techniclog

Technical logs..

Archive for January 2011

WordPress Spam Injection


I have another WordPress blog which I have hosted on a separate server. It got hit by WordPress spam injection. Thanks to the numerous posts on the web (like this, this and this) that helped me a great deal in figuring out how to resolve it.

After the attack, if I did a ‘view source’ on any webpage I could see a huge set of unwanted links embedded at the bottom of the page (starting and ending with the comments <!--linksdfs--> and <!--linksbaj-->). The website audience cannot see these links, but Google (and other) bots obviously see them, and it brings down the site rating and ranking :( (apart from affecting the automated ads on the site).

It seems the version of WordPress that I was using (2.7.x) had a security loophole. (I never cared to update the version since I had made some changes in WordPress core files as well which I did not want to change all over again)

I think it all started when a new user with the username “awofbn” and email address “lokopomz@melice123.com” became a registered user of my blog. I also found two malicious files named “wp-ufyy.php” and “wp-psld.php” in /public_html. These files had strange functions like eval(gzinflate(base64_decode(….))) etc. Also, the spam links were found in /public_html/index.php. To get past the error, I did the following:

  1. Deleted wp-ufyy.php and wp-psld.php from /public_html
  2. Deleted the blog user “awofbn”.
  3. Removed the extraneous spam links from /public_html/index.php.
  4. Backed up my database and entire blog and upgraded to 3.0.4 (as explained pretty neatly here)
  5. Made all the manual changes to the core files and plugins again (luckily I had added comments with all the modifications with a common prefix – so could search them quickly from the backup)

I also used SpamCheckr. It’s a great tool to check if your website is affected with spam/malware.

Google WebMaster Tools also shows a lot of strange keywords which don't belong to my site. I have submitted a reconsideration request to Google explaining the situation to them and the corrective measures that I have taken.

Update 1: I used this plugin, referred here. It turned out that there were still a bunch of malicious files left in the folder /wp-includes/js/tinymce/themes/advanced/skins/default/img/ with malicious code in them. I have deleted all the files here which were _not_ images (most of them looked suspicious based on their content and timestamps).

Update 2: I also found a couple of strange users registered on the site (apart from the one mentioned above) and deleted them (I searched for their email addresses on Google and found forums where other people have confirmed that they were spammers’ email addresses). I have now put captchas on the registration page to prevent spammer bots from registering automatically.

Update 3: I am getting a pro at it now! Learnt about this plugin from here. Have installed it – it’s a great tool for securing your WP site.


Written by techniclog

January 28, 2011 at 11:36 am

Posted in Tech
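The three checks from the WordPress Spam Injection post above (the eval(gzinflate(base64_decode( chain, the hidden link-marker comments, and non-image files in an img directory) can be run over a whole document root in one pass. This is an added example, not code from the original post or from any plugin it mentions; the marker pattern assumes the comments use plain "--" delimiters, and the sample file "cache.php" and all file contents are constructed and inert.

```python
import re
from pathlib import Path

# Obfuscation chain the post found in the dropped PHP files.
OBFUSCATED = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)
# Hidden link block delimiters such as <!--linksdfs-->. Assumption: the marker
# is always "links" plus a short lowercase suffix, as in the two seen in the post.
LINK_MARKER = re.compile(rb"<!--\s*links[a-z]{2,8}\s*-->", re.I)
IMAGE_EXT = {".gif", ".png", ".jpg", ".jpeg", ".ico", ".bmp"}
TEXT_EXT = {".php", ".html", ".htm", ".js", ".inc"}


def scan_tree(root):
    """Return sorted (relative_path, reason) findings for a WordPress docroot."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        # Update 1 in the post: anything in an img/ directory that is not an image.
        if path.parent.name == "img" and ext not in IMAGE_EXT:
            findings.append((rel, "non-image file in img directory"))
        if ext in TEXT_EXT or path.parent.name == "img":
            data = path.read_bytes()
            if OBFUSCATED.search(data):
                findings.append((rel, "eval(gzinflate(base64_decode( chain"))
            if LINK_MARKER.search(data):
                findings.append((rel, "hidden spam-link marker comment"))
    return sorted(findings)


def build_sample(root):
    """Constructed sample tree: file names follow the post, contents are inert."""
    root = Path(root)
    img = root / "wp-includes/js/tinymce/themes/advanced/skins/default/img"
    img.mkdir(parents=True)
    (img / "buttons.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (img / "cache.php").write_bytes(b"<?php /* constructed */ ?>")
    (root / "wp-ufyy.php").write_bytes(b"<?php eval(gzinflate(base64_decode('AA=='))); ?>")
    (root / "index.php").write_bytes(b"<?php ?>\n<!--linksdfs--><a href='#'>x</a><!--linksbaj-->")
    (root / "wp-load.php").write_bytes(b"<?php require 'wp-config.php'; ?>")


if __name__ == "__main__":
    import sys
    for rel, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}: {rel}")
```

Run it against a backup copy of the site so findings can be reviewed by content and timestamp before anything is deleted.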

Hi there..


Hi all

Off-and-on in life, we face a lot of interesting technical issues. I have started this blog to write down about the technical issues that I face (probably with their resolutions) so that people who face the same may benefit from the research already done.

Thanks.

Written by techniclog

January 28, 2011 at 10:55 am

Posted in Tech