Support » Fixing WordPress » Bizarre Malicious Hack: All outbound links noindex nofollow

  • Almost by accident I discovered that one of our clients’ WordPress sites had been maliciously hacked.

    The only symptom was that every outbound link (which were created to help support her other site) had been wrapped in a <noindex> tag and the rel="nofollow" attribute had been added to the link itself.

    There were none of the other usual signs of a hack (no malware being distributed, no links inserted to other sites, etc.).

    I was going to start a topic here to request help with diagnosis, but we discovered what was causing the symptoms. Someone had installed & activated a plugin with the name “WPRef.” It listed its plugin site as “code.google.com” and its author as Sergei Brin (thanks for the stupid joke).

    In any case… I’m wondering if anyone has seen this kind of hack job before? I’ve looked endlessly and can’t find a reference to it anywhere. I’ve written up the entire experience in more detail here.

    Logging in via FTP and comparing it to our backups, I can tell that the plugin was installed on February 10th, 2011 (one week after I upgraded the site to 3.0.4).

    We’ve assumed that to activate this plugin, someone would’ve had to have cracked an admin-level user’s password via brute force. We’ve since removed the “admin” account, changed all passwords and are working to harden the site.

    Any input or thoughts are welcome. Otherwise, I hope this helps someone else if you see a similar attack.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    Sucuri.com has a scan tool, and a plugin that can helps scan your files. http://blog.sucuri.net/2011/03/yet-another-wordpress-security-post-part-two.html

    There’s also a plugin called WordPress Security Scan, which I would use to check for files that have been compromised.

    How? Well server security for one. Change the server passwords and reupload, from the wordPress repository, every plugin and the whole WP core code. If you have a hacked file, it can transmit your passwords to the hacker.

    Also check the very very very obvious. Did your user do something stupid like upload a plugin they don’t know what it does? Happens often 🙂

    Thread Starter David G. Johnson

    (@haveanepiphany)

    Thanks, Ipstenu. Unfortunately, I don’t know what that tool could’ve possibly found. It looks like a legitimate plugin.

    We’ve gone through the code and can tell you that (as I mentioned) there were no other symptoms.

    Also, we (my company) control the only user accounts with sufficient privileges to add plugins, so the client is out of the equation. We thought of this, naturally. But as I mentioned, the plugin that was installed cannot be found anyway — neither in the plugin repository here on WordPress.org nor anywhere else on the web. This is part of the evidence linking this to a malicious attack, IMHO.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    If you’re 100% sure you’ve looked at every line on code in every file on your WP install and you can personally account for every piece of it, then it’s a server hack.

    Now that said, it’s a little implausable to think that you actually could do what I just said. I mean, I bet even the core devs aren’t 100% familiar with everything. You’d want to run a DIFF between a known clean install, i.e. fresh off the WP repository, and your site, to say the least. So without knowing HOW you’ve “gone through the code” I cannot, and probably will not, be convinced you did it well enough to be 100% absolutely positive you checked everything. This is nothing personal! I just don’t want you to be hacked again!

    Still. Assuming it IS a server hack, it’s easy to change server passwords (the FTP account), and it’s not time consuming to delete the WordPress files and copy up fresh ones (plugins, themes AND core, really, you want to do this – better safe than sorry!). As for the database… You’ll need to search that for anything ‘weird’ and I cannot be more specific :/ It’s a pain in the ass to look for the unknown.

    Further reading:
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/
    http://ottopress.com/2011/how-to-cope-with-a-hacked-site/

    Thread Starter David G. Johnson

    (@haveanepiphany)

    Thanks, Ipstenu. Hopefully your primer will be useful to those that read this. This most likely isn’t a server hack, but clearly a WP admin account hack.

    Far more important, as far as I’m concerned, is to create awareness about this plugin. I saved the plugin file and wanted to make sure that there’s material out here for others to find in case it turns up elsewhere.

    Thanks again for your input.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    This most likely isn’t a server hack, but clearly a WP admin account hack.

    I would not be willing to put money on that assumption. Just by my own experience, these are more often caused by insecure servers than insecure WP admins. Check your server logs for that date, though, and see if anything shows up hinky. Deleting the default admin account is always good, but there are other things you can do to secure your admin area (lock it down by IP etc etc – see http://codex.wordpress.org/Hardening_WordPress )

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Bizarre Malicious Hack: All outbound links noindex nofollow’ is closed to new replies.