I have been receiving user complaints that when they try to access my Website, beyond the homepage, they are being greeted with a Purchase Viagra Online page and message, as seen here: http://img710.imageshack.us/img710/9292/40bd.jpg
Now I have received this complaint before from people that tried to access the mobile version of my Website, but I have since disabled that in WordPress as there were a lot of associated problems with WP-SuperCache and my homepage displaying as a mobile site a lot of the time. However, this is the first time I’ve received the complaint when people are trying to access the site via the Web, and it’s pretty concerning.
I’ve disabled EasySMS, removed cache… done a full sweep of my own machine for spyware etc. and to no avail. I have no idea what to do.
I recently removed the Right Media platform from my Website after realising some of their associated affiliates were serving malware. Right now here is what I use:
TribalFusion banners
ValueClickMedia banners and pop under
AdBrite Full page ad
AdsDaq banners Advertising.com banners
Security is tweaked high on all of them. I just don’t have an idea, and I imagine I’m losing a lot of traffic because of it. It started from the mobile version and has now spread, so I have no idea if that information will help!
I don’t see it, but there seems to be a higher than usual number of WordPress sites being hacked the past two or three weeks, and almost always WP-SuperCache is one of the plugins installed. I’m beginning to suspect there’s a major flaw in that plugin that people are exploiting.
AdBrite has been a problem for some people in the past, possibly because AdBrite fails to catch and remove bad ads in their system. You can see in this report that they “have functioned as an intermediary” recently. Their report usually seems to say that. When a report says that, it can indicate bad ads: http://www.google.com/safebrowsing/diagnostic?site=adbrite.com.
If that’s not the cause, look through your site for ways that it could be redirecting visitors. You can use the Firefox “Live HTTP Headers” add-on, to watch what happens as you access your site, to see if it redirects. If it does, see the “How to remove…” article in my signature, sections #13, 14, and 15. A JavaScript redirect (#14) can also occur as the result of a page that was loaded by an iframe; in that case, you won’t see the “window.location” code in your site; what you look for are malicious iframes that get their content from some site other than yours.
If you have trouble reproducing the redirect, try going to your pages from a Google search result. Sometimes these redirects only occur when the visitor came from a search engine.
Thanks for the help guys. Figured out that my index.php in the root directory had some how been compromised and linked to a txt file in my directory with these viagra ads. Worryingly, the index file hadn’t been modified since July 2009 so it must have been happening since then!
