Undetectable URL injected Wordpress Site, Can somebody help?

flush27 · Mar 31, 2021

Good day dear great members of Babiato.
I have a WordPress magazine blog and somehow in the past it was infected. I did almost anything I'm capable of but no way to clean those links from the google search console. I scanned the entire site manytimes, I'm using Wordfence and it doesn't give any positive sign.
I tried to remove URL's by the key string and it worked somehow in the past. However, a few days ago the URL's poped up again.

as you can see --.com/site/page.php?c108c6= embedded somehow in the root but I can't not detect where it is. I would greatly appreciate if someone can give an advice.
Thanks in advance.

tuton012 · Mar 31, 2021

did you install any plugin to the website before it started? how long has this been like this on your website?

flush27 · Mar 31, 2021

tuton012 said:
did you install any plugin to the website before it started? how long has this been like this on your website?

Thanks for your response. Well, months ago that happened and I found some malicious base64 codes after scanning the site and cleaned them. A long time later I noticed the links from G search console. I searched for the links in PHPMyAdmin but couldn't find any of them in the database. No scanner can detect them. Even though I report the links to google for deindexing, they keep existing. Search console notification says, 'Indexed, though blocked by robots.txt'. I don't know how to get around this problem.

NextMan · Mar 31, 2021

This page on live or 404? Any url?

flush27 · Mar 31, 2021

NextMan said:
This page on live or 404? Any url?

When I head over to the URL its 404. But it exists in Google search console index page

NextMan · Mar 31, 2021

Please use screamingfrog or etc. for 404 or live...

It may be a scheduled program. Urls are not always active. They can be active for a short time and then become 404 ... You need to check all your plugin and theme codes ...

slavstudio · Mar 31, 2021

This is well known issue with nulled plugins and themes, where some of sharers inject piece of code that ads links to your website and redirects them to specific links. I suggest you follow this https://www.wpaos.com/2020/11/13/how-to-fix-wordpress-hacked-url-injection/

Spam Links Injection in WordPress Site - Removal Guide [2023]

secure.wphackedhelp.com

Also, happened to me once. Code is added inside one of the theme/plugin .php file, most likely config files or footer/header.

I suggest you manually check your theme/plugins files, even better, disable one by one plugin and activate one by one, if you see that issue is not present anymore, you will know what plugin is the problem. Disable all plugins and if issue is still the same, your theme is most likely infected.

For cleaning links from Google Search console, you can send request to Google via Search console to deindex existing links.

phaze1G · Mar 31, 2021

shared hosting?

flush27 · Mar 31, 2021

phaze1G said:
shared hosting?

Yes its a shared hosting.

flush27 · Mar 31, 2021

slavstudio said:
This is well known issue with nulled plugins and themes, where some of sharers inject piece of code that ads links to your website and redirects them to specific links. I suggest you follow this https://www.wpaos.com/2020/11/13/how-to-fix-wordpress-hacked-url-injection/

Spam Links Injection in WordPress Site - Removal Guide [2023]

secure.wphackedhelp.com

Also, happened to me once. Code is added inside one of the theme/plugin .php file, most likely config files or footer/header.

I suggest you manually check your theme/plugins files, even better, disable one by one plugin and activate one by one, if you see that issue is not present anymore, you will know what plugin is the problem. Disable all plugins and if issue is still the same, your theme is most likely infected.

For cleaning links from Google Search console, you can send request to Google via Search console to deindex existing links.

I used to use nulled plugins before but I don't have any nulled one anymore. Also, wordfence scan can not detect any malicious code either.

slavstudio · Mar 31, 2021

flush27 said:
I used to use nulled plugins before but I don't have any nulled one anymore. Also, wordfence scan can not detect any malicious code either.

It can't detect it because it is not malicious code, it is advert code.
Advert code can't be treated as malicious code because maybe user added it for ad ravenue. That is why wordfence doesn't show it.

slavstudio · Mar 31, 2021

It is most probably one link inserted into code that points to an ad server

flush27 · Mar 31, 2021

slavstudio said:
It is most probably one link inserted into code that points to an ad server

Is there a way of finding it or replacing with the original files?

slavstudio · Mar 31, 2021

flush27 said:
Is there a way of finding it or replacing with the original files?

Do you use nulled template?

flush27 · Mar 31, 2021

slavstudio said:
Do you use nulled template?

I'm using Jnews at the moment, I downlaaded it from envato elements but after my subscription ended, I downloaded updated one from Babiato. So the theme is from Babiato, the rest of the plugins are from original repisatory.

HexGloss · Mar 31, 2021

have you tried a logger or firewall for outgoing connections??
i use "snitch" when using nulled plugins, works like a charm

GitHub - pluginkollektiv/snitch: Network monitor for WordPress. Connection overview for monitoring and controlling outgoing data traffic.

Network monitor for WordPress. Connection overview for monitoring and controlling outgoing data traffic. - pluginkollektiv/snitch

github.com

also, Core Control. https://github.com/dd32/core-control
Hope it works for you.

johnc · Mar 31, 2021

Look into functions.php of theme and child theme (if any), most probably the malware codes are inserted here.
Look here anything strange or any strange URL.

TylerDurden · Mar 31, 2021

HexGloss said:
have you tried a logger or firewall for outgoing connections??
i use "snitch" when using nulled plugins, works like a charm

GitHub - pluginkollektiv/snitch: Network monitor for WordPress. Connection overview for monitoring and controlling outgoing data traffic.

Network monitor for WordPress. Connection overview for monitoring and controlling outgoing data traffic. - pluginkollektiv/snitch

github.com

also, Core Control. https://github.com/dd32/core-control
Hope it works for you.

Thanks but are these still working with latest wordpress?

HexGloss · Apr 1, 2021

TylerDurden said:
Thanks but are these still working with latest wordpress?

Yes they are, im currently using it.

xeric · Apr 8, 2021

To search across all your theme and plugin files, I suggest downloading them all via FTP then use Notepad++ to Find text in folder which will scan every file in the folder for the text you enter.

Undetectable URL injected Wordpress Site, Can somebody help?

Welcome to Original Babiato! All Resource are Free and No downloading Limit.. Join Our Official Telegram Channel For updates Bypass All the resource restrictions/Password/Key? Read here! Read Before submitting Resource Read here!Support Our Work By Donating Click here!

Join Our Official Telegram Channel For updates Bypass All the resource restrictions/Password/Key? Read here! Read Before submitting Resource Read here!

Support Our Work By Donating Click here!

Member

Strive for progress, not perfection

Member

Member

Member

Member

Member

Member

Member

Member

Member

Member

Member

Member

Member

New member

Well-known member

New member

New member

Member

Similar threads

Forum statistics

Share this page

Welcome to Original Babiato! All Resource are Free and No downloading Limit..
Join Our Official Telegram Channel For updates
Bypass All the resource restrictions/Password/Key? Read here!
Read Before submitting Resource Read here!
Support Our Work By Donating Click here!

Join Our Official Telegram Channel For updates
Bypass All the resource restrictions/Password/Key? Read here!
Read Before submitting Resource Read here!