• My blog has been hijacked so that it presents drug text to googlebot. It replaces my post titles and inserts drug names in the text. Some are linked to various innocent-looking sites, which I’m guessing are clients of some malicious SEO firm. Is there a name for this kind of attack?

    I upgraded WP from 3.0.2 to 3.0.5. Everything looks clean, but the problem persists, as seen by setting useragent to googlebot. Research I’ve done has only turned up rather explicit php/js injections which I’ve been unable to find on my site, so maybe this is something newer and eviler.

    I guess I’ll have to start fresh from backed up content, but I would like to figure out what’s going on. Anybody seen anything like this? Here’s what the content looks like to googlebot:

    Buy Viagra No Prescription
    December 5th, 2010

    I can be found walking Stella along the trails of Duke Forest Buy Viagra no prescription, almost every week-end. Last week-end Bonnie joined us with her camera for the occasion of Stella’s second birthday, buy no prescription Viagra online. Viagra over the counter,

    site is http://www.forthgo.com/blog/ if anyone wants to try it with useragent set to googlebot.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Well as far as I can tell there’s no nasty JS files lurking in the page, but there’s definitely been a compromise of your site’s security.

    Start here.
    http://codex.wordpress.org/FAQ_My_site_was_hacked

    NOTE: It’s no good upgrading after getting hacked, at that point it’s too late already, upgrades do not fix hacked installations.

    Thread Starter daggerbox

    (@daggerbox)

    Thanks for looking. I was thinking the upgrade would at least give me fresh clean copies of all the PHP/JS files. That does seem to be the case, based on a folder compare with a fresh download. The only differences were:

    • plugins, now disabled
    • themes, now deleted except for 2010
    • .htaccess, deleted then restored after post urls broke
    • uploaded images files (I know code can be hidden here, but surely a real code file is needed to access it).
    • wp-config.php, only 1 secret key instead of 7 but calling same wp-settings.php
    • 16 misc files, mostly in tinymce and swfupload, now deleted

    Still compromised. Could it be something in my host’s apache setup that got hacked? (Though my non-blog pages aren’t compromised.)

    I don’t see anything strange in the database, but code can’t be initiated from there, can it?

    Thread Starter daggerbox

    (@daggerbox)

    A fresh copy of WP removed the infection. I still don’t know what the problem was since I haven’t identified any difference between the old and new files.

    Thread Starter daggerbox

    (@daggerbox)

    It was the WordPress Pharma hack.

    Thread Starter daggerbox

    (@daggerbox)

    This infection came back this week, even after updating to WP 3.1. I followed all the clean-up steps including the step for setting up a Google Alert which notified me.

    Looking at the logs, I see some suspicious posts.

    "POST /blog/xmlrpc.php HTTP/1.0" 200 483 "-" "The Incutio XML-RPC PHP Library -- WordPress/3.0.4"

    "POST /blog/wp-login.php HTTP/1.1" 200 3437 "http://www.forthgo.com/blog/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"

    "POST /blog/wp-content/themes/classic/functions.php HTTP/1.1" 404 4451 "-" "-"

    "POST /blog/wp-content/plugins/syntaxhighlighter/wp-syntaxhighlighter.php HTTP/1.1" 200 189 "-" "-"

    I assume the login attempts failed since they weren’t followed by access to admin pages like my logins are. The classic/functions post failed because I removed that theme. I did have syntaxhighlighter installed, so maybe that was the entry path.

    Question: is it possible for me to log the POST data so I can see just what is going on with those suspicious posts in the future?
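The log triage described in the post above can be automated. This is an added example, not part of the original thread: a Python sketch that scans Apache combined-format access logs for POST requests sent directly to PHP files under wp-content/plugins or wp-content/themes, and separates requests that executed (200) from probes for files that are gone (404). The function name `triage`, the severity labels, and the client addresses and timestamps in the sample are assumptions; a hit is a lead to investigate, since some plugins do accept direct POSTs.

```python
import re

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# PHP files under wp-content are normally included by WordPress, not requested directly.
DIRECT_PHP_RE = re.compile(r'/wp-content/(?:plugins|themes)/[^?]*\.php(?:\?|$)', re.I)


def triage(lines):
    """Return (severity, host, path, reasons) for each suspicious POST."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        if not DIRECT_PHP_RE.search(m["path"]):
            continue
        reasons = ["direct POST to plugin/theme PHP file"]
        if m["referer"] in ("", "-"):
            reasons.append("no referrer")
        if m["agent"] in ("", "-"):
            reasons.append("no user agent")
        # 200: the file exists and ran. 404: a probe for a file that is no longer there.
        severity = "high" if m["status"] == "200" else "probe"
        findings.append((severity, m["host"], m["path"], reasons))
    return findings


# Constructed sample: requests, status codes, sizes, referrers and agents are the ones
# quoted in the post; client addresses (RFC 5737 range) and timestamps are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2000:00:00:00 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 200 483 "-" "The Incutio XML-RPC PHP Library -- WordPress/3.0.4"
192.0.2.11 - - [01/Jan/2000:00:00:01 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3437 "http://www.forthgo.com/blog/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
192.0.2.12 - - [01/Jan/2000:00:00:02 +0000] "POST /blog/wp-content/themes/classic/functions.php HTTP/1.1" 404 4451 "-" "-"
192.0.2.12 - - [01/Jan/2000:00:00:03 +0000] "POST /blog/wp-content/plugins/syntaxhighlighter/wp-syntaxhighlighter.php HTTP/1.1" 200 189 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for severity, host, path, reasons in triage(SAMPLE_LOG):
        print(f"[{severity}] {host} {path}: {', '.join(reasons)}")
```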

    We are speaking here about the problem: http://wordpress.org/support/topic/website-hacked-3/page/2?replies=51#post-2006163. Please participate with us.

  • The topic ‘Viagra spam injected for googlebot’ is closed to new replies.