blogroll spam on WordPress 2.3 (44 posts)

  1. Dever
    Posted 8 years ago #

    Hi everyone, I've had the same problem with my blogroll being spammed (just renamed the problem file[s] for now).
    I just noticed that my "upload directory" in Admin > Options > Miscellaneous (that is in wp-admin/options-misc.php) was also changed to this string:

    To respond to westi:
    1.WP 2.2 for the moment.
    2.lots of plugins (too lazy to post them all, sorry)
    3.user registration is not enabled
    4.no new users found at the time I found the problem

  2. TH
    Posted 8 years ago #

    I have the same situation but it has nothing to do with version 2.3.

    I hadn't upgraded since 2.1.3 when I noticed this today. I then upgraded to 2.3.1 and of course it did nothing.

    The odd thing is that the blogroll in the sidebar includes one of my post categories ("Projects") that I have never set to be a link category. Yet the links count on the Blogroll/Categories page is my number of regular posts in that category + the number of spam links that only show up in the sidebar.

    If I delete this unwanted link category, I would think that my posts go as well since they are included in the count and the category in both places have the same ID.

    But who added "Projecs" as a link category? I have no users.

    Temporary solution: All spam I have is in this one category which shouldn't even be in the sidebar. Simply excluding it in the list makes the spam invisible.

  3. Binh
    Posted 8 years ago #

    Have you guys fixed the issue? If not allow me to say some opinions on this.

    The MySQL password is stored in the wp-config.php file, so there maybe some attempt to read this file from another file within the web folder. You may want to check the log that access wp-config.php. That file may even be using a "include" directive to get the settings.

    1. You should disable the POST request from external site to prevent all sort of similar attacks.
    2. Don't upgrade, "format" your website.

    Number 2, I mean: If normal upgrade doesn't work, you should backup the whole website, delete every single .php file on it and unpack the brand new WP v2.3.1 package.

    If you still don't understand what I mean then... imagine when your computer get virus. Most of the time the antivirus software is then disabled and the cleaning it is impossible. Then what you do is format the hard disk and install brand new Windows. This is simply another application of this issue. So ...

    Let me know if you fix it by my suggestion.

    That's it for now. I really need to go to bed ;)

  4. TH
    Posted 8 years ago #

    Hmmm. How do I disable the POST request like you suggest?

    I thought I had it beat but they're back and this time they haven't just added their links, they have DELETED every single link I have in every category!

  5. Vladimir Prelovac
    Posted 8 years ago #

    What is the official status of this issue?

    Today I have been "attacked" in a similar way, user has been registered on my system (I had user registration enabled but not visible on the blog, some one was deliberately targeting wp-register.php). I removed the user maybe 5-10 minutes after they were on the system and removed user registration.

    I am curious if they could have done some damage and what should I look for?

    Using 2.3 version.

  6. TH
    Posted 8 years ago #

    Let me stress that this is NOT a fault in WP 2.3. I had this in 2.1. It's just that most everyone has upgraded and since their upgrades are new and this phenomena is new, they assume that they are connected. They are not.

    My web host now has a post on their pages saying that not only WordPress but also Joomla and other CMS systems have been targeted in the same manner.

    They say that in most cases it is because the file configuration.php has been readable and even in some cases writable by others.

    I have now changed the permissions to make it unwritable, but WP doesn't work at all unless this file is readable to all. It needs to be at least 444. This is as you all know where the database password is openly written, and the database is where the links to the spam has been entered.

    My host's web page goes on to say that we need to change the MySQL password for the database. This I have done, but the new password is just as openly written in the config file as the old one.

    They also say that it is a good idea to upgrade to MySQL 5.x, but I don't know if WP will run smoothly on that? I remember there was sometalk about that a while ago, but I cannot find anything now.

    I'm starting to think that it's a weakness with the very construction of the WP configuration file system, having a password written in plain text like that. Someone has finally figured out how to make use of it and this can be the beginning of many other more serious attacks.

  7. dragonradio
    Posted 8 years ago #

    TH you are absolutely correct! I had this problem in 2.1, and I thought the 2.3.1 would help solve the problem, but it did not. I changed my .htaccess file, moved the password into another file-directory, and even took my links out of the sidebar. The SPAM is still coming in, but at least it is not being posted. However, none of my links can be posted now. I really hope WP can solve this soon.

  8. kimcameron
    Posted 8 years ago #

    I just got link spam after having moved hosts, reinstalling 2.3.1 from scratch.

    I have not yet upgraded to the link.php file mentioned above. Is this recommended?

  9. dragonradio
    Posted 8 years ago #

    i tried that as well with no luck. i suggest trying it yourself.

    Seems that it is being worked on as well:


  10. TH
    Posted 8 years ago #

    Anybody know if WP runs fine on MySQL 5.x? There is apparently a weakness in the 4.x generation which allows for this, something that kimcameron's move of hosts may (or may not) confirm.

  11. dragonradio
    Posted 8 years ago #

    My host is running:

    (3) Subject to our database resource usage policy. We are running MySQL version 5.0.45

    So I think that MySQL is not the issue as my WP is running on it.

  12. TH
    Posted 8 years ago #

    Ok. In any case there are supposedly security benefits from the 5.x generation, but I guess not in this case then.

    I'm reading that 5-scripts are following the same rules for write access as the 4-ones, but that they should not be writable for others (x-bit is not being sent).

    This means nothing to me as I am an idiot in all such matters, but it sounded clever I thought.

  13. dragonradio
    Posted 8 years ago #

    In the meantime, I am using the 'Default' category as a honey-pot and just trying to keep things hidden by not showing that category in my blogroll. There are some cool widgets out there that make that possible. I am using Morgan's Links and it seems to work well.

  14. jinge
    Posted 8 years ago #

    Is there any solution in the upcoming 2.5 ??

Topic Closed

This topic has been closed to new replies.

About this Topic