Support » Fixing WordPress » Blog post replaced by spam

  • Resolved morshus

    (@morshus)


    A few minutes ago I discovered that an extra post had been added to my WordPress blog by ‘admin’ yesterday evening, titled “1” with viagra spam as content. But even worse was that the content of my most recent post, which I had posted as ‘admin’, had also been replaced by this spam.

    Has anyone any idea of what is happening here? Have I been hacked, or is someone maybe exploiting the “Post via e-mail” function? (which I have disabled now, just in case)

Viewing 15 replies - 1 through 15 (of 22 total)
  • Jeremy Clark

    (@jeremyclark13)

    Member

    A check of your server logs should show you how it was done. First check your mail server logs for any messages sent to the wordpress account. Then check your web server logs for any suspicious activity.

    Moderator Samuel Wood (Otto)

    (@otto42)

    Also, regardless of what happened, change all the passwords. The WordPress passwords, the passwords on the database, your FTP account passwords, everything.

    Len

    (@lenk)

    Search your blog carefully as I found more. Take a look at the post Merry Christmas from Dec28, 2006 and then look at the source code.

    whooami

    (@whooami)

    Member

    I would love a full list of your plugins (the actual names of the plugins), your plugin directory is browsable but some of them are unidentifiable.

    Someone, somewhere, has to start looking at the commonalities between the recent 2.3.2 attacks. Ive even been tempted to set up a wordpress honeypot.

    If you follow jeremy’s advice, the output of this would also be helpful:

    cat access_log | grep -r 'wp\-*?\?*?=http://'

    and youre really only interested in the last 10 or so lines of output if there happens to be alot.

    morshus

    (@morshus)

    Thanks for the quick replies. Although I am not good at reading these access.logs, it seems like somebody with a russian speaking version of Firefox has been inside my wp-admin area, posting and editing posts.

    213.184.224.30 – – [30/Jan/2008:18:09:06 -0800] “GET /wp-admin/post.php?action=edit&post=19 HTTP/1.1” 200 5390 “http://www.morshus.com/” “Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11”

    Gee thanks LenK – I was actually wondering why that post (19) was mentioned in the access log!

    I have these plugins activated: Akismet 2.1.3, Executable PHP widget 1.0, Extended Comment Options 1.1, FAlbum 0.7.1, Google Sitemaps 2.7.1, , wp-cache 2.1.2

    whooami

    (@whooami)

    Member

    thats a start, if you like I would LOVE a copy of your access logs.. ANYHTHING you have available.

    Ill go through them with a fine tooth comb.

    Feel free to zip them up and send them off to whoo AT whoo.org

    morshus

    (@morshus)

    thanks whooami, the log from that particular day should be in your inbox by now. I unfortunately don’t know how to do that cat access_log thing.

    whooami

    (@whooami)

    Member

    yes I got it thanks.. Ill email you back privately with anything I find, and obviously let anyone else know if theres something that looks specifically “WP suspicious”

    whooami

    (@whooami)

    Member

    fwiw, theres nothing in those logs that point to HOW your password was retrieved, ie, there arent any odd gets or posts, or calls to unusual files.

    I suspect that there might be more info in the previous logs..

    and also, that IP .. its a proxy, not surprisingly.

    morshus

    (@morshus)

    FYI, my admin password was the one I got from the system when I created the blog. Old, but not incredibly easy to figure out.

    I don’t keep the password it gives. It only uses lower-case letters and numbers. Create a new one with something odd, like spaces or punctuation. Make it a complete sentence, or even a mathematical formula.

    whooami

    (@whooami)

    Member

    Otto, so Im looking through 5 days of logs, I see 2 attempts at RFI attacks.. the server returns a 503 on both

    seconds later, theres a hit to /wp-login.php?action=register with no additonal http_gets tacked on, and then a few seconds after that a hit to /wp-login.php?action=lostpassword

    all the same IP, another proxy.

    sure would like to know what the content of the http_post was.

    this person looked around too, browsed the images, spent about 5 minutes on the site.

    Moderator Samuel Wood (Otto)

    (@otto42)

    Forward me the relevant piece of the log, whoo. otto at ottodestruct.

    morshus

    (@morshus)

    By the way, I don’t think it has anything to do with the “Post via e-mail” function. I forgot when writing the initial post here, that my “Post via e-mail” address also forwards to another e-mail address of mine, which has received no e-mails lately. I tried to send a test e-mail right now, and yes it forwarded it as expected.

    whooami

    (@whooami)

    Member

    fwiw, I have started logging ALL $_POST variables sent to my blog (with some obvious filtering of sensitive data).

    IF there is something being sent that way, Im sure to catch it.

Viewing 15 replies - 1 through 15 (of 22 total)
  • The topic ‘Blog post replaced by spam’ is closed to new replies.