Wordpress Themes - WP Forum at BFA
Click here to register or to donate.
Auto self-registration is not available here - far too many spammers. This forum has many, many backlinks and because of that there is an intense desire among spammers to drop their links here.

Wordpress Themes - WP Forum at BFA » WordPress Themes » Atahualpa 3 Wordpress theme » Header configuration & styling »

How to eliminate a nasty infection from Atahualpa?


  #1  
Old Jun 13, 2015, 08:21 PM
markzip
 
60 posts · Jan 2010
http://mayapplepress.com/
WP 4.2.2
Atahualpa 3.7.7

There is a persistent nasty on all pages and posts on the site:
It happens just after the end of the </head> tag and it looks like this:
Code:
...</head>
<body class="single single-post postid-3408 single-format-standard">
<div id="wrapper">
<div style="position:absolute; top:-850px;" id="dovanta"> <a href="http://mayapplepress.com/status/doxycycline.php" title="buy doxycycline online">Buy doxycycline online</a> always better to consult</div>
<div id="container">
<table id.....
Note that the example above is for context and this contains a specific postid. This number changes depending on the page or post, of course.

So the problematic code looks like this:
Code:
<div style="position:absolute; top:-850px;" id="dovanta"> <a href="http://mayapplepress.com/status/doxycycline.php" title="buy doxycycline online">Buy doxycycline online</a> always better to consult</div>
This code survives shutting off all plugins. It does not survive switching to the default WP 2015 theme.

Thus, it must be part of the Athualpa theme, no?

Thoughts?

TIA
  #2  
Old Jun 14, 2015, 05:43 AM
juggledad's Avatar
juggledad
 
23,672 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
Are you actually on version 3.7.7??? the current version of Atahualpa is 3.7.27
Version 3.7.7 was released back in 2012!
I would say you need to do an upgrade - Do a backup of your site first.

I know of no infections caused via the theme (not that I'm saying it is impossible) I'm actually amazed that Atahualpa 3.7.7 is running on WP 4.2.2

You could have gotten hacked in any number of ways and it could even be in the WP code at this point. You need to start going thru the steps to fix your hacked site.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support

Last edited by juggledad; Jun 14, 2015 at 05:47 AM.
  #3  
Old Jun 14, 2015, 05:19 PM
markzip
 
60 posts · Jan 2010
While I know that I should do an update of Atahualpa, the install is somewhat modified and I would rather avoid a manual update. But I will do it.

I assume that the infection is not in WP or any plugins, as it does not survive turning off Atahualpa and all plugins.
  #4  
Old Jun 14, 2015, 07:03 PM
juggledad's Avatar
juggledad
 
23,672 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
You may just not be seeing it - ie it may be hidden and will show art some time.

As it is, go thru each of the Atahualpa option pages and hit the green save button to clear up some of the warning messages you are now seeing. They are from new options that need to be initialized.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support

Last edited by juggledad; Jun 14, 2015 at 07:05 PM.
  #5  
Old Jun 14, 2015, 07:47 PM
cefiar
 
24 posts · Jun 2014
Melbourne, Australia
What you may have is an infection that scans through a sites PHP and replaces certain functions with it's own. This means you've been hacked in some way (eg: a wordpress vulnerability, password exposure, brute force password hacks, etc). They tend to do this in a single "once off" pass when they first penetrate your site.

A lot of these either happen to target basic code that is used in a lot of WP themes, or they infect WP themes by inserting code near the start of the main function file for each theme. They may only target the running theme, or they might target all installed themes.

As for why you don't see it in the 2015 theme: If most of the code has been inserted into all themes at the time of the intrusion (eg: Atahualpa), and then you upgraded the built in theme 2015, this hack/change may have been wiped.

As for why you should not trust simply changing the theme to fix it: If extra code has been left on the system elsewhere that checks if you've attempted to clean the infection (but not fully removed it), then you can get re-infected. This could be as simple as a hidden extra PHP script called by remote (once they've noticed) or via a WP Cron job that fires on some longer time scale, or it could be something that is stored in the DB and triggered by other means (eg: SQL injection).

Once you have any sort of foreign code running on your site, you really need to consider everything on the site as potentially hazardous. If I was you, I would extract just the content of the site (and inspect the recovered content before restoring it), and redo the rest from scratch. This includes reviewing users and any method of access for the site.

Basically: Once a system has been pwned, you really need to redo everything from scratch, check everything at least twice to make sure it's clean, and all passwords should also be changed (never use the old ones again).

(moderator note: and by changing all passwords - wordpress's, mysql, cPanel, your hosting account, ftp, your own computers (could be a key logger on your computer) and anyone eleses computer with admin access to any of those areas)

Last edited by juggledad; Jun 15, 2015 at 03:14 AM.
  #6  
Old Jun 15, 2015, 11:55 AM
markzip
 
60 posts · Jan 2010
Welp. I've had a good clean and scrub and AFAIK I'm now disinfected.

The only real hassle was the installation forgetting the placement of widgets in the sidebars and the content of text widgets. I was a little surprised that the backups did not appear to contain that stuff. I didn't spend much time pursuing it and just chose to reconstruct from scratch.

Took me a little while to figure out the new Ata images regime, but it'll be better in the long-run.

It would be great to know how they got in, as I'm pretty careful about staying up to date (with the exception of theme updates, apparently). I don't suppose I'll ever know.

Thanks as always for the help and advice.

Zip

Bookmarks

Tags
dovanta, doxycycline, hacked, infection

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes


Similar Threads
Thread Thread Starter Forum Replies Last Post
Eliminate one of the Home page tabs Cathy Atahualpa 3 Wordpress theme 5 Mar 2, 2013 04:39 PM
How to eliminate categories from theme entirely elviejito Atahualpa 3 Wordpress theme 2 Dec 28, 2011 11:49 AM
[SOLVED] How Do I Eliminate The Bottom Scroll Bar? Mogul Atahualpa 3 Wordpress theme 1 Nov 17, 2011 02:22 PM
How to eliminate space between posts? mgofootball Post-Kicker, -Byline & -Footer 1 Jul 18, 2009 09:46 PM
eliminate one sidebar? measure2x Sidebars & Widgets 5 May 11, 2009 04:33 PM


All times are GMT -6. The time now is 11:59 AM.


Powered by vBulletin® Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.