Welcome to WebmasterWorld Guest from 54.80.189.255

Forum Moderators: rogerd & travelin cat

Erroneneous spam text appearing when view webpage but not in WordPress

Text is advertising dodgy pharmaceuticals website. Doesn't exist in code

     
9:36 pm on Nov 24, 2017 (gmt 0)

Preferred Member from GB 

10+ Year Member

joined:Feb 22, 2002
posts: 447
votes: 0


We have a bizarre issue with the homepage of our WordPress website. In one paragraph it has jumbled up letters in the display.

A couple of lines in the second paragraph are showing superimposed on top of one another.

When we highlighted the text to copy and paste, see below, it seems to be all there but not visually. The spammy wording highlighted in bold (see below) is scary!

I’ve checked the website copy and code and the text advertising GetStrattera, which is hyperlinked to the GetStrattera website (which is a dodgy pharmaceuticals website), doesn’t appear anywhere in WordPress or via Control Panel searches.

Indeed, the logs show that the text on the homepage hasn’t been changed for three years.

There has been no hacks into WordPress. Nobody has logged in except me.

The spammy text advertising GetStrattera only appears on selected computers. Can you see it on yours?

How can we fix this issue please?

Extract from website:

“Welcome to ...
When you are faced with a legal issue we are within easy reach and have the necessary expertise and experience to help you resolve it promptly and cost-effectively by listening to you and understanding your concerns and queries.
I have been using this for three years and GetStrattera helps me. I paid more attention to school. I did not have any side effects, but all drugs can have different consequences for other people.
... is a commercial and business law practice with expertise in property, litigation, landlord and tenant, wills and probate and other fields. We are based in Kensington with a broad client base in the United Kingdom and internationally.”

[edited by: travelin_cat at 11:17 pm (utc) on Nov 24, 2017]
[edit reason] Removed specifics per TOS [/edit]

9:43 pm on Nov 24, 2017 (gmt 0)

Preferred Member from GB 

10+ Year Member

joined:Feb 22, 2002
posts: 447
votes: 0


I wasn't able to highlight the erroneous text above. It is the middle of the text about the legal firm. It is:

"I have been using this for three years and GetStrattera helps me. I paid more attention to school. I did not have any side effects, but all drugs can have different consequences for other people."

As I was saying, this text is nowhere to be found in the copy or code of the website.
10:22 pm on Nov 24, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14715
votes: 614


First the bad news: A moderator will shortly come along and edit your posts, because you're not allowed to name your own site. You also probably don't want the spam site's name to be deducible, since that's exactly the advertising they are looking for.

Checking internal logs was an excellent first move. I'm assuming you can tell the difference between really-you and someone-pretending-to-be-you. You should also check the site's htaccess file and confirm that it hasn't been changed recently. (I tend to think you will not find anything wrong, but check anyway.) In a sense you've got the mirror opposite of the more common problem where someone else's site is showing your content.

The spammy text advertising {spammy product} only appears on selected computers.
Well, that's a clue. Which selected computers? (Not mine.) What do they have in common? In particular, do they all use the same ISP, or belong to the same local network?
10:46 pm on Nov 24, 2017 (gmt 0)

Preferred Member from GB 

10+ Year Member

joined:Feb 22, 2002
posts: 447
votes: 0


The Wordpress installation has, indeed, been compromised!

If I disable CSS the dodgy text shows for me, in several DIV elements with specific ID's (eg id="bromptons-9f2o" ) which appear to be injected by probably a rogue or compromised script.

The infiltration only appears when CSS is turned off. See image here [i.imgur.com] of the code which shows the text added via the hack.

Problem is I have no idea how to fix it as so many files, scripts etc. that could be causing it?

All the plugins and Wordpress are already up-to-date. Have had various security plugins such as Securi and Wordfence installed for years.
10:50 pm on Nov 24, 2017 (gmt 0)

Preferred Member from GB 

10+ Year Member

joined:Feb 22, 2002
posts: 447
votes: 0


Thank you lucy24. Very much appreciate your feedback and input.

Obviously I'm not looking to advertise the website having suffered the hack - or the spammer's website! Might help if the spammer's website appears in the SERPs for the hacking issue so other people can resolve the issue if they're also suffering it.

But I totally respect WW's community guidelines. I can't edit my post above, but any moderator is welcome to edit or remove anything if they should wish.

Many thanks.
11:07 pm on Nov 24, 2017 (gmt 0)

Full Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts: 330
votes: 23


Immediately change all your WP admin passwords, as well as your host provider cPanel, FTP, etc passwords.

Your WP can be hacked by hacking your passwords. Tools such as WPScan, available on Github, can do a login attack on your login ID against a standard password file. Once they have an admin ID they have free run of the house.

Just because your plugins are current does not mean they are not a vulnerability. Most WP sites are hacked through plugins.

I could not reach your site. If you can find the errant div, then you might be able to find out where the div was inserted, such as a new CSS file, or a new include?
12:09 am on Nov 25, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:11512
votes: 700


Appears you're resolved your "hacked" issues. The site displays normally... however, you have bigger issues. Putting an Ad at the very top followed by a huge animated file is terrible SEO. Your site took over a minute to fully load.

It may load fast for you since your browser has cached those files, but for the new visitor, you likely are giving them a poor experience and many may just leave.

Since Google is in the process of updating to the Mobile-First Index [webmasterworld.com] where speed is a ranking factor, you should consider moving your Adsense down the page and replacing the animated graphic with something that loads a lot faster.
1:02 am on Nov 25, 2017 (gmt 0)

Preferred Member from GB 

10+ Year Member

joined:Feb 22, 2002
posts: 447
votes: 0


Keyplyr - thanks a million for your input. It is greatly appreciated. I understand you are referring to the website in my profile. I am totally in alignment with you re: that site. It's an old site - using flash, not responsive - and so I'm planning to build an entirely new site when I can some time away from working on clients' websites! Thank you. The actual issue is with another site. But I am not allowed to refer to it at all on WW, so you won't be able to check. I can still see the issue of the spam text appearing (as per the screenshot here [i.imgur.com]) in my browser when I turn off the CSS.

TorontoBoy: we’ve now done everything we can. For instance, we have deleted and restored all the files and the database to versions from several months ago, but the spam text is still there!

You stated: "If you can find the errant div, then you might be able to find out where the div was inserted, such as a new CSS file, or a new include?". How can I find out how the errant DIV is entered into the code please? It's not in the style.css or other .css files.

Any ideas what we can do please?
2:16 am on Nov 25, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:1864
votes: 470


The screen shot shows a script that is calling a JS function named bromptons9f2(). So elsewhere on the page there should be reference to another JS script where this function is defined. Likely places to find it would be in the <head> or near the <body> or before the </body> tags but it could be any where really. The script is most likely an external script. This is most likely finding its way on the page by a server side injection. So you would need to search for it using dev-tools (right click and select "inspect element" or ctrl-shift c in Chrome). If you just check the page source it will not there.
3:07 am on Nov 25, 2017 (gmt 0)

Full Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts: 330
votes: 23


I may be hallucinating, but this sounds like the old Wordpress Pharmacy hack of years ago, just a little different. I had to go into myPHPAdmin and search for the string.

Where do you see the pharma text? A post, or a page? I'd first individually disable each plugin to see if the div goes away. Next would be to check if the theme has been changed in any way. If that does not work then switch your theme to a standard one like 2016 or 2017 and see if the pharma text disappears. Usually it is the plugins or the theme that has a vulnerability.

If you can see an errant div it must come from somewhere. I usually use something like Firebug to find the css class. The div "bromptons-9f20" and the script "bromptons92f()" must be somewhere in your code, some file. Dig until you find it.
9:13 am on Nov 25, 2017 (gmt 0)

Preferred Member from GB 

10+ Year Member

joined:Feb 22, 2002
posts: 447
votes: 0


Thank you for the help NickMNS and ToronotoBoy. It's massively appreciated.

I will do what you both suggest.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members