SPAM Inserts into Blog Posts (24 posts)

  1. jberkowitz
    Posted 7 years ago #

    This HIDDEN code is being somehow automatically inserted into the CODE of my posts after I save my post and is then sending out porn links via the RSS feed.

    <font style="overflow: hidden; position: absolute; height: 0pt; width: 0pt"><!--4848-->

    How can I stop this from happening??

  2. whooami
    Posted 7 years ago #

    at the blog in your profile?

    How about reading your dashboard sometimes?

    How about upgrading from a version of WordPress that is nearly 1-1/2 years old?

    <meta name="generator" content="WordPress 2.1" />

    thats what your on.

    Its hard enough to keep up with ppl that have apparent security issues with the most recent version, much less ppl that cant be bothered to be responsible. If you cant take care of your site, what the hell do you expect?

    And yes, thats a vent, but ffs, folks, get a clue. If you cant do the work, the LITTLE bit of work it takes to upload some files, find someone that likes money, and pay them to.

  3. CognitiveCombine
    Posted 7 years ago #

    Perhaps I would not have said it as directly as whooami :) but I definitely agree. The longer you wait before upgrading the more exploits will come out that will threaten the integrity of your site. It's in your own interested to say up to date.

  4. oak-grove
    Posted 7 years ago #

    I too have this problem and thought that it was because I was behind a couple of revisions. I was on 2.3.1 so cleaned everything down and replaced it with 2.3.3 but I've still got the problem.

    Example: http://www.fulwoodfmc.net/podcasts/2008/03/02/the-tenants-andrew-gardner/

    It only ever changes the first post. It also changes the comments and ping settings off. If I clean the post down it comes back again within 24 hours.

    Is there something else I should be checking?

    Is there some other security settings I should be applying?

  5. fluttervertigo
    Posted 7 years ago #

    Guaranteed to be a long response, so if you aren't up to reading something long & boring, stop now. I will assert there aren't any bits & bytes, so it should be pretty accessible. (If anything is incorrect, please let me know. I hate using a dictionary or encyclopedia.)

    First, there are no perfect methods in any type of blocking certain things. The harder you try, the more delight some take to defeat systems. Companies spend a LOT of time trying to "protect" information such as music, movies, etc. If you can see it, and if you can feel it, it can be broken.

    Suits would prefer this outlook to be suppressed because it looks like they're telling everyone, "Come and get it!"

    There are two methods of resolving (nor nearly so) spam in blogs:

    1. Spam detector software

    2. CAPTCHAs ( Completely Automatic Public Turing Test to Tell Computers and Humans Apart ). Let's try to avoid using "CAPTCHA's".

    The former has two methods: 1) use a service geared for it; 2) Use what's known as a "Bayesian" detector/filter. Bayesian software works by being told what is spam and what is not. The more it's used, the "smarter" it becomes.

    If you want to sound impressive to others, Bayes was a Presbyterian minister ... in the early 1700s. Kind of strange how a religious leader from 300 years ago has work which is important in today's world. That overshadows another math wizard as Evariste Galois died in a (gun) feud (seriously) in the early 1800s, just a bit beyond the age of 20. His work continues to find more & more (and more) new ways to deal with his work.

    CAPTCHAs are the funny little boxes with colors, hash marks, etc. which are intended to baffle software because people can read it and computers cannot. You just enter what you believe it to be and it compares with the web server.

    I've pondered using either on a random basis. It won't fix everything. But I'm just curious as to what happens.

    CAPTCHAs aren't foolproof. Some spamming services pay people to interpret them for a particular fee. (see "squat") The desired message is pasted and submitted. One could think "manual spam." But if sites are noted to have a particular "profile" which can be logged & used at will, I have no doubt this would be another way to compromise blogs automatically.

    I've stepped back from the "anti" (anti-spam) and where blogging fits in. But there are two parties who can sue spammers: ISPs and SAGs (State Attorney General). You'd think it was taboo to do it. ISPs would definitely raise the profile of that ISP -- potentially steal some customers with the knowledge they are going to (legally & financially) make someone pay. As for a SAG, it's been interesting to see how elections are handled. The Indiana SAG spent the entire campaign bragging about what he'd done to support the DNC (Do Not Call) phone list. It's more stringent than the federal level. Had he had the stones to do it, he would take on spammers. I don't think people would look at the other candidates, as this alone would make people happy.


  6. whooami
    Posted 7 years ago #


    You apparently missed the point of the thread -- this isnt about normal "spam" its about sites being exploited and spam inserted into the databse via the exploits.

    captchas aint gonna do jack for that.

  7. oak-grove
    Posted 7 years ago #

    I noticed a couple of security things that I could tighten down on - mainly stopping self registration and deleted some suspicious user accounts, so have cleaned up the entry highlighted previously. We'll see what happens.

  8. TimU
    Posted 7 years ago #

    I have exactly the same problem.

    Hidden porn links were inserted into the code of recent posts and the comments and ping settings are switched off. I also noted that a new Administrator user was set up (which I have promtly deleted).

    I thought it was because I was using an older version, but I upgraded an still get the spam porn links inserted into my posts.

    Any idea how to stop it? Or is there at least a common IP address that all these attacks originate from, which I can get my host to block?

  9. oak-grove
    Posted 7 years ago #

    Since removing self registration I have not had the problem. Might be a good thing to try if you don't need it.

  10. TimU
    Posted 7 years ago #

    I have never had self-registration enabled but I still have the problem.

  11. rachelleb
    Posted 7 years ago #

    I upgraded to WordPress 2.3.3 last week because I was having this issue and it ended up making my site inoperable both on the front (rachelleb.com) and the backend WP.

    Now today my friend alerted me that I have spam in my feed and sure enough, there's the spam in my post.

    Example here: http://www.rachelleb.com/2008/03/13/mekong-river-on-6th/

    You can't see the spam while viewing the post, but if you do "view source" you'll see it in the code. It also displays in feed readers.

    I've tried to read through these threads and most people are saying to upgrade to the must recent WP installation.. which I have done.. I don't know what else to do. Again, this is spam INSIDE posts, not comment spam.

  12. rachelleb
    Posted 7 years ago #

    just to clarify, it was the spam, not the upgrade that was making my site inoperable. i'm afraid it's going to go down that path again..

  13. macsoft3
    Posted 7 years ago #

    Is your hosting company Dreamhost? Perhaps, you may want to consult them about server security. There are many simple security measures. And I can't list them all here.

    By the way, your wp-includes folder is wide-open. Its content is viewable.

  14. rachelleb
    Posted 7 years ago #

    macsoft3 - thanks for your reply.

    Dreamhost is my hosting company. I will contact them.

    What is the suggested setting for wp-includes?

  15. whooami
    Posted 7 years ago #

    ALL directories should be chmod 755.

    If you do not want your directories to be browsable, create a an empty index.html on your desktop and upload it to those directories you dont want to be browsable.

  16. rachelleb
    Posted 7 years ago #

    Thanks for the tips, whooami.

    I checked my settings in my ftp client and my wp-includes directory was already set at 755. So I created the blank index and uploaded it.

    I will also check the settings on my other directories and create the blank index files, if needed.

  17. oak-grove
    Posted 7 years ago #

    There is more to this than just the insertion of code into your post. In the root of your site structure you may well find, as I did today, hqc.php.

    Your site will then be used within the code that is posted onto other's sites.

    There are a now a whole load of sites with links hqc.php on my site, litterally hundreds of them.

    I've deleted it. I'm not a php coder so can't understand what it is doing, but if anyone else wants to have a look I've kept a copy safe (off my site).

  18. whooami
    Posted 7 years ago #

    and so Im inquisitive..


    I see joomla, I found your wp install.

    and where was the file located?

    These posts are tedious to me. having upgraded 2 previously hacked blogs is as many days, and seeing the results, Im suspicious of all of these other upgrades. meaning, I seem to have a process that works, and having upgraded these other blogs, Im not seeing the new installs being hacked, and they were extremely hacked before I got to them.

    One thing I think ppl are missing is this..

    Google for that file name. One of the most popular sites that comes up is this one:


    terribly hacked, a wonderful example of an irresponsible, errant webmaster that ought to have his Internet drivers license revoked (if you ask me).

    What version is installed on that site:

    <meta name="generator" content="WordPress 2.1" />

    What interesting exploits are there for that particular version?

    Well, at the very least, there is one that successfully grabs your administrator password.

    Now im going to go out on a limb, and suggest that that person probably wouldnt even know they were hacked..and that during any upgrade process, would see no reason to change their administrator password.

    So hey, okay! They upgrade, but guess what, Szevegni from Croatia still has that password -- despite the fact that the install has been upgraded.

    My point?

    That for a while I was entertaining the idea that there was still a security issue in 2.3.3. I no longer think that. Ive had recent experiences with three separately hacked blogs in the last week, one of which included involving 2 WP devs, and I honestly think these are cases where ppl had previously compromised installs, and they simply have not secured their sites to the degree necessary following that compromise.

    I have also "seen" (logged all the variables sent to the file being called) the spam injection exploit in action, and have tested it against a 2.3.3. install -- it doesnt work.

    If 2.3.3 is insecure in any fashion, its not related to these spam insertions.

    Just food for thought.


    And honestly, anyone running Joomla.. ought to run for their lives.

  19. whooami
    Posted 7 years ago #

    and heres a real funny, one of the blogs I just updated.. thats NO LONGER seeing successful hacks.. there was an attempt to insert links ..

    I have logging set up on the site so I can capture "stuff" right.. You dont even need to tell me where that file was located, because YOUR site just popped up .. the hackers were trying to insert links back to YOUR site, and guess what..

    that file, was in the root of your joomla install, not your WP install.

    That doesn't suggest anything other than it might not be a simple WP hack, it might be a PHP issue, it might be a permissions issue, lord knows. I can say that Ive found the same on a 2.1.x blog and if I remember correctly a 2.2.x install as well, and there are ppl proclaiming from the rooftops that 2.3.3 is suspectable as well. Of that, Im not convinced.

    None the less, Im sure this will look familiar to you.

    <a href=\"http://www.fulwoodfmc.net/hqc.php?download.htm\">spyware adware remover download</a>
    <a href=\"http://www.fulwoodfmc.net/hqc.php?foot.htm\">girls licking feet</a>
    <a href=\"http://www.fulwoodfmc.net/hqc.php?sylvia.htm\">silvia saint raped</a>
    <a href=\"http://www.fulwoodfmc.net/hqc.php?olsen.htm\">bree olsen dildo</a>
    <a href=\"http://www.fulwoodfmc.net/hqc.php?machine.htm\">old machine shops chicago</a>
    <a href=\"http://www.fulwoodfmc.net/hqc.php?slut.htm\">backstabbing sluts</a>
    <a href=\"http://www.fulwoodfmc.net/hqc.php?throat.htm\">white throat monitor</a>
    <a href=\"http://www.fulwoodfmc.net/hqc.php?slut.htm\">slut slave</a>
    <a href=\"http://www.fulwoodfmc.net/hqc.php?orgy.htm\">free orgy videos</a>

    They failed at inserting these and about 100 other links into a freshly upgraded 2.3.3 install that I personally secured.

  20. whooami
    Posted 7 years ago #

    btw, oak-grove, if you are interested in getting to the root of the problem.. I can help you in doing so.

    All I ask is that any data collected stay between you and I, and if it turns out to be an issue with a current version of WP, the WP devs.

    contact me at whoo (((((@))))) village-idiot.org if you are up to it.

  21. oak-grove
    Posted 7 years ago #

    I think that I am now clean too, but I missed hqc.php because it as in the root structure, rather than in the blog subdirectory which I had cleaned.

    I only noticed it when the technorati feed for the domain started going bonkers with loads of sites pointing to my domain, all referencing hqc.php, and there have been hundreds of them. I've checked through a good number of them and not one of them has been 2.3.3, most have been much older. A lot of them also seem to be K2 style (which mine used to be), but that could just be because K2 is popular.

    So I'm almost certain that hqc.php is left over from before the 2.3.3 upgrade and that the site is now clean and that 2.3.3 is secure.

    I also changed all of my passwords to be sure that they were safe.

  22. whooami
    Posted 7 years ago #

    btw, oak-grove, if you are interested in getting to the root of the problem.. I can help you in doing so.

    Im not talking about cleaning up your site -- im talking about figuring out how they uploaded the files .. but no worries, theres plenty more fish in the sea (so to speak).

  23. rachelleb
    Posted 7 years ago #

    hey, guys -

    I'm back. And a little confused. I took your advice and thought everything was fixed but then my friend just emailled me this morning to say he was reading the feed of my site and there is a ton of spam in a post again .. I looked at this post and if you do view source there's a bunch of spam links - http://www.rachelleb.com/2008/03/20/whats-the-temp/

    what is the fix you have found?

    thanks for your help.


  24. whooami
    Posted 7 years ago #

    ive blogged about what I have done with the previously hacked installs that I have taken care of ..

    rather than repaste:


Topic Closed

This topic has been closed to new replies.

About this Topic