another way my problem is unique is that the crawler found the code in many independent files, like a JS file. But on downloading the file, there is nothing.
Additionally, the code is visible in the source only in the Safari browser, and nothing shows in the Firefox and Chrome browsers.
Can anyone please help me with this issue? This seems unique of its type to me.
As you say, searching for " id hideMeya" brings up 14,000 results. There is a good explanation of it on this website.
It tells you what to look for and what to delete, but it does not show how to prevent it happening again. I personally would check there is not a problem with my backup and upload that, changing all the passwords for WordPress, the control panel etc.
@ralph.m Here is a link to the website: http://genpie.com/. I hope this helps. But again, I would like to clarify that the issue does not show in the source or on the website in the Firefox or Chrome browsers. But it shows in the Safari and Internet Explorer browsers. Also, it is recognized by Google Webmaster Tools. So, the problem is unique of its type. Exploring it further, it seems that the code does not actually exist on the pages, but gets added at run time. I am not sure though. But I did all the possible checks on the files. Please suggest if you think I may have missed something. I think there must be many others with the same or a similar problem. But I am unable to find the same case as mine so far.
@Rubble Yes, I did already look into this URL and a few more as well. But so far no help. Many of the links Google shows are infected links themselves, instead of links to discussions or issues.
I am not looking for a red button to clear it for me. I am a developer myself and have already cleared this kind of code from lots of websites (not all were developed by myself, so it's not a common thing with me).
I have been working on this issue for the last 3-4 days and I have tried so many ways to explore the issue. But this time the issue seemed a little tricky to me. I know reinstalling is a possible solution. But before that I wanted to explore the issue further and also wanted to share the issue with the community, so as to find out if there is something different. That may help me and many others as well.
But maybe I need to do some more work on the issue. I will need one more day. I will explore my final options. I will share the results with the community.
@TechnoBear I am really sorry. I still do not see this on my side either way. But I assume it may be something related to caching on my side. I will check in that manner. Thanks.
I would like to update the community that I have resolved the problem I had on the site. In fact, the right words are that I have removed the problem from the site. But I am still not able to figure out the exact reason for this. I replaced the wp-admin and wp-includes folders with the latest WordPress 3.8.1 folders. This actually resolved the problem for me. But even on further exploring, I was not able to find the suspicious code inside all the files. I had already downloaded the full site with everything on the server, scanned it with antivirus as well, manually reviewed a lot of files, and checked for suspicious base64_encode calls.
But I concluded something while reviewing the files which raised a doubt in my mind. I am not sure whether I am thinking the right way or not. A few days back I upgraded the site to the latest WP version, 3.8.1. But when I compared it with the full version of WP 3.8.1, it was a lot different from the one I had, in terms of code within the files. Second, the suspicious thing is in the wp-admin or wp-includes folder, where we normally do not upload or modify anything. Is it possible the hack entered while upgrading my site to the WP version? I am not raising a question about WP, but just wanted to consider this.
I will come back with the actual point of the issue when I have figured that out.
“Hacked” or “cracked”? I know hacked has become the go-to word, so perhaps it doesn’t matter any more, but I gather that a breach like this is really a case of being cracked—like cracking the code etc.
I found the actual file and the problematic code within it. The file name is load.php inside the wp-includes folder. Here is the URL to the code that was present there and created all the problems:
I was not able to decode my code, but here is a page that shows code similar to what I had:
I hope this helps someone with a similar problem. But again, this seems to be some relatively new trend to me, as we all used to have base64_encode calls on different pages of a site and that was just easy to find. Whereas it took so many days to find this particular code.
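Added example, not part of any post in this thread: the comparison described above (the live wp-admin and wp-includes folders against a fresh download of the same WordPress version) can be scripted so that a changed core file such as wp-includes/load.php is reported directly, with no need to search for known strings like base64 calls. The function names and the constructed sample trees are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

# wp-content is skipped: themes, plugins and uploads legitimately differ.
CORE_DIRS = ("wp-admin", "wp-includes")


def hash_tree(root, subdirs=CORE_DIRS):
    """Return {relative_path: sha256_hex} for every file under the core dirs."""
    root = Path(root)
    digests = {}
    for sub in subdirs:
        for path in sorted((root / sub).rglob("*")):
            if path.is_file():
                rel = path.relative_to(root).as_posix()
                digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_core(live_root, pristine_root):
    """Classify live core files against a pristine copy of the same version."""
    live, clean = hash_tree(live_root), hash_tree(pristine_root)
    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def build_demo_trees(base):
    """Constructed sample data: a tiny 'pristine' tree and a tampered 'live' copy."""
    files = {"wp-includes/load.php": "<?php // core bootstrap\n",
             "wp-includes/version.php": "<?php $wp_version = '3.8.1';\n",
             "wp-admin/index.php": "<?php // dashboard\n"}
    for tree in ("pristine", "live"):
        for rel, body in files.items():
            target = Path(base) / tree / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    live = Path(base) / "live"
    tampered = files["wp-includes/load.php"] + "/* constructed stand-in for appended code */\n"
    (live / "wp-includes/load.php").write_text(tampered)
    (live / "wp-includes/cache-tmp.php").write_text("<?php // not in core\n")
    return live, Path(base) / "pristine"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare_core(*build_demo_trees(tmp)).items():
            print(kind, paths)
```

The comparison is byte-for-byte, so the pristine copy must be the same version as the live site, and files transferred in FTP ASCII mode may show up as modified purely because of line-ending changes. WP-CLI offers the same kind of check against official checksums with `wp core verify-checksums`.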
Hacked or cracked? I don’t believe that anyone had to crack any passwords - especially when the op says that he hadn’t deleted the install folder (the load.php file). That’s a part of the installation directions which MUST be followed OR ANYONE can access that file to gain control over the website.
For me, “Hacked” says that someone has gained control over the website (whether using a valid file which should have been deleted or having passwords cracked). To me, that website is POISON for anyone who visits because the webmaster has no clue whether any malware still exists (not to mention access via “extra” admin entries in the database). This op MUST delete everything and start over BUT follow the installation directions to their conclusion.
the op says that he hadn’t deleted the install folder (the load.php file). That’s a part of the installation directions which MUST be followed
Do you mean load.php had to be deleted during (or after) the installation of WordPress? I don’t agree. I have followed the installation process as explained on the WordPress site. I don’t see a mention that load.php or some other file needs to be deleted to complete the installation of WordPress. Though I know it's true for Joomla and maybe some other CMSs as well.
Also, I checked in load.php and it seems to have some important code and is also required by wp-settings.php in the root. So, I don’t agree that it should have been deleted. Though I will accept that there can be something weak on my side which made it happen, yet not exactly this.
Also, to clarify, I did not find any extra users in the DB table. So, I don’t confirm that admin was accessed. I am not an expert with hacking, but this is what I see.
I’ve been getting this also on a few of my websites! However, when I log in to the admin panel of WordPress, I click “view-page-source” in another tab open with the website and then it’s gone!
Hi Bigfootbud, and welcome to the forums. I’ve had a look at several pages on the sites you listed, and I can see the garbage in the source code on every one of them.
I’m not quite sure what you mean by that, but if your sites have been hacked, then you’ll need to do a thorough cleanup to remove the malicious stuff, rather than just try to disguise it. dklynn has written a helpful guide to recovering from an attack, and if you need any more help, just ask.