WordPress.org Forums

SEO meta data hijacked / hacked by spam (25 posts)

  1. alexalready
    Member
    Posted 1 year ago #

    Recently noticed that some of my blog's meta-data (category titles and post meta title / description) seems to have been hijacked or hacked by spam.

    example screenshot: http://i.imgur.com/I5vEx.png
    example google results: http://www.google.com/search?q=braised+and+confused

    The links still seem to go to the correct pages, but the meta title and text seem to have somehow changed to spam for viagra etc.

    Anyone have an idea how I can track this down and fix it?

    Do I have to do a full reinstall? =(

    I haven't backed up the database in maybe 3 months.

    Thanks in advance for any ideas or help!

  2. Matt
    Member
    Posted 1 year ago #

    I'm having this same problem with one of my sites right now as well. I'm investigating the plugins I have installed to see if one of those have been compromised. Do you have a list of plugins you're using? I'd like to compare and try and narrow it down.

  3. Spam hacked. See http://sitecheck.sucuri.net/results/braisedandconfused.com

    Work your way through these resources and follow all instructions to completely clean your site or you may be hacked again. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex. Change all passwords. Scan your own PC.

    Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting

    If you can't do the work yourself, consider looking for a reputable person to fix it correctly on jobs.wordpress.net or freelancing sites such as Elance. (It's not a good idea to respond to unsolicited emails from forums users offering to work for you.)

  4. alexalready
    Member
    Posted 1 year ago #

    Hey Matt,

    Sure. Here is a list of my plugins - let me know what you find.

    Active plugins:

    Akismet
    Flickr Gallery
    Google Analytics Tracking Code Embeder
    Lightbox Gallery
    Post Thumbnail Editor
    SEO Facebook Comments
    Social Slider by ARScode
    Twitter Facebook Social Share
    WordPress SEO

    Inactive plugins:

    AJAX Thumbnail Rebuild
    All in One SEO Pack
    blibahblubah
    Facebook Comments for WordPress
    fbLikeButton
    Hello Dolly
    Lightbox 3
    Open external links in a new window
    Picasa Album Uploader
    Random Redirect 2
    Taxonomy Dropdown Widget
    Twitter for WordPress
    WP Photo Album
    WP Picasa LightBox

  5. Matt
    Member
    Posted 1 year ago #

    Hey Alex,

    Looks like the only one we really have in common is Akismet. I was using Platinum SEO Pack, but I disabled it with the idea of upgrading to WordPress SEO by Yoast soon (started changing all my sites to that this past spring).

    I came across this article about the Pharma Hack and it seems to be something I had, having found one of the database mods. I'm still looking for the file mods:
    http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php

    Also plan on adding some of these as well (in addition to what songdogtech recommended above): http://www.wptavern.com/top-5-wordpress-security-tips-you-most-likely-dont-follow

    If you figure out a solution, let me know. I'll do the same. Thanks!

  6. alexalready
    Member
    Posted 1 year ago #

    Hey Matt,

    I really like the way the pearsonified tutorial is written - easy to understand. However I think it may be outdated as I was not able to find any of the naming conventions he mentioned in my plugins folder, nor was I able to find the values he mentioned in my database.

    One thing I don't understand is: if the file mods can have any naming convention and I simply have to look for ANY php file that looks "innocent" and suspicious - doesn't this search become next to impossible? And how can I verify once I open a suspicious php file that it is indeed a hack? The examples he posted don't even have the base64 or eval calls.

    looks like it's going to be a long process =(

    thanks for posting - let me know if you find anything new

  7. Matt
    Member
    Posted 1 year ago #

    Hey Alex,

    All good questions I don't know the answer to. :) I haven't found any suspicious looking files yet either, but since I did find one of those database entries, it gave me a little hope that I was on the right path. But yes, the article could be dated since it was from 2010, I think.

    I haven't gotten back to that site yet (other sites to work on too), but if I find anymore I'll happily share.

    Thanks!

  8. alexalready
    Member
    Posted 1 year ago #

    Update:

    I found out on another forum that my hosting provider (dreamhost) is able to support fixing the pharma hack

    I emailed them last night and they have run an automatic scan of all my files.

    They also quarantined the files that were clearly hacked - giving me the final say to delete them.

    Looks like they found and removed most of it and have listed off all possible entry points and which files I need to remove myself!

    So the lesson is: check with your hosting provider; they may save you a lot of time and trouble!

  9. Matt
    Member
    Posted 1 year ago #

    Hey,

    I'm jealous! lol That was easy for you. Unfortunately, I'm kind of on my own. We use Media Temple, which is more self-managed and I've been through this a couple times with them already and they offer some suggestions but don't really offer to give me the full scan and assistance treatment.

    Do let me know if there are any files from your Dreamhost list that need to be removed in maybe Akismet or another plugin that could give me some ideas as to where I might find mine.

    Thanks!
    Matt

  10. AndyB3ll
    Member
    Posted 1 year ago #

    Your host may have helped and you are no longer promoting
    but your site is not healed.
    https://www.google.com/search?q=braised+and+confused
    Google shows it as compromised

    I have been back and forth with this pharma hack particularly viagra for several months. I thought it was settled, but not really.

    Here is what I found:
    1. sucuri is not that helpful as it shows your site as clean. Perhaps the title is clean but your site is still hacked.

    2. the hack modifies the
    wp-includes/general-template.php
    to insert encrypted code

    3. also links to a file .xml in the root folder (so this is also an ftp(?) hack)

    4. and populates
    wp-includes/js/jcrop/index.html
    wp-includes/js/jcrop/paybepuezwdhtgq.php

    5. key clue is the 3 wp-includes files all have file date times of Oct 12, 2012 5:42 PM

    6. when not hacked the wp-includes/general-template.php file is ~76 kb when hacked is ~177kb

    7. deleting the code from inside or restoring the general-template.php would only last a short time; I found about 5 minutes. Once I deleted the .xml file it no longer could insert the two helper files - but the website is 'broken', only the homepage works. Restoring the general-template.php fixes it.

    8. I went into the cPanel interface and marked the general-template.php file as read only.

    9. http://www.botsimulator.com/
    Is very helpful in seeing what the bots see.

    And our hack is not the same as the one alexalready is suffering as his posts are compromised. WOW!

    - - -
    This is a major ding on WordPress IMHO.
    I have used wordfences and better WP Security

    wordfences is nice in that you can see the live IP addresses hitting your site and block them

    I have literally spent days on this - and while not a web programmer (I have done quite a bit of Visual Basic and VBA.) So I am not a noob, but this hack is crafty work.

    Our site had reasonable security from the start and now has had both plug-ins and my efforts at full tilt for the last 3 days and at best I feel I have only held it at detente.

    The hack is in a WP core file! Can't blame it on updates - always updated.

    Another day or two and we will probably migrate to another platform. For the time wasted on this, could have been spent much more productively.

    Yes - I did all the tips mentioned above including the .htaccess
    NONE of that helped. All the security advice on the web is outdated for the current round of attacks.
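    AndyB3ll's list above amounts to a core-file integrity check: a core file whose size and timestamp changed, plus two files under wp-includes/js/jcrop/ that a stock install never contains. The script below is an added example (not code from this thread or from WordPress) that automates that comparison against an unpacked copy of the same WordPress release, obtained from the same place the installer came from. Everything in build_demo() is a constructed fixture, and the obfuscation markers it greps for are my assumption about what injected PHP tends to contain. WordPress.org also publishes per-release checksums, and `wp core verify-checksums` performs the same comparison from those.

```python
"""
Core-file integrity check for a WordPress tree (added example, not from the thread).

Assumes a pristine copy of the same WordPress version is unpacked next to the
live tree. Every file under wp-includes/ and wp-admin/ in the live tree is
compared with the pristine copy: changed files, extra files, missing files
and files containing obfuscation markers are reported.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Markers that commonly appear in injected PHP; a hit is a lead, not proof.
OBFUSCATION_RE = re.compile(rb"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path, subdirs=("wp-includes", "wp-admin")) -> dict:
    """Map relative path -> sha256 for every file under the given core directories."""
    out = {}
    for sub in subdirs:
        base = root / sub
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file():
                out[str(p.relative_to(root))] = sha256_of(p)
    return out


def compare_trees(live: Path, pristine: Path) -> dict:
    """Classify every core file in the live tree relative to the pristine reference."""
    live_m, ref_m = manifest(live), manifest(pristine)
    report = {"modified": [], "extra": [], "missing": [], "suspicious": []}
    for rel, digest in live_m.items():
        if rel not in ref_m:
            report["extra"].append(rel)          # never part of this release
        elif ref_m[rel] != digest:
            report["modified"].append(rel)       # content differs from the reference
        if OBFUSCATION_RE.search((live / rel).read_bytes()):
            report["suspicious"].append(rel)     # worth opening regardless of hash result
    report["missing"] = list(set(ref_m) - set(live_m))
    for key in report:
        report[key].sort()
    return report


def build_demo() -> tuple:
    """Constructed fixture: a pristine copy and a live copy showing the changes AndyB3ll describes."""
    tmp = Path(tempfile.mkdtemp())
    pristine, live = tmp / "pristine", tmp / "live"
    clean_template = b"<?php\n/** General template tags (constructed stand-in) */\nfunction get_header() {}\n"
    for root in (pristine, live):
        (root / "wp-includes" / "js" / "jcrop").mkdir(parents=True)
        (root / "wp-includes" / "general-template.php").write_bytes(clean_template)
        (root / "wp-includes" / "js" / "jcrop" / "jquery.Jcrop.min.js").write_bytes(b"/* jcrop */")
    # Live tree: the core file grows by an obfuscated blob, and two files appear that no release ships.
    (live / "wp-includes" / "general-template.php").write_bytes(
        clean_template + b"\n/* constructed */ eval(base64_decode('Y29uc3RydWN0ZWQ='));\n")
    (live / "wp-includes" / "js" / "jcrop" / "index.html").write_bytes(b"<html></html>")
    (live / "wp-includes" / "js" / "jcrop" / "paybepuezwdhtgq.php").write_bytes(
        b"<?php /* constructed */ eval(base64_decode('Y29uc3RydWN0ZWQ='));")
    return live, pristine


if __name__ == "__main__":
    live_dir, pristine_dir = build_demo()
    for kind, paths in compare_trees(live_dir, pristine_dir).items():
        print(f"{kind:10s} {paths}")
```

    The "extra" list is the one that explains the five-minute reinfection described in point 7: if a restored core file is rewritten again, something still on the server is doing the writing, and an unexpected file inside a core directory is the first place to look. wp-content (themes, plugins, uploads) has no pristine reference to diff against, so there the marker scan is all this approach offers and each hit has to be read by hand.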

  11. @AndyB3ll; responding to an 11 month-old thread is not very helpful.

    Just because that site referenced above is still hacked means the owner hasn't done anything with it, not that WP has an ongoing vulnerability.

    What is the URL of your site? Who is your web host? What server OS?

    This is a major ding on WordPress IMHO.

    You don't understand the difference between a hack of WP due to a WP vulnerability and a hack of WP due to server vulnerabilities.

    The hack is in a WP core file! Can't blame it on updates - always updated.

    Very doubtful.

    Another day or two and we will probably migrate to another platform. For the time wasted on this, could have been spent much more productively.

    You're blaming the messenger, not the message.

    All the security advice on the web is outdated for the current round of attacks.

    Where exactly have you been looking and what have you been reading?

  12. alexalready
    Member
    Posted 1 year ago #

    Within the last 11 months I fixed the first hack and now I've been hacked again. Every post on my site has meta-data linking to viagra sites and I've been notified by google webmaster tools about it.

    I've paid for Sucuri and they were not able to fix the issue. I have a dozen different blog posts with ideas on how to fix it and none of them reproduce the same hack that I have.

    I'm currently trying to delete as much from my server as possible and do a fresh WordPress install to connect to my database.

    From what i understand, this might not even solve the problem because the vulnerability could be in the database itself.

    This has been a totally demoralizing experience.

  13. esmi
    Forum Moderator
    Posted 1 year ago #

  14. @alexalready said:

    this might not even solve the problem because the vulnerability could be in the database itself.

    Yes, that's what all of our "fix it the right way" links say; you need to check the database. Simply deleting posts or using band aids like replacing files will not completely remove the hack.

    You're on Dreamhost; you need to talk to them, too.

  15. alexalready
    Member
    Posted 1 year ago #

    @Songdogtech

    Thanks for your help.
    I'm working with Dreamhost on it; they helped me identify some files I should remove.

    I found a couple of posts around asking me to search the db for specific files I should delete but my database didn't have any of those. Can you confirm what resource I should consult about cleaning the database?

    thanks!

  16. Read http://ottopress.com/2009/hacked-wordpress-backdoors/ Search for the spam words and base64 code.

  17. esmi
    Forum Moderator
    Posted 1 year ago #

    Did you read the resources listed above?

  18. Ipstenu-DH
    DreamHost Rep
    Posted 1 year ago #

    Just as a point of explanation, the DreamHost scan is only scanning your files.

    http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php is probably the best 'How to de-pharma' site I know of, and it's not easy :/

  19. AndyB3ll
    Member
    Posted 1 year ago #

    The hack is in a WP core file! Can't blame it on updates - always updated.

    Very doubtful.

    - This is a nice way to call me a liar - I posted to be helpful and with much detail.
    To fill in some detail: we (myself and another person) started to build the website http://www.alabamahabitat.org in October and posted it live on February 19th; during that time we worked on the site several times a week. (Prior to that I have 2 other WordPress-based sites, http://www.alabamarestore.com and http://www.alabamahabitat.org/greenteam; both have been live for some time and not hacked.) So while not on the site every day, we were on one of them frequently enough to see updates and push them through; it is, after all, a 5-10 second process. In that time there have been 3.5, 3.5.1 and 3.5.2, not many. And there are at most 3-5 plug-ins on any of the sites (and several of them, but not all, are the same).

    The other sites have allowed users to register and comment. The hacked site has never allowed users to register and comment, and there have only been just 3 persons ever to log in and post and only 4 accounts total.

    - - -
    All the security advice on the web is outdated for the current round of attacks.

    Where exactly have you been looking and what have you been reading?

    Every single link on this page and many others - from searching the db for key terms (never found) to files in plug in folders (never there). The other points - your stuff is outdated (not) and user error.

    So fine I will take the user error - perhaps there was something. BUT the point is everything listed as "this is it" - are not it. I listed the compromised files - are they in any of the links?

    I gave specific file names - are these names or locations mentioned in any of the referenced articles? No. So my assertion that the web-based advice is out of date is true. Does this mean there is only one kind of hack out there? No.
    Do hacks change and improve over time? Yes. Do you update your 'virus' protection regularly? Yes.

    And yes this is a ding on the WordPress core files. Several security scanners readily identify that the core WP file wp-includes/general-template.php has been altered. If there is no reason for any person or plug-in to alter this file, why is it not a 'protected' file?

    To just push all the issues back to the users is not a winning strategy; Microsoft recently gave up on that and decided - yes, virus and malware protection is something the OS should handle, not be left to a third party.

    So if the most common hacks rely on - standardized wp_ table prefixes? Why is this not randomized (or user selected) for new installations? This should be easy?

    Why leave user #1? Why admin as a default user?
    Why have default WordPress database table prefix?
    Why have wp-content, wp-includes, wp-admin always with the same name?
    Why keep the urls for WordPress dashboard including login and admin as the same default?

    The more of these that are variables chosen at install, the more secure the site is from cut-and-paste hackers, viruses, worms and trojans, especially the older ones.

    Of course you can't make everything a variable - but if plugins like Better WP Security can, why are at least some of these not baked in to WP directly? (Or is this just security theater, to make users feel better, like they have done something, when they haven't?)

    For that matter... in the Famous 5 Minute Install it gives the barest lip service to security and then only "For maximum security, use two different sets of 4-6 random characters. Then the password field has a "Random" button that generates an 8-character password. You may also add more characters to the password for maximum security."

    Which very much gives you the impression that WP is much more secure than it really is. Why not start the installation with a suggestion / information about security? Best practices for a WP install are...

    So while I was attempting to 1 - let another user know their site is compromised and 2 - that it was a different hack than mine and 3 - the clear-your-hack advice referenced and found did not address my particular hack - I was called out as a liar. Nice.

    If someone here wants a copy of our database and wants to look at it for hacked code, for the benefit of our site and the world in general as this appears to be a different attack than those prior. Ask away.

    I mention the urls and log-ins because since I have enabled Wordfence's lock out unknown users on the first attempt; over the last 4 days there have been three attempts from Chinese IPs to log-in or post with unknown usernames including 'admin.' Sounds like a WP issue? Everyone knows where the 'door' to the website is found.

    So I am attempting to post helpful information. Perhaps not always worded the best - it has been a 'learning' experience - and the hope that someone else can resolve this more recent hack with less than 48 hours of digging and frustration.

    And for all the suggestions that I "read the resources listed above" - Let me ask Did you read my post?

    Let me restate #6
    6. when not hacked the wp-includes/general-template.php file is ~76 kb when hacked is ~177kb

    - The contents of the hack is an enormous stack of encrypted code. Perhaps there is more - but the file with the code manually deleted in cPanel and the file "restore" from the WP installation files are the same... so I think that is all the 'bad' code for that file. Does that help?

  20. AndyB3ll
    Member
    Posted 1 year ago #

    Let me extend this conversation about admin user and log-in security.

    First our website went live mid-February and it was mid-April when I noticed our bandwidth quadrupled overnight; that led me to looking at what was different and the discovery of the hack.

    Wordfence has a feature to lock out IPs with invalid usernames. I installed this and as noted above have had 3 attempts in 4 days, one of which was to the now non-existent admin account.

    So I have been ramping up the security on the other non-hacked sites. I also dumped the admin account and installed Wordfence.

    This morning Wordfence shows that alabamarestore.com has had many hundreds if not thousands of attempts to login to the non-existent admin account over the last 48 hours. The other blog is beginning to look the same.

    Here is a picture

    http://www.flickr.com/photos/asbpics/9183875115/sizes/o/

    So probably the alabamahabitat.org site was compromised by a plain old bruteforce attack. I did not set the admin password, but my guess was it was not very strong as it only took less than 2 months to find.

    So again: the popularity of WordPress + the default log-in url + the default user name admin + no automatic lock out after failed log-ins = not so secure.

    A stronger password would have kept the hack at bay as clearly it did for the other 2 sites. So there is some user error, yes; there are some basics not taken care of inside the default WP install in my opinion.

  21. art-by-ajil
    Member
    Posted 1 year ago #

    @AndyB3ll, thanks for mentioning WordFence. I came to support for a totally different reason and got intrigued by this thread. I am currently uploading WordFence as I type this :). I would have thought that WordFence would have been a featured plugin. Not to knock WP, but there almost seems to be more of an interest in whistles and bells. Security like WF offers should be more than just an optional plugin.

  22. Ipstenu-DH
    DreamHost Rep
    Posted 1 year ago #

    Speaking specifically to this hack, it's not a server vulnerability. And if it's the files, deleting them all and reinstalling is what we, at DreamHost, suggest: http://wiki.dreamhost.com/WordPress_Hacks

    Can you confirm what resource I should consult about cleaning the database?

    Cleaning the DB is hard. It just is. It's a pain in the tush to scan it, because of how serialized and encrypted data might be stored :/

    I mentioned http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php because it explains exactly what's going into this and why it's messy.

    http://wordpress.org/plugins/exploit-scanner/ claims to scan the DB, but I've never used it. That said, it's by a guy I trust with my site's health, so I would use it, if you're not totally DB brilliant (I'm not ;) ).
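    The "search for the spam words and base64 code" advice in post 16 and Ipstenu-DH's point that serialized option values make the database hard to scan can both be handled by scanning a mysqldump text file rather than querying tables one at a time: a serialized PHP array is still just a string in the dump, so a base64 blob hidden inside a wp_options row is found by the same regex as one in a post. The script below is an added example, not code from this thread, from the exploit-scanner plugin or from DreamHost. It reads INSERT statements, extracts every quoted string value, and reports spam keywords in the clear and base64 runs that decode (through up to four nested layers) to PHP or to spam text. SAMPLE_DUMP, the payload stand-in and the spam word list are constructed for illustration.

```python
"""
Database-dump scanner for pharma-style injections (added example, not the thread's code).

Works on a plain mysqldump text file. For every single-quoted string in an
INSERT statement it reports (a) spam keywords in cleartext and (b) long
base64 runs that decode, possibly through several layers, to PHP or to spam.
"""
import base64
import re

# Constructed word list; extend it with whatever the search-engine snippets showed.
SPAM_WORDS = ("viagra", "cialis", "levitra", "pharmacy")
# Long base64 runs only; short ones are usually legitimate.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
PHP_RE = re.compile(rb"<\?php|eval\s*\(|base64_decode")
# mysqldump quotes string values with single quotes and escapes embedded ones with a backslash.
SQL_STRING_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")
INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`?")


def decode_layers(blob: str, max_depth: int = 4) -> bytes:
    """Peel nested base64 until the result stops looking like base64 (or the depth limit)."""
    data = blob.encode()
    for _ in range(max_depth):
        try:
            decoded = base64.b64decode(data, validate=True)
        except ValueError:          # binascii.Error is a ValueError: not valid base64, stop here
            break
        data = decoded
        if not B64_RE.fullmatch(data.decode("ascii", "ignore").strip()):
            break
    return data


def classify_value(value: str) -> list:
    """Return labels describing why a string value looks injected (empty list if it does not)."""
    findings = []
    low = value.lower()
    for word in SPAM_WORDS:
        if word in low:
            findings.append(f"cleartext:{word}")
    for m in B64_RE.finditer(value):
        decoded = decode_layers(m.group(0))
        if PHP_RE.search(decoded):
            findings.append("base64:php")
        elif any(word.encode() in decoded.lower() for word in SPAM_WORDS):
            findings.append("base64:spam")
    return findings


def scan_dump(dump: str) -> list:
    """Return (line_no, table, finding) for every suspicious string in INSERT statements."""
    hits = []
    for line_no, line in enumerate(dump.splitlines(), 1):
        m = INSERT_RE.match(line)
        if not m:
            continue
        for value in SQL_STRING_RE.findall(line):
            for finding in classify_value(value):
                hits.append((line_no, m.group(1), finding))
    return hits


# Constructed dump: a clean post, a hijacked SEO title in postmeta, and a widget option
# whose serialized value carries a doubly base64-wrapped PHP stand-in.
PAYLOAD = base64.b64encode(b"<?php /* constructed payload stand-in */ echo 'x';").decode()
DOUBLE = base64.b64encode(PAYLOAD.encode()).decode()
SAMPLE_DUMP = f"""
INSERT INTO `wp_posts` VALUES (1,'Braised short ribs','post');
INSERT INTO `wp_postmeta` VALUES (7,1,'_yoast_wpseo_title','Buy cheap VIAGRA online - braised and confused');
INSERT INTO `wp_options` VALUES (99,'widget_text','a:1:{{i:2;a:1:{{s:4:"code";s:{len(DOUBLE)}:"{DOUBLE}";}}}}','yes');
INSERT INTO `wp_options` VALUES (100,'siteurl','http://example.invalid','yes');
"""

if __name__ == "__main__":
    for line_no, table, finding in scan_dump(SAMPLE_DUMP):
        print(f"line {line_no} {table}: {finding}")
```

    A cleartext hit in wp_postmeta is the kind of thing alexalready's hijacked titles would produce; the base64 hit inside a serialized widget value is the case Ipstenu-DH calls hard, and it is why a plain SQL LIKE search for spam words misses it. Removing a row found this way is only half the job: whatever wrote it is in a file, so the file side has to be cleaned in the same pass or the row comes back.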

  23. alexalready
    Member
    Posted 1 year ago #

    What I ended up doing:

    1) uploaded fresh WP install via FTP to new.domain.com
    2) downloaded the images from wp-content/uploads to a local hard drive
    3) re-uploaded all the images to the /uploads folder on new.domain.com
    4) configured the new wp-config.php in new.domain.com to connect to the same database as the current site
    5) renamed domain.com folder to old.domain.com
    6) renamed new.domain.com folder to domain.com
    7) installed fresh theme files and fresh plugins
    8) installed better WP security and followed as many recommendations as possible http://bit51.com/software/better-wp-security/

    So far this SEEMS to have resolved the hack. However, if the back door is in the Database - we may get hit again.

    Since I've done this I'm getting 10 - 15 emails a DAY from Better WP Security saying that many different IPs are being banned because they are trying to login multiple times - so I guess we are still under "attack". The emails look like this:

    A host, 24.114.255.3(you can check the host at http://ip-adress.com/ip_tracer/24.114.255.3) has been locked out of the WordPress site at http://braisedandconfused.com until Tuesday, July 2nd, 2013 at 1:33:29 pm UTC due to too many attempts to open a file that does not exist. You may login to the site to manually release the lock if necessary.

    They keep using different IP addresses so the ban doesn't seem to solve the issue. Not sure what else I should be doing to prevent this from happening again. I changed all of our passwords to very secure codes and followed Better WP Security recommendations.
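    The lockout notices alexalready is receiving are the raw material for judging whether per-IP bans are doing anything. The script below is an added example, not part of the thread or of the Better WP Security plugin; it parses notices in the sentence format quoted above (the regex is my assumption about that format, derived from the one message shown), then groups them by /24 network and by lockout reason. Only the first sample notice is taken from the post; the other addresses and the "too many bad login attempts" wording are constructed.

```python
"""
Summarise lockout notices from a login-protection plugin (added example, not from the thread).

Assumes each notice reads "A host, <ip>(...) has been locked out of the WordPress
site at <url> until <date> due to <reason>. You may ...", as in the message
alexalready pasted. Grouping by /24 and by reason shows whether banning the
source address is having any effect on a distributed brute-force run.
"""
import ipaddress
import re
from collections import Counter

NOTICE_RE = re.compile(
    r"A host, (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\(.*?\) has been locked out of the WordPress site at "
    r"(?P<site>\S+) until (?P<until>.+?) due to (?P<reason>.+?)\. You may",
    re.S,
)


def parse_notices(text: str) -> list:
    """Extract ip, site, until and reason from every notice in a mailbox export or log."""
    return [m.groupdict() for m in NOTICE_RE.finditer(text)]


def summarise(notices: list) -> dict:
    ips = [n["ip"] for n in notices]
    nets = [str(ipaddress.ip_network(ip + "/24", strict=False)) for ip in ips]
    return {
        "events": len(notices),
        "distinct_ips": len(set(ips)),
        # events - distinct_ips: how many lockouts hit an address already seen before
        "repeat_offenders": len(notices) - len(set(ips)),
        "by_network": Counter(nets).most_common(),
        "by_reason": Counter(n["reason"] for n in notices).most_common(),
    }


# Constructed sample: the first notice is the one from the thread, the rest are invented
# (documentation address ranges), with two sources sharing a /24.
SAMPLE = """
A host, 24.114.255.3(you can check the host at http://ip-adress.com/ip_tracer/24.114.255.3) has been locked out of the WordPress site at http://braisedandconfused.com until Tuesday, July 2nd, 2013 at 1:33:29 pm UTC due to too many attempts to open a file that does not exist. You may login to the site to manually release the lock if necessary.
A host, 198.51.100.7(you can check the host at http://ip-adress.com/ip_tracer/198.51.100.7) has been locked out of the WordPress site at http://braisedandconfused.com until Tuesday, July 2nd, 2013 at 2:10:41 pm UTC due to too many bad login attempts. You may login to the site to manually release the lock if necessary.
A host, 198.51.100.9(you can check the host at http://ip-adress.com/ip_tracer/198.51.100.9) has been locked out of the WordPress site at http://braisedandconfused.com until Tuesday, July 2nd, 2013 at 3:02:05 pm UTC due to too many bad login attempts. You may login to the site to manually release the lock if necessary.
A host, 203.0.113.45(you can check the host at http://ip-adress.com/ip_tracer/203.0.113.45) has been locked out of the WordPress site at http://braisedandconfused.com until Tuesday, July 2nd, 2013 at 4:45:12 pm UTC due to too many bad login attempts. You may login to the site to manually release the lock if necessary.
"""

if __name__ == "__main__":
    summary = summarise(parse_notices(SAMPLE))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

    When distinct_ips is close to events, each address is used once and banning it buys nothing; that is the situation described in the post. The levers that do not depend on the source address are the ones that matter then: a non-guessable administrator username and long random passwords (the conclusion AndyB3ll reaches in post 20), and rate-limiting or access control on the login URL at the web server rather than per-IP bans inside WordPress.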

  24. alexalready
    Member
    Posted 1 year ago #

    I tried the exploit scanner plugin but it doesn't seem to work for me

  25. Ipstenu-DH
    DreamHost Rep
    Posted 1 year ago #

    Yes, what you did is, bar none, the most effective way to clean out this hack.

Topic Closed

This topic has been closed to new replies.