Some days ago we had a problem with an unwanted „Banner“ on our WordPress-Blog – promoting slotmachines.us.org. It’s quite easy to find and get rid of the problem. But we did not find a lot of solutions online (mostly related to the Lightbox-PlugIn).
Find the source of the hack…
- Search with Linux, MacOS X or BSD:
We had a look in all files of our WordPress-Installation with „grep“ (It’s a nice Linux command-line tool – http://linux.about.com/od/commands/l/blcmdl1_grep.htm):
grep -r slot DIRECTORY/
This command looks into all files for the string „slot“.
- Search with Windows and „Notepad++“:
In our case the SocialMedia Share-Button PlugIn was the injection/hack!
…and get rid of it
We just deleted the PlugIn – we don’t want such a messy PlugIn.
Looking into two files in the PlugIn-directory is quite interesting:
- widget.php contains the Link/Code
- welcome.txt seems to collect the IPs of the LogIn-Users/Admins
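The grep search and the two file findings above can be combined into one check. This is an added example, not part of the original post: the function names, the plugin directory name and the sample files are constructed for illustration, and it assumes a grep that supports -r and -I (GNU or BSD).

```shell
#!/bin/sh
# Added example: defensive scan of a WordPress tree for an injected string.

# List every file under DIR that contains KEYWORD (fixed string, case-insensitive).
# Passing the directory itself, not DIR/*, also covers dotfiles such as .htaccess.
find_injected() {
    grep -rIlFi -- "$2" "$1" 2>/dev/null | sort
}

# List .txt/.log files under DIR holding at least MIN lines that look like IPv4
# addresses, printed as "COUNT PATH". Such a file inside a plugin is worth reading.
find_ip_logs() {
    min=${2:-3}
    find "$1" -type f \( -name '*.txt' -o -name '*.log' \) | sort |
    while IFS= read -r f; do
        n=$(grep -cE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$f" || true)
        if [ "$n" -ge "$min" ]; then printf '%s %s\n' "$n" "$f"; fi
    done
}

# Build a small constructed tree (hypothetical plugin name, documentation-range IPs).
make_demo_tree() {
    root=$(mktemp -d)
    p="$root/wp-content/plugins/share-button-example"
    mkdir -p "$p" "$root/wp-content/themes/demo"
    printf '<?php echo "<a href=\\"http://slotmachines.us.org\\">banner</a>";\n' > "$p/widget.php"
    printf '192.0.2.10\n192.0.2.11\n198.51.100.7\n' > "$p/welcome.txt"
    printf 'Thanks for installing.\n' > "$p/readme.txt"
    printf '<?php get_header();\n' > "$root/wp-content/themes/demo/index.php"
    printf '# redirect to http://SLOTmachines.us.org\n' > "$root/.htaccess"
    echo "$root"
}
```

Run `find_injected DIRECTORY slot` against the real installation first, then `find_ip_logs` on each plugin directory that shows up in the result.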