footer_top.php File – Banner Ad or Hacker File?


This topic contains 8 replies, has 3 voices, and was last updated by  AITpro Admin 6 years, 3 months ago.

  • #1877

    Rick
    Member

    I keep getting a footer_top php page added to my WordPress site, so I added BulletProof Security about a month ago per a recommendation from another WordPress user.  Now today, this mysterious footer_top page appeared again and adds links and advertisements to my website before the header.  Not sure what to do other than keep removing the footer_top page.
    How can I stop someone from adding this mysterious page?
    Thanks,
    Rick

    #1878

    AITpro Admin
    Keymaster

    The footer_top.php file is most likely a hacker file, but it could also be some sort of forced Ad banner bundled with a Theme.  I would need to look at the file to tell you which it is – hacker file or forced Ad banner.  Send the footer_top.php file to info at ait-pro dot com.

    If your site is hacked then removing the end result or obvious hacker malicious files does not mean your website is not still hacked.  A typical website hack consists of uploading hacker files or injecting several website files – a hacker Shell script, hacker helper files – Code Injected files or common functional files modified, hidden backdoor hacker files and the end result or obvious malicious files.

    So there really is not a way to find all hacker files with a scanner.  The only way to know 100% that none of these hacker files exist on your website is to restore the website from a good backup or if you do not have a good backup then you will need to make a complete backup of files and your database and then delete your site and create a new site and import your backed up data and files back to your website.

    See this Forum link for more information

    http://forum.ait-pro.com/forums/topic/website-is-already-hacked-will-bps-pro-automatically-fix-or-remove-the-hackers-files-and-code/

     

    #2725

    Rick
    Member

    Sorry for the delay on this.  I accidentally deleted the file when I removed it and one just showed up again, so I sent it in via info at ait-pro dot com.

    I’m looking at getting the pro version to have as much security as possible on my site.  Would this help?

    Thanks!

    Rick

    #2726

    AITpro Admin
    Keymaster

    Yep, this is a hacker’s file.  It uses a combination of hex, octals and base64 to obfuscate the hacker’s code.

    BPS Pro would quarantine this file, but you need to completely ensure that your website is not hacked before installing BPS Pro.  BPS Pro is like a bank vault door.  If the robbers are already in the bank vault then BPS Pro can only do limited things to prevent the robbery from progressing further.  Please see this Forum link below.

    http://forum.ait-pro.com/forums/topic/website-is-already-hacked-will-bps-pro-automatically-fix-or-remove-the-hackers-files-and-code/

    #2731

    AITpro Admin
    Keymaster

    Actually I decoded the file and it appears to be some kind of Russian link exchange debugging file.  The Russian website that is offering this link buying and exchange service is sape.ru.  You will find 2 files in your WordPress uploads folder and you will see that the /wp_system/ folder is indexed if you enter your domain name below and check out your website.

    http://www.add-your-domain-name-here.com/wp-content/uploads/wp_system/

    If you would like to decode the file yourself to look at the code you can do this by using this code below, which will decode both the hex and base64 code to display the actual php code.

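    <?php
    // Assumption: paste the encoded string that footer_top.php assigns to $ccbGPU here,
    // inside double quotes so PHP resolves the hex/octal escapes. Never include or run the file.
    $ccbGPU = "";
    echo '<pre>';
    // Escape the decoded text so the browser displays the PHP source instead of rendering it.
    echo htmlspecialchars( utf8_decode( base64_decode( $ccbGPU ) ), ENT_QUOTES | ENT_SUBSTITUTE );
    echo '</pre>';
    ?>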
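
Added example (not part of the original thread and not AITpro's code): a Python example that decodes the kind of obfuscation described in post #2731, hex and octal string escapes wrapped around base64, purely as data so the suspect file is never executed. It goes beyond the single case in the post by peeling nested base64 layers; the function names and the sample literal are constructed for illustration.

```python
import base64
import binascii
import re

# PHP double-quoted string escapes: \\ (literal backslash), \xHH, \NNN (octal).
_ESCAPE = re.compile(rb'\\\\|\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
_B64 = re.compile(rb'[A-Za-z0-9+/]+={0,2}')

def unescape_php(literal: bytes) -> bytes:
    """Resolve hex and octal escapes as PHP does inside a "..." string."""
    def repl(m):
        if m.group(1) is not None:
            return bytes([int(m.group(1), 16)])
        if m.group(2) is not None:
            return bytes([int(m.group(2), 8) & 0xFF])  # PHP wraps values above \377
        return b'\\'  # escaped backslash stays a single backslash
    return _ESCAPE.sub(repl, literal)

def peel(literal: bytes, max_layers: int = 10):
    """Return (decoded_bytes, base64_layers_removed). Nothing is executed."""
    data = unescape_php(literal)
    layers = 0
    while layers < max_layers:
        candidate = b''.join(data.split())  # ignore whitespace/line wrapping
        if len(candidate) < 8 or not _B64.fullmatch(candidate):
            break  # no longer looks like base64: treat as the final payload
        try:
            data = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            break
        layers += 1
    return data, layers

def obfuscate_sample(payload: bytes) -> bytes:
    """Build a constructed test literal: two base64 layers, then mixed escapes."""
    b64 = base64.b64encode(base64.b64encode(payload))
    return b''.join(b'\\x%02x' % c if i % 2 else b'\\%03o' % c
                    for i, c in enumerate(b64))

if __name__ == "__main__":
    # Constructed, harmless payload; not taken from the file discussed in the thread.
    sample = obfuscate_sample(b'<?php echo "constructed sample"; ?>')
    decoded, layers = peel(sample)
    print(sample[:40], b'...')
    print(layers, decoded)
```

Feed `peel()` the bytes of the quoted string copied out of the suspect file; the output is the decoded PHP source as text for review.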
    #2734

    AITpro Admin
    Keymaster

    Also Google is recently going after websites that use the SAPE link buying services and apparently penalizing sites that are using it.  😉

    #7293

    Cristian
    Participant

    Hello, my name is Cristian and I’m the Editor at an Android tech site called Android Unite. I came across a file tonight labeled footer_top.php which I had never seen before in my theme files and after a quick search I landed on your site. Would you be so kind as to review the php file and let me know if it is malicious? I would really appreciate it. Thank you.

    #7301

    AITpro Admin
    Keymaster

    Sure, send it to info [at] ait-pro [dot] com and we will tell you if this is a regular theme file or a malicious file.

    #7326

    AITpro Admin
    Keymaster

    I decoded the file and it is the same exact file.  It has to do with the Russian link exchange service explained above – sape.ru
