WordPress.org

Ready to get started?Download WordPress

Forums

Spam content and links got inserted into my blog posts (7 posts)

  1. LonelyPlanet
    Member
    Posted 3 years ago #

    I had built a couple of websites at a reseller account with a webhost using wordpress version 3.0.1 last year in september and then left them. I updated one of the websites to wordpress 3.1 too a few days ago with all plugins also updated. But today when I checked the websites I saw that there was spam inserted into the blog posts. I have been clearing the second website and removed the spam manually but you can see the spam in the second website at:

    http://supercute.org

    As you can see the hacker has inserted the links directly into the posts and when I edited the post from my admin backend then I saw there was no post revisions since September which would mean that the hacker did not insert those links from wordpress admin backend but must have done through some other way. These are not some of my biggest websites but I am very worried about the spam now as this was directly inserted into the posts even without editing the posts. Does anybody have idea as to how the spam content link and content was inserted into the post and how can I stop it from happening again. I tried using the wordpress antivirus, wp security and bulletproof security in the first website but the scans did not reveal any virus too. Both the websites were on the same reseller account at the same host and it has only happened in that webhost. Both the websites were also using themes from the same wordpress premium theme provider but his themes should not be a problem as he is one of the biggest theme providers online.

    The common plugins used in both the websites are:

    Google XML Sitemaps, Remote Images Grabber, SEO Friendly Images and SI CAPTCHA Anti-Spam.

    I am not sure how and where this spam came from and got inserted inside the post contents. Please help and it would be highly appreciated.

  2. esmi
    Forum Moderator
    Posted 3 years ago #

  3. LonelyPlanet
    Member
    Posted 3 years ago #

    Thanks esmi. I have already rolled back the websites from a previous backup and I have also secured the website as best as possible. But I am still wondering how the hacker inserted those spam into the post content when all files were with secure chmod permissions. My database passwords are also very tough and I generate it using the random generator always and so anybody assuming the SQL database password is also highly unlikely. Thanks anyways for your help and I will soon upgrade as well as secure and harden all wordpress websites irrespective of the hosting.

  4. Daniel Cid
    Member
    Posted 3 years ago #

    Check your permissions. If you are on a shared server, double check them :)

    As far as the links inserted, were those the ones (from basicpills)?

    http://blog.sucuri.net/2011/03/link-injection-basicpills-com-and-blackhat-seo-spam.html

    Btw, where do you host it?

    thanks,

  5. LonelyPlanet
    Member
    Posted 3 years ago #

    All permissions were 644 for files and 755 for folders. There were no problem regarding that. The websites that were affected were at a reseller account at ScalaHosting.com

    I had four wordpress websites. Out of those two were normal websites with a few pages content and both of them were hacked and spam inserted into the posts as mentioned above. The third site only had a single page and it did not have the spam. The fourth site was using a very different theme where posts could not be used through normal add posts but the posts had to added from special sections in the dashboard created by the theme. That blog also had a single post and nothing else and that was not affected too. So, maybe the attackers could attack only normal posts and nor special posts and could not also attack pages. But they were single posts in both case and so maybe the attacker thought that it is useless to hack the content for just a single post. Not sure about that.

    Regarding the links they were from several pharmacy related websites and had two links each inserted into every post. Those were different links like antibiotics, pills, cialis etc. but not only basicpills. They were mixed links from what I remember. I already removed them and deleted and recovered the websites from old backups. But they were pharmacy links for sure but not sure only basicpills. I am now worried about starting any other blog in that hosting as I do not want to create a website just to get hacked. I still feel that must have related to the webhost as all the websites were on the same reseller account on the same webhost.

    BTW I went to your site sucuri.net blog when searching in google for the problem. Very informative blog for sure.

  6. Daniel Cid
    Member
    Posted 3 years ago #

    Btw, posted some a clean up script to go through all posts and remove the spam links:

    http://blog.sucuri.net/2011/03/solution-for-the-link-injection-spam-from-basicpills.html
    http://tools.sucuri.net/malware/helpers/spam-postremoval.txt

    Just rename to PHP, upload to your site and execute it from your browser.

    thanks,

  7. LonelyPlanet
    Member
    Posted 3 years ago #

    Thanks a lot dd@sucuri.net

    I have already rolled back all the affected sites to previous backups and secured and hardened them.

    But I just checked your list and I remember that the anibiotics-shop link was there for sure. Just thought of informing you as you asked me previously what were the links. I surely remember that link but not sure about basicpills though it might have been also one of the links. One more was cialis or something. Thanks for the script anyways. Hopefully it will help others and will help me too in case I face the problem again.

Topic Closed

This topic has been closed to new replies.

About this Topic