WordPress.org

Support

Support » How-To and Troubleshooting » [Resolved] is this some new spam attack?

[Resolved] is this some new spam attack?

  • I’ve been looking through the forums, googling my butt off, and can’t find anything that describes what I’m experiencing. And I need help getting rid of it.

    A while back one of my posts got compromised with spam — not in the form of a comment, or the post itself being edited, but rather this: the posts showed up normally on home page, but when you click a post title to go to the individual post (say, to leave a comment) you get a spam page. Not a bunch of spam links inserted into the post/page content, mind you, but a completely different web page hawking cheap drugs. However the URL is still the same URL as normal to view the post. This doesn’t start happening up right away after publishing the post, but some time a little later.

    The first time it happened, I figured it for a one-off deal, and promptly deleted the post and just copied its contents into a new post. But yesterday it happened again, so I thought I’d better take new measures.

    First, I was long overdue for an upgrade anyway (was still using WordPress 2.0) so I installed the automatic upgrade plugin and upgraded to the latest. Then I changed my user password and ssh/ftp password at my web host. Then I posted to the blog saying, in effect, “sorry about the spam thing, but I went ahead and did this and this and hopefully it won’t happen again.”

    This morning I find out it happened again — to that very post:

    http://nothinghappens.net — the home page, post looks normal
    http://nothinghappens.net/?p=316 — holy crap wtf

    Here are some more interesting details I’ve dug up: If you add a trailing / to the URL you get the post again instead of the spam site. Check it out: http://nothinghappens.net/?p=316/ However, before you tell me to check my .htaccess — I don’t have one. Also, I looked at the post’s record in the database via phpMyAdmin and nothing’s been done to it there.

Viewing 15 replies - 1 through 15 (of 35 total)
  • Read these:

    Security Issue, Multiple Sites

    (Scroll down to Ultrasonic’s post — he’ll tell you how to check for a ghost user that may have been added to your database.)

    Has Your WordPress Been Hacked Recently?

    Weird and Dangerous : ro8kfbsmag.txt

    As far as I understand, this kind of attack is the result of running an old version of WordPress. It will also get you delisted from Google.

    And goodness, I think you win the prize for running the oldest version of WP that I’ve seen so far:

    <meta name="generator" content="WordPress 1.2" /> <!-- leave this for stats -->

    That meta tag must be incorrect, I was using WordPress 2.0 until last night when I upgraded to 2.5.1 — as I just said in my original post. If you won’t bother reading it, I can’t imagine your input will be much help, since you’re probably giving me stock info without bothering to look at the specifics of my issue as explained… but I’ll check out those links anyway.

    RosieMBanks, that meta tag was hard-coded into the theme I’m using, I’ve changed it now to use the $wp_version variable.

    For the rest of you, please read carefully before “helping” thanks.

    Well since the attack happened prior to the upgrade, the rogue user info was already in the database. One big fat reason to upgrade. And .. although it’s too late now, I should mention for the benefit of any other readers on a very old (pre 2.0) version of WP, you CAN upgrade to 2.0.11, which is the only other supported, secure version of WP out there. 🙂

    But for you, Chuck, I guess you should dive into those database tables and locate and kill that other user. Provided he/she doesn’t show up on your User panel in the dashboard. Good luck. And beware the Grues. 😉

    I’ve looked at the database in phpmyadmin, there is only the one user (admin) in it, and I changed its password immediately after upgrading to 2.5.1 last night. Also mentioned in my original post. Thanks, though.

    You seem hell bent on people dutifully taking in the details of your post.

    Being as studious as you are, you must absolutely be kicking yourself at your own laziness and arrogance which allowed you the delusion that somehow security updates weren’t necessary for you.

    God that must really hurt right now.

    (by the way, I read about that in your original post)

    I’m not sure what you’d have us do for you now, though. If you happen to invent a time machine let us know. I’ll be sure to read that post in intimate detail.

    In the mean time, unless you’re busy wiping *everything* from your hosting space and reloading fresh copies of (again) *everything* including wordpress, themes and plugins, may I suggest you start there?

    Leave no file behind… but do backup any media contained in your posts.

    Also, your page that looks normal also contains lots of hidden links in both the header and footer. Although you have upgraded now to the most recent version, there a still one or more files that are hacked.

    Best advice is what Ivovic gave you: delete everything and reinstall everything from a clean source.

    Well you know, every thing I’ve read that contains suggestions about proper etiquette for posting to a support forum says to be specific and include details. So it’s frustrating when I take pains to do so, and people ignore them. If you’re not going to pay any attention to the information I’m providing to help diagnose the issue, don’t waste both of our time. And ffs don’t waste your own time replying just to try to bitch me out. Go do something productive.

    As I’ve pointed out, I made a long-overdue upgrade from 2.0 (NOT 1.2, that meta tag was hard-coded into a theme file and hence erroneous) to 2.5.1 last night. Until then, the labor involved in doing an upgrade was the main thing keeping me from not doing it sooner, until I found the automatic upgrade plugin — kudos to the fine folks who came up with that! As you probably know, the upgrade overwrites pretty much every WordPress file with the new versions, so it’s not far off from a complete reinstall. Images, media, and themes obviously are left alone.

    Immediately after doing the upgrade, I changed my user account password in WordPress and also my FTP/SSH password. But I repeat myself yet again. Shortly after doing this, the same spam-attack was made yet again.

    Yeah, if I had lots of time on my hands, I could wipe every single file as you suggest, but I thought maybe someone here would be able to help me narrow things down a bit so I could maybe focus on certain files and approach this in an efficient manner rather than a hack-and-slash one.

    Anyway I’m going to go have a look at the files in my theme.

    And ffs don’t waste your own time replying just to try to bitch me out.

    Well actually, I did offer you the only course of action likely to lead to a solution.

    Yeah, if I had lots of time on my hands, I could wipe every single file as you suggest, but I thought maybe someone here would be able to help me narrow things down a bit so I could maybe focus on certain files and approach this in an efficient…

    It’s far more time-efficient and effective to stamp out your problem, than it is to waffle around and squawk about alternatives which do not exist.

    Immediately after doing the upgrade, I changed my user account password in WordPress and also my FTP/SSH password. But I repeat myself yet again. Shortly after doing this, the same spam-attack was made yet again.

    let me see if I can be ultra-specific for you, since now you’re the one having trouble reading what’s been written for you..

    you didn’t get rid of the back door they left for themselves, therefore they were able to enter at their leisure

    If you don’t get rid of EVERYTHING in your hosting space, how will you know that they haven’t simply added some code to any of the php files you have uploaded there?

    Do you want to read them all? I sure as feh don’t.

    rather than a hack-and-slash one

    I told you to nuke it from orbit… you’re the one hell bent on hacking and slashing and ignoring the only effective advice you’re going to get.

    Want help? there it is (again)… don’t like it? not what you want to hear?… well, I can’t tell you how deeply upset that’s going to make me.

    Yep, this has gone beyond just “Oops, I really should get off my duff and upgrade so I don’t get hacked.” It’s too late for that now. Now you go into damage control and, unfortunately, that means that all the files on your server are suspect. But if you keep backups of your things on your hard drive (you do, don’t you?), it’s not that big a deal to just restore fresh files either from a known good back up (your server log files should give clues as to when the breach occurred) or from uncompromised files residing on your hard drive.

    A PITA, you bet. Upgrading on a regular basis seems like a walk in the park compared to that now, huh? Nothing learned like something learned the hard way. The end result, tho, should be that you’ll have a solid WP install. But as I’ve said many times over on this forum and elsewhere, you are only as secure as the most lazy, security-lax person sharing your server space. So plan around those idiots by keeping your software updated regularly.

    “If you don’t have enough time to do it right, when are you going to have time to do it over?”

    Here’s the thing: I’m not entirely convinced that this paticular attack involves changing any of WordPress’s PHP files directly. The weird behavior described where the post shows up normally if you add a trailing / to the URL seems to suggest there’s something else at work here, as does this: the spam page is still given by URLS that point to posts that I have deleted; also the upgrade I did last night should have replaced all WordPress’s own code with new files anyway… at least, the automatic upgrade plugin claimed it was doing so.

    If a specific PHP file has been modified however, a bit of exploration might turn up which specific file(s). Thus my main purpose in posting here was in hopes that someone has seen had specific problem before, and had found the PHP file, or whatever else (database record, .htaccess, theme files, etc) that had been changed and could point me to it.

    Wiping out and reinstalling Every. Single. File. will take a considerable amount of time, so I was hoping to leave it as a last resort, and start by seeing if I could find anyone that could narrow things down.

    See I program for a living. I don’t rewrite my entire code base from scratch every time there’s a bug. I’d never make a living that way. I try to find exactly where the bug is first. So this is just my natural approach to a problem like this.

    If you haven’t seen this specific problem before and thus can’t help narrow things down, then geez, just say so already. At least read enough of my description of said problem to understand what specific problem I’m having rather than just assuming it’s a common one that you have a stock answer for — in which case Google would have turned up information about already and I wouldn’t be bothering to post here in the first place.

    I’ve deleted the spam links that had got hacked into my header and footer files, that I hadn’t noticed before but were pointed out by someone actually helpful. That hasn’t done away with this particular problem however.

    Your problem is that you’ve been hacked. Unless you know how to interpret server logs, and apparently, since you program for a living, you must, the safest thing to do, to prevent further such attacks, is to upload clean files. You don’t take a bath and put dirty underwear on, do you? (Sorry, Whoo, I had to!)

    Here’s the thing: I’m not entirely convinced that this paticular attack involves changing any of WordPress’s PHP files directly

    I stopped reading here… he was right, I’ve got better things to do.

    Yes, you do. Please go away.
    I’m going to go look at some logs.

    Whoo is gonna be so disappointed…

Viewing 15 replies - 1 through 15 (of 35 total)
  • The topic ‘[Resolved] is this some new spam attack?’ is closed to new replies.
Skip to toolbar