Bizarre referrer spam links (13 posts)

  1. droolcup
    Member
    Posted 3 months ago #

    I have been getting weird WordPress referrer spam the last 4 days, but there are no injections or anything of the like on my site.

    I'm using WordPress as a simple CMS.

    I'm using the StatPress plugin to check out who is coming to the site. This morning, I noticed an abnormally large number of visitors over the last few days.

    People seem to be visiting pages like mysite.com/?myfjkfosljfsfjd (NB: not a string I've seen, just an example). When clicked, it will go to my homepage. Checking the source, there is nothing out of the ordinary (no spam links, etc). If you Google that end string by itself, you get one result, to my site, with a summary that lists a whole bunch of viagra-type words.

    Any idea what is going on, and how I can stop this?

    I was running 2.8.2, upgraded to 2.8.3 this morning.

  2. esmi
    Member
    Posted 3 months ago #

    there are no injections or anything of the like on my site

    How do you know?

  3. droolcup
    Member
    Posted 3 months ago #

    I've looked at the html being generated, the templates, and the database. I see nothing out of the ordinary.

    Here is a Google search of one of the strings: http://tinyurl.com/nxajg9

  4. veganist
    Member
    Posted 3 weeks ago #

    Hi, I had this same problem. Somebody modified my index.php file and inserted a part of encoded JavaScript plus a lot of links to another compromised WordPress install, containing offers to buy audio editing software mostly.
    First I deleted the links, but 3 days later there were new ones.
    I finally found that somebody had gained access to the WordPress installation as administrator... although my subscription options were "everybody can register", "as subscriber". So I deactivated that option for now.

    As I use a versioning system for the template files, I will try to check if there was something else modified.

    Another solution, by the way, may be to put an .htaccess file in the wp-admin/ directory.

  5. bottleneck
    Member
    Posted 3 weeks ago #

    Another solution, by the way, may be to put an .htaccess file in the wp-admin/ directory.

    Just in case:

    http://wordpress.org/support/topic/325347#post-1260699

  6. songdogtech
    Member
    Posted 3 weeks ago #

  7. veganist
    Member
    Posted 3 weeks ago #

    OK, update: apparently nothing else in the templates had been modified.

    For reference, the JavaScript part of the injection was:


  8. veganist
    Member
    Posted 3 weeks ago #

    Thank you songdogtech & bottleneck :)

  9. veganist
    Member
    Posted 3 weeks ago #

    Didn't have the time yet to clean up the installation, but even with a .htaccess on wp-admin and having deleted the user that had gained administrator access... the spam referrers just came back :(

  10. veganist
    Member
    Posted 3 weeks ago #

    I do now believe this is done via XML-RPC publishing, another option that is checked, but which was not checked by me.

  11. veganist
    Member
    Posted 3 weeks ago #

    Found some files in wp-content/uploads/, "wp-pass.php" and "topper.php", containing eval(base64... instructions. Also wp-includes/index.php has been modified.
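    As an added example (not code from this thread or from WordPress), a small POSIX shell script that checks an install for the three indicators veganist reports: PHP files under wp-content/uploads/, eval() fed by a decoder such as base64_decode, and core files that differ from a clean copy of the same WordPress version. The paths, the reference directory and the sample files it builds are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Usage on a real server (assumed layout):
#   php_in_uploads /var/www/html; eval_decoders /var/www/html
#   core_drift /var/www/html /tmp/wordpress-clean   (clean unpack, same version)

# PHP files under uploads/: that directory should hold media only.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# PHP files whose eval() is fed by a decoder (the "eval(base64..." shape
# veganist saw in wp-pass.php and topper.php).
eval_decoders() {
  find "$1" -type f -name '*.php' -exec grep -lE \
    'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
    {} + 2>/dev/null | sort
}

# Core files under wp-includes/ and wp-admin/ that differ from the clean
# reference copy (this is how a modified wp-includes/index.php shows up).
core_drift() {
  root="$1"; ref="$2"
  for d in wp-includes wp-admin; do
    ( cd "$ref" && find "$d" -type f 2>/dev/null ) | while read -r f; do
      cmp -s "$ref/$f" "$root/$f" || echo "$root/$f"
    done
  done | sort
}

# Constructed sample install (marked as such) so the checks run offline:
# one planted uploads/wp-pass.php, one tampered wp-includes/index.php.
make_sample() {
  t=$(mktemp -d)
  mkdir -p "$t/site/wp-content/uploads/2009/08" "$t/site/wp-includes" "$t/ref/wp-includes"
  echo '<?php echo "clean core file"; ?>' > "$t/ref/wp-includes/index.php"
  printf '%s\n%s\n' '<?php echo "clean core file"; ?>' \
    '<?php eval(base64_decode("...")); ?>' > "$t/site/wp-includes/index.php"
  echo '<?php eval (base64_decode($_POST["p"])); ?>' > "$t/site/wp-content/uploads/wp-pass.php"
  echo 'binary image data (constructed)' > "$t/site/wp-content/uploads/2009/08/photo.jpg"
  echo "$t"
}
```

Files listed by more than one check are the ones to look at first; core_drift only reports files present in the reference, so pair it with php_in_uploads to catch files that were added rather than changed.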

  12. veganist
    Member
    Posted 3 weeks ago #

  13. songdogtech
    Member
    Posted 3 weeks ago #

    Unfortunately, I think the ultimate solution is to take the time to dump and clean your database...
