Erroneneous spam text appearing when view webpage but not in WordPress - WordPress forum at WebmasterWorld - WebmasterWorld

Forum Moderators: rogerd & travelin cat

Message Too Old, No Replies

Erroneneous spam text appearing when view webpage but not in WordPress

Text is advertising dodgy pharmaceuticals website. Doesn't exist in code

1Lit

9:36 pm on Nov 24, 2017 (gmt 0)

10+ Year Member

We have a bizarre issue with the homepage of our WordPress website. In one paragraph it has jumbled up letters in the display.

A couple of lines in the second paragraph are showing superimposed on top of one another.

When we highlighted the text to copy and paste, see below, it seems to be all there but not visually. The spammy wording highlighted in bold (see below) is scary!

I’ve checked the website copy and code and the text advertising GetStrattera, which is hyperlinked to the GetStrattera website (which is a dodgy pharmaceuticals website), doesn’t appear anywhere in WordPress or via Control Panel searches.

Indeed, the logs show that the text on the homepage hasn’t been changed for three years.

There has been no hacks into WordPress. Nobody has logged in except me.

The spammy text advertising GetStrattera only appears on selected computers. Can you see it on yours?

How can we fix this issue please?

Extract from website:

“Welcome to ...
When you are faced with a legal issue we are within easy reach and have the necessary expertise and experience to help you resolve it promptly and cost-effectively by listening to you and understanding your concerns and queries.
I have been using this for three years and GetStrattera helps me. I paid more attention to school. I did not have any side effects, but all drugs can have different consequences for other people.
... is a commercial and business law practice with expertise in property, litigation, landlord and tenant, wills and probate and other fields. We are based in Kensington with a broad client base in the United Kingdom and internationally.”

[edited by: travelin_cat at 11:17 pm (utc) on Nov 24, 2017]
[edit reason] Removed specifics per TOS [/edit]

1Lit

9:43 pm on Nov 24, 2017 (gmt 0)

10+ Year Member

I wasn't able to highlight the erroneous text above. It is the middle of the text about the legal firm. It is:

"I have been using this for three years and GetStrattera helps me. I paid more attention to school. I did not have any side effects, but all drugs can have different consequences for other people."

As I was saying, this text is nowhere to be found in the copy or code of the website.

lucy24

10:22 pm on Nov 24, 2017 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

First the bad news: A moderator will shortly come along and edit your posts, because you're not allowed to name your own site. You also probably don't want the spam site's name to be deducible, since that's exactly the advertising they are looking for.

Checking internal logs was an excellent first move. I'm assuming you can tell the difference between really-you and someone-pretending-to-be-you. You should also check the site's htaccess file and confirm that it hasn't been changed recently. (I tend to think you will not find anything wrong, but check anyway.) In a sense you've got the mirror opposite of the more common problem where someone else's site is showing your content.

The spammy text advertising {spammy product} only appears on selected computers.

Well, that's a clue. Which selected computers? (Not mine.) What do they have in common? In particular, do they all use the same ISP, or belong to the same local network?

1Lit

10:46 pm on Nov 24, 2017 (gmt 0)

10+ Year Member

The Wordpress installation has, indeed, been compromised!

If I disable CSS the dodgy text shows for me, in several DIV elements with specific ID's (eg id="bromptons-9f2o" ) which appear to be injected by probably a rogue or compromised script.

The infiltration only appears when CSS is turned off. See image here [i.imgur.com] of the code which shows the text added via the hack.

Problem is I have no idea how to fix it as so many files, scripts etc. that could be causing it?

All the plugins and Wordpress are already up-to-date. Have had various security plugins such as Securi and Wordfence installed for years.

1Lit

10:50 pm on Nov 24, 2017 (gmt 0)

10+ Year Member

Thank you lucy24. Very much appreciate your feedback and input.

Obviously I'm not looking to advertise the website having suffered the hack - or the spammer's website! Might help if the spammer's website appears in the SERPs for the hacking issue so other people can resolve the issue if they're also suffering it.

But I totally respect WW's community guidelines. I can't edit my post above, but any moderator is welcome to edit or remove anything if they should wish.

Many thanks.

TorontoBoy

11:07 pm on Nov 24, 2017 (gmt 0)

Top Contributors Of The Month

Immediately change all your WP admin passwords, as well as your host provider cPanel, FTP, etc passwords.

Your WP can be hacked by hacking your passwords. Tools such as WPScan, available on Github, can do a login attack on your login ID against a standard password file. Once they have an admin ID they have free run of the house.

Just because your plugins are current does not mean they are not a vulnerability. Most WP sites are hacked through plugins.

I could not reach your site. If you can find the errant div, then you might be able to find out where the div was inserted, such as a new CSS file, or a new include?

keyplyr

12:09 am on Nov 25, 2017 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Appears you're resolved your "hacked" issues. The site displays normally... however, you have bigger issues. Putting an Ad at the very top followed by a huge animated file is terrible SEO. Your site took over a minute to fully load.

It may load fast for you since your browser has cached those files, but for the new visitor, you likely are giving them a poor experience and many may just leave.

Since Google is in the process of updating to the Mobile-First Index [webmasterworld.com] where speed is a ranking factor, you should consider moving your Adsense down the page and replacing the animated graphic with something that loads a lot faster.

1Lit

1:02 am on Nov 25, 2017 (gmt 0)

10+ Year Member

Keyplyr - thanks a million for your input. It is greatly appreciated. I understand you are referring to the website in my profile. I am totally in alignment with you re: that site. It's an old site - using flash, not responsive - and so I'm planning to build an entirely new site when I can some time away from working on clients' websites! Thank you. The actual issue is with another site. But I am not allowed to refer to it at all on WW, so you won't be able to check. I can still see the issue of the spam text appearing (as per the screenshot here [i.imgur.com]) in my browser when I turn off the CSS.

TorontoBoy: we’ve now done everything we can. For instance, we have deleted and restored all the files and the database to versions from several months ago, but the spam text is still there!

You stated: "If you can find the errant div, then you might be able to find out where the div was inserted, such as a new CSS file, or a new include?". How can I find out how the errant DIV is entered into the code please? It's not in the style.css or other .css files.

Any ideas what we can do please?

NickMNS

2:16 am on Nov 25, 2017 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

The screen shot shows a script that is calling a JS function named bromptons9f2(). So elsewhere on the page there should be reference to another JS script where this function is defined. Likely places to find it would be in the <head> or near the <body> or before the </body> tags but it could be any where really. The script is most likely an external script. This is most likely finding its way on the page by a server side injection. So you would need to search for it using dev-tools (right click and select "inspect element" or ctrl-shift c in Chrome). If you just check the page source it will not there.

TorontoBoy

3:07 am on Nov 25, 2017 (gmt 0)

Top Contributors Of The Month

I may be hallucinating, but this sounds like the old Wordpress Pharmacy hack of years ago, just a little different. I had to go into myPHPAdmin and search for the string.

Where do you see the pharma text? A post, or a page? I'd first individually disable each plugin to see if the div goes away. Next would be to check if the theme has been changed in any way. If that does not work then switch your theme to a standard one like 2016 or 2017 and see if the pharma text disappears. Usually it is the plugins or the theme that has a vulnerability.

If you can see an errant div it must come from somewhere. I usually use something like Firebug to find the css class. The div "bromptons-9f20" and the script "bromptons92f()" must be somewhere in your code, some file. Dig until you find it.

1Lit

9:13 am on Nov 25, 2017 (gmt 0)

10+ Year Member

Thank you for the help NickMNS and ToronotoBoy. It's massively appreciated.

I will do what you both suggest.