techniclog

Technical logs..

WordPress Spam Injection


I have another WordPress blog which I have hosted on a separate server. It got hit by a WordPress spam injection. Thanks go to the numerous posts on the web (like this, this and this) that helped me a great deal in figuring out how to resolve it.

After the attack, if I did a ‘view source’ on any webpage I could see a huge set of unwanted links embedded at the bottom of the page (starting and ending with the comments <!--linksdfs--> and <!--linksbaj-->). The website's audience cannot see these links, but Google (and other) bots obviously see them, and it brings down the site rating and ranking 😦 (apart from affecting the automated ads on the site).

It seems the version of WordPress that I was using (2.7.x) had a security loophole. (I never cared to update the version since I had made some changes in WordPress core files as well which I did not want to change all over again)

I think it all started when a new user with the username “awofbn” and email address “lokopomz@melice123.com” became a registered user of my blog. I also found two malicious files named “wp-ufyy.php” and “wp-psld.php” in /public_html. These files had strange functions like eval(gzinflate(base64_decode(….))) etc. Also, the spam links were found in /public_html/index.php. To get past the error, I did the following:

  1. Deleted wp-ufyy.php and wp-psld.php from /public_html
  2. Deleted the blog user “awofbn”.
  3. Removed the extraneous spam links from /public_html/index.php.
  4. Backed up my database and entire blog and upgraded to 3.0.4 (as explained pretty neatly here)
  5. Made all the manual changes to the core files and plugins again (luckily I had added comments with all the modifications with a common prefix – so could search them quickly from the backup)

I also used SpamCheckr. It’s a great tool to check if your website is affected with spam/malware.

Google WebMaster Tools also shows a lot of strange keywords which don't belong to my site. I have submitted a reconsideration request to Google explaining the situation to them and the corrective measures that I have taken.

Update 1: I used this plugin, referred here. It turned out that there were still a bunch of malicious files left in the folder /wp-includes/js/tinymce/themes/advanced/skins/default/img/ with malicious code in them. I have deleted all the files here which were _not_ images (most of them looked suspicious based on their content and timestamps).

Update 2: Also found a couple of strange users registered on the site (apart from the one mentioned above) and deleted them (searched for their email addresses on Google and found forums where other people have confirmed that they were spammers' email addresses). I have now put captchas on the registration page to prevent spammer bots from registering automatically.

Update 3: I am getting a pro at it now! Learnt about this plugin from here. Have installed it – it’s a great tool for securing your WP site.
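The three signs described in this post (the eval(gzinflate(base64_decode(….))) chain, the link block between comment markers, and non-image files in an img folder) can be searched for across a whole document root. The Python script below is an added example, not part of the original post. The `links\w+` marker pattern, the extension lists, the file name cache.php and all sample file contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Obfuscation chain the post found in wp-ufyy.php and wp-psld.php.
OBFUSCATED_EVAL = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)
# Comment-marker pair around the hidden links (assumption: names start with "links").
LINK_BLOCK = re.compile(rb"<!--links\w+-->.*?<!--links\w+-->", re.DOTALL)
IMAGE_EXT = {".gif", ".png", ".jpg", ".jpeg"}   # assumed image types
SCRIPT_EXT = {".php", ".html", ".htm", ".js"}   # assumed file types worth reading

def scan(root):
    """Return sorted (relative_path, reason) findings under a WordPress root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        # Update 1 in the post: files that are not images inside an img/ folder.
        if path.parent.name == "img" and ext not in IMAGE_EXT:
            findings.append((rel, "non-image file in img directory"))
        if ext not in SCRIPT_EXT:
            continue
        data = path.read_bytes()
        if OBFUSCATED_EVAL.search(data):
            findings.append((rel, "eval(gzinflate(base64_decode( chain"))
        if LINK_BLOCK.search(data):
            findings.append((rel, "hidden link block between comment markers"))
    return sorted(findings)

def demo():
    """Build a small constructed tree (not real site data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        img = root / "wp-includes/js/tinymce/themes/advanced/skins/default/img"
        img.mkdir(parents=True)
        (img / "icons.gif").write_bytes(b"GIF89a")
        (img / "cache.php").write_bytes(b"<?php /* constructed */ ?>")
        (root / "wp-ufyy.php").write_bytes(b"<?php eval(gzinflate(base64_decode('CONSTRUCTED'))); ?>")
        (root / "index.php").write_bytes(b"<!--linksdfs--><a href='#'>x</a><!--linksbaj-->")
        (root / "wp-login.php").write_bytes(b"<?php echo 'clean'; ?>")
        return scan(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

Each finding is a lead for manual review rather than proof of compromise; a legitimate plugin can trip the same patterns.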


Written by techniclog

January 28, 2011 at 11:36 am

Posted in Tech

3 Responses


  1. We got hacked, we have fixed it, but it happened again.

    Any suggestions for us?
    Thanks

    frank

    March 29, 2012 at 1:08 am

  2. Your information helps us, thanks

    reni

    April 24, 2012 at 5:06 pm

