
Random text ad appeared on my website.


19paradox91


Not sure where to put this, so I figured this would be a good place to start.

 

First:

  • I host a website for a client through iPage.com called Authentic Log Houses at authenticloghouses.com.
  • This website uses a WordPress platform.

 

Anyway, on with the issue. My client called me one day and said a text ad showed up on his navigation menu of the website selling viagra! Immediately the worst case scenario went through my mind. I told him I'd check it out as soon as I could. I got home and checked his website using Chrome (my preferred browser) only to find it exactly as it should be (with no ad). I assumed at that point that he was probably the only one that could see the link and was probably just dealing with a virus or malware that was affecting his browser.

 

I told him he should run an antivirus or malware removal program and see if he still saw the ad. He did, but found nothing. He then called his brother and asked him to view his website to see if the ad appeared. It did. I checked again on my computer, still nothing. Finally I decided to try a different browser than Chrome and found that Firefox, IE, Safari, and Opera ALL show the ad!

 

I still don't know why every browser except Chrome shows the ad, but now that I could duplicate the issue, I eliminated the possibility of a virus or malware since multiple computers showed the same ad (which changes from time to time). I viewed the source code to see where it may have been coming from and it simply showed an anchor tag with a link to a random website in the main nav menu outside the unordered list that the website uses; however, I cannot find that link in the source files.

 

I spoke with iPage's technical support to see if they had any ideas and they said to update all my plugins and install the "Link Removal Tool" and enter the linked URL. They said this tool has helped many people and works really well. Nothing worked for me. I even tried their "Pro" version (which is still free o_O) and it seemed to be nothing but spam, so now I don't trust them in the least.

 

The current text ad can be viewed on the website in green in the top navigation bar saying "Payday loans direct lender no teletrack" and links to a 404 at worldwiderssfeedcompendium.com.

 

I'm currently out of ideas! Any help would be awesome. I've never seen this before! I can upload any files if necessary.

 

Thanks in advance,

Kevin


This is much more serious than the annoying little link. Somebody was able to inject code into your site. Who says it's only a link? They might have injected actual malware as well, or maybe they're planning to do so in the next few days.

 

This is a major security breach, and there's something very wrong with your WordPress installation or your server.

  • Change all passwords of your SSH/FTP accounts, admin accounts, database users etc.
  • Check the sanity of your server. Any FTP accounts that shouldn't be there? Files you didn't upload?
  • Make sure your server is configured correctly (file permissions, PHP settings etc.).
  • Update WordPress as well as all plugins. Ideally, you'd back up your current content, start with a fresh installation and then carefully restore your content piece by piece. If you can't make a fresh start, download your current content (the files and the database) and analyze everything until you've found the link as well as any other code injection.
  • When everything is done, change all passwords again.

Yes, this will be painful and take a lot of time. But again, this is a very serious problem. Personally, I'd probably shut down the site until I know exactly what the hell is happening on my server.
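
An added example, not part of either post: one way to carry out the "download your current content and analyze everything" step on a local copy of the files and a database dump. The function names, the list of PHP constructs and the constructed sample file are assumptions; only the domain comes from the thread. Because the link did not appear as plain text in the source files, the scan also decodes base64 string literals and looks for the domain inside them.

```python
import base64
import os
import re
import tempfile

KNOWN_DOMAINS = [b"worldwiderssfeedcompendium.com"]  # link target named in the thread
# PHP constructs often used to hide injected code (heuristic: clean code matches some too)
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(|HTTP_USER_AGENT")
B64_LITERAL = re.compile(rb"['\"]([A-Za-z0-9+/]{24,}={0,2})['\"]")
TEXT_EXT = (".php", ".js", ".html", ".htaccess", ".sql")

def scan_file(path):
    """Return (line_no, reason) findings for one file."""
    findings = []
    with open(path, "rb") as fh:
        for no, line in enumerate(fh, 1):
            if any(d in line.lower() for d in KNOWN_DOMAINS):
                findings.append((no, "plain link"))
            if m := SUSPICIOUS.search(line):
                findings.append((no, "suspicious: " + m.group(0).decode().rstrip(" (")))
            for lit in B64_LITERAL.findall(line):
                try:
                    decoded = base64.b64decode(lit, validate=True).lower()
                except ValueError:  # not valid base64, ignore the literal
                    continue
                if any(d in decoded for d in KNOWN_DOMAINS):
                    findings.append((no, "base64-hidden link"))
    return findings

def scan_tree(root):
    """Walk a downloaded copy of the site; map relative path -> findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.lower().endswith(TEXT_EXT)):
            full = os.path.join(dirpath, name)
            if hits := scan_file(full):
                report[os.path.relpath(full, root)] = hits
    return report

def demo():
    """Scan a constructed theme file that carries a base64-hidden link."""
    hidden = base64.b64encode(b'<a href="http://worldwiderssfeedcompendium.com/">ad</a>')
    sample = b"<?php\n$ua = $_SERVER['HTTP_USER_AGENT'];\necho base64_decode('" + hidden + b"');\n"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "header.php"), "wb") as fh:
            fh.write(sample)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Since the ad changes from time to time, add each newly observed link target to `KNOWN_DOMAINS` and rerun the scan; the "suspicious" hits need manual review because legitimate code also uses some of these functions.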
