Support » Fixing WordPress » blogroll spam on WordPress 2.3

  • I am fighting a new form of spam on my blog. Just when I think I’ve got things pretty tightly locked the spammers find a new way. I’m getting spam in my blogroll.

    See for yourself (http://erik.weibust.net). I promise I’m not trying to sell male enhancement drugs from my site. It’s taken me 12 hours to be able to joke about this, as I was quite pissed when I saw the intrusion.

    Anyhow, I’d love some help on resolving the issue and was thinking this would be a good place to start looking.

    Some background on the problem. I was running WP 2.1 until last night. The first thing that clued me into the problem was I got an email about a new user on my blog on Friday. That freaked me out as I’m the only user, and I didn’t add a new user. So I login to the dashboard and immediately removed the user. I spent some time digging around my dashboard and didn’t see anything “fishy” so I thought I might be ok.

    Then on Saturday I noticed there was a whole bunch of spam links added to my blogroll. I immediately logged in to the dashboard and removed the links. Then I checked the users tab, expecting to see a new user, there wasn’t one. I’m at a loss as to how the links got added without a login to my blog. To be safe I changed my WP admin password.

    Sunday the spam was back. I didn’t know what else to do, so I upgraded to WP 2.3 hoping that would help. No dice. Now I have a very generic blog, with a crapload of blogroll spam.

    Please help. I’m guessing the next step is to change the passwords for my db user and my ssh user. I can’t change the password right now, I’m at work and can’t get through my work proxy to the servers. I’m making the password change as soon as I get home.

    I’ve checked the sidebar and it looks clean. I program, but not in php, so I’m not 100% sure the sidebar is good. That said, I’m fine with deleting my sidebar and downloading/installing a new one, as I’m now running a completely stripped down template.

    What else should I do/check?

    Thanks…

Viewing 15 replies - 1 through 15 (of 43 total)
  • whooami

    (@whooami)

    Member

    Are you absolutely confident that those links were added AFTER your upgrade?

    I ask because there was an issue with an earlier version, but that should have been taken care of with 2.3.x

    If it were me, at the VERY least, i would email security@wordpress.org and include any information you can.. server logs, etc..

    whoami, thanks for the quick respone.

    I am absolutely, 100%, sure the links were added after the upgrade. As a matter of fact. I just now deleted the links. I bet within the next couple hours the blogroll spam links will be back.

    I want to make sure I’m clear on what’s happened.

    1. I *was* using WP 2.1
    2. Somebody added a new user to my blog
    3. I deleted the user
    4. Somebody added blogroll spam to my blog
    5. I deleted the blogroll spam
    6. Somebody added the blogroll spam, again
    7. I upgraded my blog to WP 2.3
    8. After the upgrade the blogroll spam was still present so I removed
    9. The blogroll spam was added again.

    I hope that helps clear up the timeline.

    I’m about to change my db and ssh password, so maybe that will help, otherwise, I’m expecting to see the blogroll spam.

    whooami

    (@whooami)

    Member

    well do keep us advised, I, for one, am very curious. and send off that e-mail as well.

    Here is my update…

    I changed my db and ssh passwords and I’m still getting the blogroll spam. I’ve emailed the security@wordpress.org address.

    I’m kind of at a loss of what to do next. I would love any and all suggestions. I’m not about to shut my blog down after 4+ years of postings, but I REFUSE to let it be hacked like this.

    Is it possible to pull out my posts and comments and start over knowing I haven’t been hacked? I have no problem with exporting my entrites/content and then deleting every file/db on my host and starting fresh.

    Erik

    Rename wp-admin/link.php to something else. That should stop it for now.

    Somebody else reported this on trac yesterday, it appears to be a legit exploit that is in the wild. Although I’m uncertain how they added a new user if you don’t allow registrations.

    http://trac.wordpress.org/ticket/4627

    I’m running WP 2.1.2 and have encountered the same problems since this past weekend. I’ll try the same solution tonight when I get home.

    My links page is here:
    http://ceffyl.net/wordpress/links/

    Details of what happened here: http://wordpress.org/support/topic/139049?replies=4#post-633352

    Otto42, thanks for the tip. I will try that as soon as I get home tonight (my company proxy blocks me from ssh’ing into my box).

    One other thing. My host, Dreamhost, said that there couldn’t be anything wrong on the mysql box, but they specifically said to NOT USE the plugins SimpleTags and Subscribe to Comments, so I have disabled those.

    So as of right now, the only change I’ve made is disabling all 3rd party plugins. Tonight I will rename my link.php file.

    Thanks… Erik Weibust

    I’m not using Subscribe To Comments, but I am using the Subscribe2 plugin. I’ll try disabling that.

    Note that that will, of course, break your own ability to add entries to the blogroll as well. But then that’s sort of the point, it’s just a temporary workaround until a patch is created.

    http://trac.wordpress.org/changeset/6256

    this fix has been posted recently

    Great feedback here. Thanks!

    I have two questions.

    1. How does one add a bug fix to an install? (sorry for not googling this before asking question)
    2. Do I still need to rename my links.php if I install this bug fix?

    1. You download the new, fixed, file and put it in place. There should be a link somewhere to download the new link.php file in “Original Format”.

    2. No, that would defeat the point.

    whooami

    (@whooami)

    Member

    Guys, a big fat THANK YOU, to everyone, for all the help. I’ve applied the new link.php to my site and things appear to be resolved.

    If I have any other problems I’ll let you know.

    Thanks…
    Erik Weibust

    GASP 🙂

Viewing 15 replies - 1 through 15 (of 43 total)
  • The topic ‘blogroll spam on WordPress 2.3’ is closed to new replies.