Support » Installing WordPress » Spammers are cracking now?!

  • So I am no stranger to the occasional comment from spammers, I usually just moderate it and get on with life.

    But today I mosey on over to my site for shits and giggles when I notice one thing: it’s not there.

    Then I notice the scrollbar is way pushed up, so I scroll down. My site has a huge amount of blank space above it. Attributing it to a code glitch, I validate the CSS and XHTML almost instinctively. The CSS Validation page tells me there’s an error in my HTML document. Line 1 Column 16.

    The XHTML validation page just says Failed.

    I’m getting suspicious: I check this Line 1 Column 16 by viewing source. Expletives ring off in my mind as I read marquee tags everywhere in my source. They advertise “Xenical”, “Xanax”, and “Phenterimine”, as well as a plethora of unknown characters represented by a diamond and question mark.

    I check the admin pages and the theme editor—maybe it was just my theme that was cracked. Instead I am greeted with header errors relating to wp-db.php:359.

    I make sure there’s nothing wrong with wp-db.php and then open up my ftp client and re-upload all my files, knowing I can’t hurt anything by doing so.


    I’m really getting worried. If it’s not related to files, It’s related to my database.

    I open up my host’s control panel thing, check to make sure my databases are alright. Two are left open so I click “Repair”–Then I head to phpMyAdmin.

    I notice there’s a database that I hadn’t created in the drop-down: test, and test has one table.

    Not knowing or caring if this was something just implemented by phpMyAdmin, I drop the tables in the database and check my site again.

    The marquees and blank space are still there.

    At first I come to the conclusion spammers have cracked my WP database. But when I run a search on “Xanax” and “marquee” in the search database form, I get nothing.

    And if I uploaded all files anew … what’s happening?

    Could my host have been cracked in some way?

    Edit: sorry, my site is

Viewing 8 replies - 1 through 8 (of 8 total)
  • The ‘test’ db is a standard database that comes with every MySQL installation. Unless you initially removed it, it was always there and you just didn’t notice it.

    As to spammers cracking sites and hosts, that’s nothing new. I work as a security engineer for a large university and have to deal with spammers 0wn1ng machines all the time. They’ll use any chance they can get to get their word out.

    They probably exploited a recent WordPress vulnerability to get their content onto your site.

    If you control the machine where your site is hosted, I would recommend a complete rebuild of the host. You never know what kind of rootkit/backdoor was installed.

    Alas, for all I know my server is something like 1000 km away.

    I am going to try and see if it was only my site affected or the entire host.

    Hmm …

    i don’t get these people …
    what’s the point of cracking a weblog ??

    I suggest you make an ip logger

    Have you contacted your host yet? It sounds like that marquee stuff is being injected at the Apache level and the script kiddie probably used something like a cPanel exploit to do it.

    If it’s not in the database, and not in any wp files specifically, it does sound like your host was compromised, and Apache is serving up these files to EVERY SITE on the host.

    Does this happen on every page of your site, benjamin?

    Yeah, every page. I’m emailing tech support right now with the suggestions listed by you guys.

    I appreciate everyone’s concern.

    Just because I’m curious (sorry for the bump). bejamin, did you ever get a response on this issue?

    Unfortunately, no, but unless I am missing something–there’s nothing in my wordpress folders or my database tables to indicate it was an attack on my site level.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Spammers are cracking now?!’ is closed to new replies.