Erroneous text advertising a spammy website appearing when viewing the webpage but not anywhere in WordPress

wordpress

#1

We have a bizarre issue with the homepage of our WordPress website. In one paragraph it has jumbled up letters in the display.

A couple of lines in the second paragraph are showing superimposed on top of one another.

When we highlighted the text to copy and paste (see below), it seems to be all there, but not visually. The spammy wording highlighted in bold (see below) is scary!

I’ve checked the website copy and code, and the text advertising GetStrattera, which is hyperlinked to the GetStrattera website (a dodgy pharmaceuticals website), doesn’t appear anywhere in WordPress or via Control Panel searches.

Indeed, the logs show that the text on the homepage hasn’t been changed for three years.

There have been no hacks into WordPress. Nobody has logged in except me.

The spammy text advertising GetStrattera only appears on selected computers. Can you see it on yours?

How can we fix this issue please?

Extract from website:

“Welcome to Bromptons Solicitors
When you are faced with a legal issue we are within easy reach and have the necessary expertise and experience to help you resolve it promptly and cost-effectively by listening to you and understanding your concerns and queries.
I have been using this for three years and GetStrattera helps me. I paid more attention to school. I did not have any side effects, but all drugs can have different consequences for other people.
Bromptons Solicitors is a commercial and business law practice with expertise in property, litigation, landlord and tenant, wills and probate and other fields. We are based in Kensington with a broad client base in the United Kingdom and internationally.”

Please see screenshot here showing the spam text advertising the pharmaceuticals website appearing on selected computers.


#2

If it is only selected computers, it sounds like they could be infected; I do not see it in the latest versions of Firefox or Edge.


#3

Out of interest, you have some errors on your index page:

Using //@ to indicate sourceMappingURL pragmas is deprecated. Use //# instead
[Learn More]
jquery.min.js:1
Use of getPreventDefault() is deprecated. Use defaultPrevented instead.
jquery.min.js:5:17101
Google Maps API warning: NoApiKeys https://developers.google.com/maps/documentation/javascript/error-messages#no-api-keys
util.js:246:12
Google Maps API warning: SensorNotRequired https://developers.google.com/maps/documentation/javascript/error-messages#sensor-not-required
util.js:246:12
Source map error: request failed with status 404
Resource URL: http://www.bromptons.net/wp-content/themes/bromptons/js/jquery.min.js?ver=1.9.1
Source Map URL: jquery.min.map


#4

Thank you so much for your very helpful responses Rubble!

Does anybody else see the spammer's text and have an idea what might be causing it, other than perhaps a trojan localised on specific computers? Could it be anything in the code or the server?

Rubble, it's very kind of you to highlight the coding issues. The Google Map appears perfectly, so does it matter whether we get an API key from them or not?


#5

Glad to be of help

The key is free, so there is no harm in getting one. It is nice not to have warnings/errors even if they do not affect the site :wink:
With Google Maps you needed a key; then you didn't need a key; and now you need a key again!

I cannot see the spam text on any of your pages. The errors/warnings above come up on them all, as the scripts etc. are built into your header on every page. If you were not using WordPress you could set up some PHP to only display the Google Maps script on the contacts page.


#6

I can’t see anything amiss on iOS Safari


#7

It sounds as if your WordPress installation, or at least your hosting account, has been compromised; I've seen this type of thing before.

If I disable CSS it shows for me, in several DIV elements with specific IDs (e.g. id="bromptons-9f2o") which appear to be injected, probably by a rogue or compromised script.

It can be very hard to pinpoint the source but things to try:

  • try looking to see if any core files have been modified recently
  • check for scripts that shouldn't be there
  • check your database (do a search for 9f20 to see if anything is found)

Ideally you need to restore the site from a backup, update WP and all your plugins, and change your WP logins, your hosting logins and your DB password.

If the problem happens again it may be an insecure WP plugin or your server just isn't secure enough.


#8

Thanks a million bluedreamer! Massively appreciate your help.

That is terrifying to discover, as there are so many sources from which the compromise could be occurring.

Working on it straight away.


#9

I wonder why it only comes up on some browsers and not others; age?


#10

Maybe some browsers etc. don't show the text added by the DIV elements as a security measure?

It's very clever how the infiltration only appears when CSS is turned off. See image here of the code, which shows the text added via the hack.

Problem is, I have no idea how to fix it, as there are so many files, scripts, etc. that could be causing it.

All the plugins and WordPress are already up to date. We have had various security plugins such as Sucuri and Wordfence installed for years.
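Posts #7 and #10 describe markup that is in the served HTML but only becomes visible with CSS disabled, and the original post says the text shows up only on some machines. The following is an added example in Python, not code from the thread, of two checks for exactly that: a parser that pulls out blocks hidden by inline CSS (display:none, visibility:hidden, off-screen positioning, zero font size) or carrying a random-looking id of the `slug-xxxx` shape, together with their text and link targets; and a comparison of the text of the same page as served to two clients, which is how user-agent, referrer or IP based cloaking is caught. The two sample pages, the id and the link URL are constructed for the demo; `fetch_as` uses the standard library to fetch a live page with a chosen User-Agent and is not called by the demo.

```python
# Added example (not from the thread): find markup that is present in the
# HTML but hidden by CSS, and compare the page as served to two different
# clients. The sample pages, ids and URLs below are constructed for the demo.
import re
import urllib.request
from html.parser import HTMLParser

# Inline styles that hide a block from a normal viewer but not from a crawler
# or from "view source" with CSS disabled.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:left|top|right|text-indent)\s*:\s*-\d{3,}px"
    r"|font-size\s*:\s*0(?![.\d])",
    re.I,
)
# Ids shaped like <slug>-<random> with at least one digit, e.g. bromptons-9f2o.
# A weak signal on its own, so such blocks are reported with hidden_by_style=False.
RANDOM_ID = re.compile(r"^[a-z]+-(?=[0-9a-z]*\d)[0-9a-z]{4,}$")
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class HiddenBlockFinder(HTMLParser):
    """Collects text and link targets inside elements matching HIDDEN_STYLE
    or RANDOM_ID, including anything nested in them."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.open = []      # (tag, block-or-None) for each open element
        self.blocks = []

    def _current(self):
        for _, blk in reversed(self.open):
            if blk is not None:
                return blk
        return None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        blk = self._current()
        if tag == "a" and blk is not None and a.get("href"):
            blk["hrefs"].append(a["href"])
        if tag in VOID:
            return
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        new = None
        if hidden or RANDOM_ID.match(a.get("id", "")):
            new = {"tag": tag, "id": a.get("id"), "hidden_by_style": hidden,
                   "text": [], "hrefs": []}
            self.blocks.append(new)
        self.open.append((tag, new))

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        while self.open:                  # pop back to the matching open tag
            if self.open.pop()[0] == tag:
                break

    def handle_data(self, data):
        blk = self._current()
        if blk is not None and data.strip():
            blk["text"].append(data.strip())

def hidden_blocks(html):
    """Hidden or randomly-named blocks with the text and links a crawler sees."""
    p = HiddenBlockFinder()
    p.feed(html)
    p.close()
    return [{"tag": b["tag"], "id": b["id"], "hidden_by_style": b["hidden_by_style"],
             "text": " ".join(b["text"]), "hrefs": b["hrefs"]} for b in p.blocks]

class TextCollector(HTMLParser):
    """All text nodes outside <script>/<style>, in document order."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.skip, self.chunks = 0, []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip and data.strip():
            self.chunks.append(data.strip())

def page_text(html):
    c = TextCollector()
    c.feed(html)
    c.close()
    return c.chunks

def cloaked_content(baseline_html, variant_html):
    """Text fragments served in `variant_html` but absent from `baseline_html`:
    fetch the same URL as two clients (browser vs crawler UA, two networks)
    and anything listed here is content only one of them receives."""
    base = set(page_text(baseline_html))
    return [t for t in page_text(variant_html) if t not in base]

def fetch_as(url, user_agent, timeout=15):
    """Fetch a live page with a chosen User-Agent (network; not used by the demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return r.read().decode(r.headers.get_content_charset() or "utf-8", errors="replace")

# Constructed samples: the same page as served to two clients. Only the second
# carries the injected, off-screen block; the link target is a reserved name.
CLEAN_PAGE = """<html><body><div id="content">
<p>Welcome to Bromptons Solicitors</p>
<p>When you are faced with a legal issue we are within easy reach.</p>
<img src="logo.png"><br>
</div></body></html>"""

INJECTED_PAGE = """<html><body><div id="content">
<p>Welcome to Bromptons Solicitors</p>
<div id="bromptons-9f2o" style="position:absolute;left:-9999px"><p>I have been using this for three years and
<a href="http://pharmacy.example/strattera">GetStrattera</a> helps me.</p></div>
<p>When you are faced with a legal issue we are within easy reach.</p>
<img src="logo.png"><br>
</div></body></html>"""

if __name__ == "__main__":
    for b in hidden_blocks(INJECTED_PAGE):
        print(b)
    print("served only to the second client:", cloaked_content(CLEAN_PAGE, INJECTED_PAGE))
```

In practice fetch the page once from a browser-like User-Agent and once claiming to be Googlebot, and once more from a different network, then feed each pair to `cloaked_content`; pharma injections are usually aimed at search engines, so the crawler fetch is the one most likely to carry the extra text.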


#11

The best course of action may be to back up the database, delete the contents of your root folder, and reinstall from scratch. That should safely remove any files that have infiltrated things.


#12

Thanks for your fabulous advice.

We've deleted and restored all the files and the database to versions from several months ago, but the spam text is still there!

Any ideas what we can do please?


#13

If you temporarily deactivate all plugins, still there?


#14

Thanks. Nothing appears on the webpage if I deactivate the plugins folder.

I'll have to selectively deactivate the plugins one by one and then test.
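Reactivating plugins one at a time, as the post above plans to do, costs one page reload per plugin. As an added example that is not from the thread, the following Python halves the active set on each reload instead, which finds a single misbehaving plugin in about log2(n) reloads. `is_clean` stands in for "reactivate exactly this set of plugins, reload the page with CSS disabled, confirm the injected text is gone"; the twelve plugin slugs and the simulated site that answers those checks are constructed for the demo. The search assumes one culprit that injects on its own; if two plugins only misbehave together, fall back to the one-by-one check.

```python
# Added example (not from the thread): narrowing down which plugin reinserts
# the spam by halving the active set rather than reactivating one by one.
# `is_clean` stands for "reload the page with exactly these plugins active and
# check that the injected text is gone"; the demo below simulates it.
import math

def find_culprit_plugin(plugins, is_clean):
    """Return the one plugin whose activation brings the spam back, or None if
    activating all of them leaves the page clean. Assumes a single culprit that
    misbehaves on its own (no dependency on another plugin being active)."""
    plugins = list(plugins)
    if is_clean(set(plugins)):
        return None                     # the plugins are not the cause
    if not is_clean(set()):
        raise RuntimeError("dirty with no plugins active: look outside wp-content/plugins")
    candidates = plugins
    while len(candidates) > 1:
        mid = len(candidates) // 2
        first, second = candidates[:mid], candidates[mid:]
        # If the first half alone is clean, the culprit is in the second half.
        candidates = second if is_clean(set(first)) else first
    return candidates[0]

def max_checks(n):
    """Worst-case page loads: two sanity checks plus one per halving step."""
    return 2 if n <= 1 else 2 + math.ceil(math.log2(n))

# Constructed demo: twelve plugin slugs, one of which (chosen below) injects markup.
DEMO_PLUGINS = ["akismet", "contact-form", "seo-tools", "gallery", "cache",
                "backup", "wordfence", "sucuri", "maps", "slider", "forms-pro",
                "analytics"]

class SimulatedSite:
    """Stands in for the real site; counts how many reloads the search needed."""
    def __init__(self, culprit):
        self.culprit = culprit
        self.reloads = 0
    def is_clean(self, active):
        self.reloads += 1
        return self.culprit not in active

if __name__ == "__main__":
    site = SimulatedSite("slider")
    found = find_culprit_plugin(DEMO_PLUGINS, site.is_clean)
    print(found, "found after", site.reloads, "reloads (worst case", max_checks(len(DEMO_PLUGINS)), ")")
```

Finding the plugin is only the first step: a plugin that injects pharma spam is either malicious as shipped or has been modified on disk, so compare its files against a fresh copy from the official repository before deciding it was merely vulnerable.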


#15

Have you got any non-WP files on your server? If you have it's possible one of those may have been compromised.

