WordPress.org

Support

Support » How-To and Troubleshooting » SEO meta data hijacked / hacked by spam

SEO meta data hijacked / hacked by spam

  • alexalready
    Member

    @alexalready

    Recently noticed that some of my blog’s meta-data (category titles and post meta title / description) seems to have been hijacked or hacked by spam.

    example screenshot: http://i.imgur.com/I5vEx.png
    example google results: http://www.google.com/search?q=braised+and+confused

    The links still seem to go the correct pages, but the meta title and text seems to have somehow changed to spam for viagra etc.

    Anyone have an idea how I can track this down and fix it?

    Do I have to do a full reinstall? =(

    I haven’t backed up the database in maybe 3 months.

    Thanks in advance for any ideas or help!

Viewing 15 replies - 1 through 15 (of 24 total)
  • Matt
    Member

    @mattjacoby

    I’m having this same problem with one of my sites right now as well. I’m investigating the plugins I have installed to see if one of those have been compromised. Do you have a list of plugins you’re using? I’d like to compare and try and narrow it down.

    Mark Ratledge
    Forum Moderator

    @songdogtech

    Spam hacked. See http://sitecheck.sucuri.net/results/braisedandconfused.com

    Work your way through these resources and follow all instructions to completely clean your site or you may be hacked again. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress « WordPress Codex. Change all passwords. Scan your own PC.

    Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting

    If you can’t do the work yourself, consider looking for a reputable person to fix it correctly on jobs.wordpress.net or freelancing sites such as Elance. (It’s not a good idea to respond to unsolicited emails from forums users offering to work for you.)

    alexalready
    Member

    @alexalready

    Hey Matt,

    Sure. Here is a list of my plugins – let me know what you find.

    Active plugins:

    Akismet
    Flickr Gallery
    Google Analytics Tracking Code Embeder
    Lightbox Gallery
    Post Thumbnail Editor
    SEO Facebook Comments
    Social Slider by ARScode
    Twitter Facebook Social Share
    WordPress SEO

    Inactive plugins:

    AJAX Thumbnail Rebuild
    All in One SEO Pack
    blibahblubah
    Facebook Comments for WordPress
    fbLikeButton
    Hello Dolly
    Lightbox 3
    Open external links in a new window
    Picasa Album Uploader
    Random Redirect 2
    Taxonomy Dropdown Widget
    Twitter for WordPress
    WP Photo Album
    WP Picasa LightBox

    Matt
    Member

    @mattjacoby

    Hey Alex,

    Looks like the only one we really have in common is Akismet. I was using Platinum SEO Pack, but I disabled it with the idea of upgrading to WordPress SEO by Yoast soon (started changing all my sites to that this past spring).

    I came across this article about the Pharma Hack and it seems to be something I had, having found one of the database mods. I’m still looking for the file mods:
    http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php

    Also plan on adding some of these as well (in addition to what songdogtech recommended above): http://www.wptavern.com/top-5-wordpress-security-tips-you-most-likely-dont-follow

    If you figure out a solution, let me know. I’ll do the same. Thanks!

    alexalready
    Member

    @alexalready

    Hey Matt,

    I really like the way the pearsonified tutorial is written – easy to understand. However I think it may be outdated as I was not able to find any of the naming conventions he mentioned in my plugins folder, nor was I able to find the values he mentioned in my database.

    I thing I don’t understand is: if the file mods can have any naming convention and I simply have to look for ANY php file that looks “innocent” and suspicious – doesn’t this search become next to impossible? And how can I verify once i open a suspicious php file that it is indeed a hack? The examples he posted don’t even have the base64 or eval calls.

    looks like it’s going to be a long process =(

    thanks for posting – let me know if you find anything new

    Matt
    Member

    @mattjacoby

    Hey Alex,

    All good questions I don’t know the answer to. 🙂 I haven’t found any suspicious looking files yet either, but since I did find one of those database entries, it gave me a little hope that I was on the right path. But yes, the article could be dated since it was from 2010, I think.

    I haven’t gotten back to that site yet (other sites to work on too), but if I find anymore I’ll happily share.

    Thanks!

    alexalready
    Member

    @alexalready

    Update:

    I found out on another forum that my hosting provider (dreamhost) is able to support fixing the pharma hack

    I emailed them last night and they have run an automatic scan of all my files.

    They also quarantined the files that were clearly hacked – giving me the final say to delete them.

    Looks like they found and removed most of it and have listed off all possible entry points and which files i need to remove myself!

    So lesson is: check with your hosting provider they may save you a lot of time and trouble!

    Matt
    Member

    @mattjacoby

    Hey,

    I’m jealous! lol That was easy for you. Unfortunately, I’m kind of on my own. We use Media Temple, which is more self-managed and I’ve been through this a couple times with them already and they offer some suggestions but don’t really offer to give me the full scan and assistance treatment.

    Do let me know if there are any files from your Dreamhost list that need to be removed in maybe Akismet or another plugin that could give me some ideas as to where I might find mine.

    Thanks!
    Matt

    Your host may have helped and you are not longer promoting
    but your site is not healed.
    https://www.google.com/search?q=braised+and+confused
    Google shows it as compromised

    I have been back and forth with this pharma hack particularly viagra for several months. I though it was settled, but not really.

    Here is what I found:
    1. sucuri is not that helpful as it shows your site as clean. Perhaps the title is clean but your site is still hacked.

    2. the hack modifies the
    wp-includes/general-template.php
    to insert encrypted code

    3. also links to a file .xml in the root folder (so this is also an ftp(?) hack

    4. and populates
    wp-includes/js/jcrop/index.html
    wp-includes/js/jcrop/paybepuezwdhtgq.php

    5. key clue is the 3 wp-includes files all have file date times of Oct 12, 2012 5:42 PM

    6. when not hacked the wp-includes/general-template.php file is ~76 kb when hacked is ~177kb

    7. deleting the code from inside or restoring the general-template.php would only last a short time I found about 5 minutes. Once I deleted the .xml file it no longer could insert the two helper files – but the website is ‘broken’ only the homepage works. Restoring the general-template.php fixes it.

    8. I went into the cPanel interface and marked the general-template.php file as read only.

    9. http://www.botsimulator.com/
    Is very helpful in seeing what the bots see.

    And our hack is not the same as the one alexalready is suffering as his posts are compromised. WOW!

    – – –
    This is a major ding on WordPress IMHO.
    I have used wordfences and better WP Security

    wordfences is nice in that you can see the live IP addresses hitting you site and block them

    I have literally spent days on this – and while not a web programmer (I have done quite a bit of Visual Basic and VBA.) So I am not a noob, but this hack is crafty work.

    Our site had reasonable security from the start and now is had both plug ins and my efforts at full tilt for the last 3 days and at best I feel I have only held it at detente.

    The hack is in a WP core file! Can’t blame it on updates – always updated.

    Another day or two and we will probably migrate to another platform. For the time wasted on this, could have been spent much more productively.

    Yes – I did all the tips mentioned about including the htacess
    NONE of that helped. All the security advice on the web is outdated for the current round of attacks.

    Mark Ratledge
    Forum Moderator

    @songdogtech

    @andyb3ll; responding to an 11 month-old thread is not very helpful.

    Just because that site referenced above is still hacked means the owner hasn’t done anything with it, not that WP has an ongoing vulnerability.

    What is the URL of your site? Who is your web host? What server OS?

    This is a major ding on WordPress IMHO.

    You don’t understand the difference between a hack of WP due to a WP vulnerability and a hack of WP due to server vulnerabilities.

    The hack is in a WP core file! Can’t blame it on updates – always updated.

    Very doubtful.

    Another day or two and we will probably migrate to another platform. For the time wasted on this, could have been spent much more productively.

    You’re blaming the messenger, not the message.

    All the security advice on the web is outdated for the current round of attacks.

    Where exactly have you been looking and what have you been reading?

    alexalready
    Member

    @alexalready

    Within the last 11 months I fixed the first hack and now I’ve been hacked again. Every post on my site has meta-data linking to viagra sites and I’ve been notified by google webmaster tools about it.

    I’ve paid for Securri and they were not able to fix the issue. I have a dozen different blog posts with ideas on how to fix it and none of them reproduce the same hack that I have.

    I’m currently trying to delete as much from my server as possible and do a fresh wordpress install to connect to my database.

    From what i understand, this might not even solve the problem because the vulnerability could be in the database itself.

    This has been a totally demoralizing experience.

    esmi
    Forum Moderator

    @esmi

    Mark Ratledge
    Forum Moderator

    @songdogtech

    @alexalready said:

    this might not even solve the problem because the vulnerability could be in the database itself.

    Yes, that’s what all of our “fix it the right way” links say; you need to check the database. Simply deleting posts or using band aids like replacing files will not completely remove the hack.

    You’re on Dreamhost; you need to talk to them, too.

    alexalready
    Member

    @alexalready

    @songdogtech

    Thanks for your help.
    I’m working with dreamhost on it, they helped me identify some files i should remove.

    I found a couple of posts around asking me to search the db for specific files I should delete but my database didn’t have any of those. Can you confirm what resource I should consult about cleaning the database?

    thanks!

    Mark Ratledge
    Forum Moderator

    @songdogtech

    Read http://ottopress.com/2009/hacked-wordpress-backdoors/ Search for the spam words and base64 code.

Viewing 15 replies - 1 through 15 (of 24 total)
  • The topic ‘SEO meta data hijacked / hacked by spam’ is closed to new replies.