your website is compromised

[Yakuza Racer]

http://www.vagtechnik.co.za/
view-source:http://www.vagtechnik.co.za/ <- copypasta in your browser

Top left corner: http://co09778.wix.com/bet365 <- link in which spammers uses to funnel traffic through.

open the website: top right corner is the link

Update the CMS to the latest and i think one of your plugins might be the hole.
Alternatively check users and go in editor and remove the code.

cheers

[Sinbad]

Have mailed this to them as well. Thanks for pointing it out

[Rabbit222]

Thanks guys

[sugen]

Thanks gents looks like it was a simple injection attack. We have cleaned it up, can you please re-visit our site and let us know if you pick anything else up.

Once again thanks for the assistance

[Yakuza Racer]

Thanks gents looks like it was a simple injection attack. We have cleaned it up, can you please re-visit our site and let us know if you pick anything else up.

Once again thanks for the assistance

i can still see it there...yes i have cleared my cache [NooB]

others might confirm...

[JuST170]

Thanks gents looks like it was a simple injection attack. We have cleaned it up, can you please re-visit our site and let us know if you pick anything else up.

Once again thanks for the assistance

i can still see it there...yes i have cleared my cache [NooB]

others might confirm...

Confirmed

[Yakuza Racer]

its in your theme....

go into editor and go to header.php - control + f and find the code and delete it
also check in the other files in the editor (located on the APPEARANCE dropdown)

edit:

this code: <p align="left"><a href="http://co09778.wix.com/bet365">http://c ... 365</a></p>

[Black&White]

I'm in here and it feels like aliens are trying to contact me (noob I)

[Stompie]

I'm in here and it feels like aliens are trying to contact me (noob I)

+1

[Yakuza Racer]

im out soon, if you need help shoot me a PM....

[sugen]

nothing much changed but I don't see it anymore checked myself now.

[Sparkz0629]

Nope. definitely still there. top left corner.

[Yakuza Racer]

nothing much changed but I don't see it anymore checked myself now.

its in your theme....

go into editor and go to header.php - control + f and find the code and delete it
also check in the other files in the editor (located on the APPEARANCE dropdown)

edit:

this code: <p align="left"><a href="http://co09778.wix.com/bet365">http://c ... 365</a></p>

[MeanTdi]

Checked from another device - still there.

[NeoSA]

It's in your CSS stylesheet file gents:

innerHTML: "<a href="http://co09778.wix.com/bet365">http://c ... /bet365</a>"
innerText: "http://co09778.wix.com/bet365"
isContentEditable: false

to be more specific, it's linked to <p></p>

[Yakuza Racer]

still not resolved and is now showing another link....

[Rabbit222]

I have asked Sugen to contact the dude thats busy with our site. Hopefully that will be fixed soon.

[markieee7]

The link is caused by a malicious WordPress plugin downloaded directly from wordpress.org. The attacker just keeps creating new plugins after they get banned. However, if you use any of the following plugins;

seo-cheese
g-translate (note the hyphen - other versions are fine)
seo-interlinking
return-to-top
google-maps-by-daniel-martyn

I would strongly recommend they should be removed immediately as they are all operated by the same hacker and insert these dodgy links to the top of your page. If not - I would love to know which plugins you have so I can investigate and report the malicious plugin to wordpress.org.

Useful reading for information about the same attack

http://wordpress.org/support/topic/strange-link-to-casino-online-appeared-at-the-top-of-my-blog
http://wordpress.org/support/topic/random-casino-link-has-appeared-on-my-wordpress-site
http://www.techyduck.com/web-design-developments/wordpress-site-hacked-showing-httponline-casino-blog-ca-in-header/

Malicious code (this is normally found in plugin directory -> setup.php or install.php)

Code: Select all

<?php
if (is_user_logged_in()) { $loggedin = 'yes'; } else { $loggedin = 'no'; }
if ($loggedin == 'no') {
$ip = $_SERVER['REMOTE_ADDR'];
$filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/seo-cheese/created.txt';
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);
$filestring= $contents;
$findme  = $ip;
$pos = strpos($filestring, $findme);
if ($pos === false) {
?>
<p align="center"><a href="http://online-casino.blog.ca">http://online-casino.blog.ca</a></p>
<?php //
} else {
echo '';
}}
?>

Sites that are linked to the same hacker

The following sites are linked to the same hacker and listing them here will hopefully help other people who have the same issue.

bet.sitonline.it/
co09778.wix.com/
honline-casino.en.softonic.com/
online-casino.blog.ca/
online-casino.us.org/
onlinecasino-games.com/online-roulette/
onlinecasino-games.com/
http://www.bettingwebs.co.uk/
http://www.concierto92uno.com/
http://www.games-casino.us/
http://www.happy-wheels.me/
http://www.templatewordpress.org/bet365-uk/
http://www.tumeplaiscoco.com/
http://www.bingo-sites.org.uk
skybet.webeden.co.uk
betfree.oneminutesite.it
http://bet365.bestonlinecasino.pw
bonus.uk.net

Other information about this hack

The trick works well because as you have found, the link itself is not visible to the site owner as firstly, it doesn't show if you are logged in to your own site, and secondly it also keeps a log of all past IP addresses that successfully logged in before and hides the link (read source code above for details on this).

Hack prevention

Be very cautious of new plugins on wordpress.org as it seems they are not adequately checked (perhaps initially but the plugin creator can easily modify the code with new versions). Trust only plugins that have more popularity and read though the comments and ratings.

If you think you have this issue on your site, a very quick way to find out is to try running you site in safe mode to temporarily disable plugins (just add '?safe_mode=1' to your URL while logged in).

[MeanTdi]

Give this man a Bells!

[dood786]

Its a spam bot by the looks of it

[Yakuza Racer]

bump...

site is still in its dinges