WordPress Question

by Kieran Healy on June 2, 2007

We’ve just had an issue with some spam showing up on the site. Not the run-of-the-mill comment-based sort. It was hidden in a block of html enclosed in a <u style="display: none"></u> tag. Weirdly, and this is the disturbing bit, it appeared as a block of HTML appended to our index.php file, which really shouldn’t happen at all. The result was that WordPress would render CT pages and then this bit of spam text would be right at the bottom of the html, outside the body tags, etc, as the index.php file closed out.

The permissions on the index.php file are right and our WP installation is up to date. There doesn’t seem to be anything else amiss, and apart from it appearing in a very strange place it seems like automated rather than handcrafted spam. (Another odd thing was that some of the spam links pointed to some personal pages hosted by washington.edu, but I didn’t follow the links.) Unfortunately I don’t know how long the spam has been there. What happened to us is approximately the same as what happened to this guy on the WP support forum, but there wasn’t any helpful followup from that thread. Has anyone encountered this issue before?

{ 1 trackback }

Crooked Timber » Spam Again
06.06.07 at 2:36 pm

{ 15 comments }

1

abb1 06.02.07 at 10:28 am

Must be something with permissions.

2

stuart 06.02.07 at 1:11 pm

I found another site with the same spam at the end of it, but it wasn’t WordPress, so it’s something more generic than that. If it was the same links in yours, most of them have been removed by the various academic institutions that it linked to, except for the bits hidden under the Latvian course information section of washington.edu (the other washington.edu location has been removed). These only contain a load of text to boost its search rank and a link back to what I presume is the originator, which is a (very nasty, from the file names of the few pictures and the accompanying text) porn link page in the Ukraine .com 2LD.

From the locations the files are located in the various US websites (most .edu, some .org, .com and .gov) they have managed to get files onto, it looks like they have done it by finding directories on websites with the wrong permissions set and dumped a few link pages in each place, because although some are under user accounts (which would most often indicate a weak password account hacking bot), there are also plenty of other areas of various websites affected. Unfortunately currently the .com.ua whois server doesn’t seem to be properly set up, including any mirrors I found, so haven’t been able to track the source back very far in a short time, although it might be possible.

This would suggest that it is more likely that the links were added due to a permissions issue at some point – the degradation of the links gives the impression it could have been added quite a while ago, although it could also be a substandard bot or old zombies still adding links that have been killed long ago.

3

Kieran Healy 06.02.07 at 1:32 pm

I see … the permissions are OK now, but WP has been through a bunch of point upgrades in the past couple of months, so something may have happened with file permissions during one of those that didn’t get fixed till the next one.

4

Cranky Observer 06.02.07 at 8:59 pm

I don’t know what kind of tech support WordPress offers, but I would open a support case with them and also with your hosting ISP to let them know about this. It could be a larger issue if it is affecting multiple sites.

Cranky

5

Quo Vadis 06.02.07 at 9:41 pm

There are all kinds of exploits for PHP (and everything else) that rely not just on permissions problems, but on other seemingly innocuous pieces of code and system settings. One of the most common PHP exploits allows the hacker to upload a PHP file they wrote to your machine and execute it with the permissions of the PHP process. I suspect that if you look carefully in your log files and in your PHP directories you will find some unusual files.

In fact, a little searching yields:

http://wordpress.org/development/2007/01/wordpress-207/

6

bi 06.03.07 at 9:42 am

The spammage is back again.

Do the server logs show any suspicious activity?

7

bi 06.03.07 at 9:44 am

(Yes, it’s back again… after you removed those links, someone (or something) came back and threw in another pile of spam links.)

8

Quo Vadis 06.03.07 at 10:09 am

The hacker probably installed a root kit when they originally compromised the server. Typically the kit includes a php file that allows the hacker (or an automated script) to execute shell commands from a web page. The page might have a strange name or be in an odd directory to make it difficult to find on the file system. Sometimes there are other hidden files that will reinstall the root kit if someone tries to remove it.

These hacks are usually completely automated and the compromised servers might be used for a variety of nefarious purposes like sending spam or participating in DOS attacks on other servers. I get hundreds of probes a day on my servers looking for vulnerabilities.

9

Kieran Healy 06.03.07 at 2:22 pm

Crap. I’m looking for the script that’s doing this, but it’s hard to find …

10

lemuel pitkin 06.03.07 at 2:26 pm

But what’s the point of all this nefariousness? just to drive traffic to a porn site? Doesn’t seem worth the effort…

11

bi 06.03.07 at 6:06 pm

Kieran Healy:

I don’t know, maybe doing a comparison between the PHP code on your server and the pristine WordPress PHP code (using “diff -r”) may help? “netstat” to check for suspicious network services?

Anyway, in case you do find the code that’s causing the nuisance, I’d like to know what it looks like so that I can guard against it… I don’t want to write vulnerabilities into my PHP scripts. :)

12

Quo Vadis 06.03.07 at 6:28 pm

Kieran,

The root kits I’ve seen send the commands in clear text. You should be able to search your log files for text related to the spam insertion – bits of the URLs, shell commands etc. that can lead you to the page. Once you find the file, you may want to search your PHP directories to find files that refer to it or files that were created at about the same time as there may be other files in the root kit. There have undoubtedly been others who have dealt with this root kit, so once you have a file name, try Google.

As for the why of it – page rank is money, especially in a market as crowded as online porn. That’s just one of the many uses that a botnet can be applied to. A friend of mine realized one day that he couldn’t account for several gigabytes of disk space. He discovered that hidden on his drive were two DVD images. Someone had been using his machine and his DSL connection to distribute pirated software.

13

Stuart 06.04.07 at 10:40 am

But what’s the point of all this nefariousness? just to drive traffic to a porn site? Doesn’t seem worth the effort…

Well, it’s hidden, so it’s trying to get search rankings for their site up rather than directly trying to get traffic.

14

ben wolfson 06.04.07 at 4:11 pm

I bet it’s actually just the way WP makes its money.

15

bi 06.05.07 at 8:59 am

And guess what, the spammage is back… _yet_ _again_! =sploosh=
