All Spammed Up & Frustrated (23 posts)

  1. mackhardcore
    Member
    Posted 3 weeks ago #

    This may be a common thing, or it may be something else.... but at the end of my posts on my website, somehow - someway some person or thing is "editing" my posts and writing ads for "the blue pill" and other pills, and quite frankly I have tried everything to stop them.

    1. I am using the new 2.5.

    2. I am upgraded.

    3. I have changed my password to superstrong (have to like cut and paste the thing it's so strong)

    4. I have shut down "anyone can register" and would even suggest a "no one can post but me button, but can't find it..."

    In other words, anyone else with this problem and anyone got it resolved or figured out? They can't be getting my password, I have changed it a few times and each day more "the blue pill" ads....

    Viva' Frus-tra-ted,
    Mack

  2. whooami
    Member
    Posted 3 weeks ago #

    It's not supposed to be common, but it's getting there..

    If it's a recurring thing, I highly recommend putting some logging in place.

    http://www.village-idiot.org/post-logger/

    the more people using it, the better chance of actually getting to the root cause.

  3. mackhardcore
    Member
    Posted 3 weeks ago #

    Thank you Whooami! I appreciate the logging plug-in. Is there a collective group that is reviewing the log files in order to find the root cause? If so, I want to join! :)

  4. mechx1
    Member
    Posted 3 weeks ago #

    You may have been hacked. It might be that some software has been installed on your server that is adding ads to the posts automatically. If the ad is never the same, they have to be coming from somewhere. You should look at some of the other threads such as this iframe hack and others.
    Try looking in your database with phpmyadmin to see if there is a user in there you don't recognize, and doesn't show up in your admin panel. Also, if you have a clean copy of your last upgrade, do a file compare, see if any have changed or if there are any new ones. In particular, check wp-content and your plugins.

  5. mackhardcore
    Member
    Posted 3 weeks ago #

    I just upgraded to 2.5 yesterday, and I just read about the i-Frames injection as well on the post link you gave me. I am going to go exploring and see what I can find.....

  6. mackhardcore
    Member
    Posted 3 weeks ago #

    I just found this in the source code of one of my hacked posts:

    http://streetblast.com/hackercode.htm

    What does it mean?

  7. whooami
    Member
    Posted 3 weeks ago #

    is there a collective group that is reviewing the log files in order to find the root cause ..

    No, however if you keep an eye on what happens daily in that file, an attempted or successful exploit is going to hit you in the face.

    There is one exception to the logging.. it doesn't handle xmlrpc requests (I don't think) -- I haven't actually tested it to be sure.

    IF you are exploited again, and there is nothing in that logfile, then the second place to look is your own web server logs. If they didn't use a $_POST then they used a $_GET, and gets show up in Apache logs, obviously.

    If there's nothing suspicious in either of the 2, assuming my plugin doesn't capture xmlrpc requests .. then there's the culprit file. (Process of elimination) In which case you can turn on logging inside xmlrpc.php. Or even do that beforehand.

    I should also mention that I think people need to pay very careful attention to the IPs they see accessing anything behind wp-admin/ obviously. I'm hoping that the people using that are questioning anything that doesn't look like something that isn't run-of-the-mill spam comments, or their own work.
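
Added example (not from the thread or the post-logger plugin linked above): the web-server-log review whooami describes, in Python. It parses Apache combined-format lines, keeps only requests to wp-admin/, xmlrpc.php and wp-login.php, and tallies them per source IP and method; the log lines are constructed, and the address range it watches is the one mackhardcore quotes later in the thread (post 20).

```python
"""Pull requests to WordPress admin entry points out of Apache access logs.
Constructed sample log lines; the watched range is the one quoted later in this thread (post 20)."""
import ipaddress
import re
from collections import Counter

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Entry points a PHP-side logger may miss but the web server always records.
ADMIN_PATHS = ("/wp-admin/", "/xmlrpc.php", "/wp-login.php")

# 64.40.96.0 - 64.40.127.255 (post 20) written as a CIDR block.
WATCH_NET = ipaddress.ip_network("64.40.96.0/19")

SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2008:03:12:07 +0000] "GET /2008/04/hello-world/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
64.40.100.12 - - [15/Apr/2008:03:12:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Python-urllib/2.5"
64.40.100.12 - - [15/Apr/2008:03:12:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Python-urllib/2.5"
198.51.100.4 - - [15/Apr/2008:08:01:40 +0000] "GET /wp-admin/post.php?action=edit&post=12 HTTP/1.1" 200 9871 "http://blog.example/wp-admin/" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def admin_requests(lines, watch_net=WATCH_NET):
    """Keep only requests that touch an admin entry point; each record gains a
    'watched' flag and the Counter tallies (ip, method) so one address hammering
    POST /xmlrpc.php stands out."""
    hits, counts = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ADMIN_PATHS):
            continue
        rec["watched"] = ipaddress.ip_address(rec["ip"]) in watch_net
        hits.append(rec)
        counts[(rec["ip"], rec["method"])] += 1
    return hits, counts


if __name__ == "__main__":
    for rec in admin_requests(SAMPLE_LOG)[0]:
        print("WATCHED" if rec["watched"] else "       ", rec["ip"], rec["method"], rec["path"])
```

Feed it the real access log one line at a time; a bare GET to an admin path from an unfamiliar address is exactly the kind of entry whooami says a PHP-side POST logger would miss.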

  8. Otto42
    Moderator
    Posted 3 weeks ago #

    From a quick glance at it, xmlrpc.php includes wp-config, so plugins do get loaded and the init action is executed. So it should log those too.

  9. whooami
    Member
    Posted 3 weeks ago #

    cool. I just tested one other thing that I had forgotten about initially and that's $_POST requests to plugins.. apparently they're lost. At least the plugin I tested. That's a shortcoming that might be hard to overcome.

  10. Otto42
    Moderator
    Posted 3 weeks ago #

    That's because you're depending on init. You could simply save the post data immediately instead of being a function hooked to an action. Then you'll capture that stuff, if your plugin happens to load before the other plugin.

    Or stick the code into the "my-hacks.php" file in the WordPress root folder, then enable the "legacy my hacks" option in the settings. The my-hacks.php file always loads right before plugins do.

  11. whooami
    Member
    Posted 3 weeks ago #

    hmm.. so you're saying, I don't need the hook? That can't be right because I don't use the plugin-ized version of this. I've hardcoded mine into wp-config.php and it won't capture the plugins.

    I must not understand. Though I might try the legacy hacks thing just to see.

  12. Otto42
    Moderator
    Posted 3 weeks ago #

    You don't need the hook, correct.

    Your hardcoded one in wp-config happens after wp-settings is included, yes? The plugins are loaded by wp-settings. If you move your stuff before that, you'll capture it.

  13. mackhardcore
    Member
    Posted 3 weeks ago #

    Thank you, did anyone look at the HTML code to see if it made any sense on where it was coming from? There are a lot of "forums" mentioned, and I don't understand why.

    Thanks in advance for everyone's help on this, I truly appreciate it! :)

  14. whooami
    Member
    Posted 3 weeks ago #

    hmm, yeah I see that. Trying it though, even at the beginning of wp-settings.php doesn't seem to work. hmmm.

    That did give me another idea, though.

  15. mackhardcore
    Member
    Posted 3 weeks ago #

    I just noticed that someone deleted my link to the text page with the code the hacker person or thing left on my blog to "edit my posts" with ads about the "little blue pill" - this has not stopped.

    Did anyone see the code before it was removed (sorry if I violated something, I could not post it on here for some reason) - and did anyone have any suggestions on what it all meant?

    Thanks for your help in advance.

  16. jeremyclark13
    Moderator
    Posted 3 weeks ago #

    [Posts released from Akismet]

  17. whooami
    Member
    Posted 3 weeks ago #

    I didnt see it, what was it??? I wanna see it, whatever it was.

    edit: oh that up there ^^ who knows.

  18. Otto42
    Moderator
    Posted 3 weeks ago #

    mackhardcore: The actual code they post on the page is pretty much irrelevant. That's just the payload, their spam. What you need to work out is how they're doing it.

    If they're putting it into posts, then it's quite likely that when your site was hacked, a hidden user account was created to let them do it. Look in the database using phpMyAdmin and examine the contents of the users table.

  19. mackhardcore
    Member
    Posted 3 weeks ago #

    I am doing that now. I do have a question though, I also use a plug-in called "audit trail" and I am very surprised that it does not show the user name of the person by the post edits. It does show the posts that are edited, etc - and their IP, but it does not show the user name.

    Anyway I printed a list of users from my phpMyAdmin, and I am going to compare. It will take some time.

    I would also like to thank you Otto, and Whooami for your continued help and advice - it means the world to me! :)

  20. mackhardcore
    Member
    Posted 3 weeks ago #

    Ok, this is where I curl up into the fetal position and start to cry. Tonight, over 30 of my posts have "hidden" injection spam for every pill on the planet, and I have done the following:

    1. Printed off a list of all my users, and compared them to WP - nothing stood out, everyone matched up, no outsiders.

    2. The log file plugin gave me some errors, so that didn't work - although it's mainly because I am probably doing something majorly wrong.

    3. Most of my spam comes from particular (seemingly static) IP addresses.... namely this one:

    OrgName: NetNation Communications Inc
    OrgID: NNC
    Address: Bentall Tower 5, Suite 200
    Address: 550 Burrard Street
    City: Vancouver
    StateProv: BC
    PostalCode: V6C-2B5
    Country: CA

    64.40.96.0 - 64.40.127.255

    I have combed my template, and upgraded to 2.5.1, prayed to every God on the planet, sprinkled salt, holy water, and it's like some magic Gremlin is getting in....

    The ads are changing, mainly just lines of text with pill names that are links - BUT - they are hidden, you can't see them in the post, it's in the HTML, and in the post when I view it from the Admin side.

    So, I see in Audit Trail that the post has been modified (or in my case 30 posts have been modified) - I click the link, I see my post, and down below is a bunch of hyperlinks that would make any pill popper happy.

    So then I go to the HTML viewer, delete the code, resave and it's gone - until they re-inject it.

    The hyperlinks are NOT visible on my blog to the public, which is weird to me. I think they have hacked in to shove keywords into my blog, that would - if I had enabled - "sway" my google ads or something - I mean, I have no idea why?

    Ok, so I am at a loss. I have no idea what is going on, but I would like to remedy this - and I need help.

    Anyone have a miracle?
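
Added example, not from the thread: a way to find the hidden hyperlinks mackhardcore describes in stored post_content without opening 30 posts in the HTML editor. The parser flags every <a href> that sits inside an element hidden by inline style (display:none, visibility:hidden, off-screen positioning) or by a hidden attribute; the sample post is constructed.

```python
"""Flag hyperlinks in a stored post body that a browser would never render.
Constructed sample post; the hidden-container pattern is the one post 20 describes."""
import re
from html.parser import HTMLParser
# Inline styles that take an element, and every link inside it, off the rendered page.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px)?\s*(?:;|$)|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # no closing tag: never pushed


class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []          # one bool per open element: is it hidden?
        self.hidden_depth = 0    # number of enclosing hidden elements
        self.total_links, self.hidden_links = 0, []   # hidden_links: (href, text)
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag not in VOID_TAGS:
            self.stack.append(hidden)
            self.hidden_depth += hidden
        if tag == "a" and a.get("href"):
            self.total_links += 1
            if self.hidden_depth:              # link is inside a hidden element
                self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.hidden_links.append((self._href, "".join(self._text).strip()))
            self._href = None
        if tag not in VOID_TAGS and self.stack:
            self.hidden_depth -= self.stack.pop()


def find_hidden_links(post_html):
    """Return (hidden links, total links) for one post_content value."""
    p = HiddenLinkFinder()
    p.feed(post_html)
    p.close()
    return p.hidden_links, p.total_links

SAMPLE_POST = ('<p>My article, with <a href="https://example.org/">one honest link</a>.<br></p>'
               '<div style="display:none"><a href="http://spam.example/a">buy pills</a> '
               '<a href="http://spam.example/b">cheap pills</a></div>'
               '<span style="position:absolute;left:-9999px"><a href="http://spam.example/c">more</a></span>')
```

Run find_hidden_links over every post_content row pulled from phpMyAdmin and any post with a non-empty first result is one to clean and to watch in Audit Trail for the next re-injection.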

  21. mackhardcore
    Member
    Posted 2 weeks ago #

    No miracles?

  22. whooami
    Member
    Posted 2 weeks ago #

    Check your email Jake, I replied.

  23. mackhardcore
    Member
    Posted 2 weeks ago #

    I gotcha! :) Thank you!! :))
