Site mal-age

DMZ · May 29, 2009 at 3:37 pm · Filed Under Site information 

Hey all. About 12h someone changed our footer.php to include a vast number of hidden, spammy links, and I’ve been chasing it since. I just blew away the footer entirely, sooo uh we’ll see. That said, I’ve got zero experience at forensics and I’m still unsure exactly how this happened. I’ll spend some more time on this later, or throw up my hands and sell my shares to Rupert Murdoch or something.


6 Responses to “Site mal-age”

  1. kenshabby on May 29th, 2009 4:22 pm

    I spent a year testing Google’s search engine and saw with this kind of crap all the time. Often legitimate header and footer themes are “creatively redesigned” by spammers and redistributed; those changes are undetectable until a site search is performed. Google may then blacklist the site, a truly unfortunate scenario.

    Is directory browsing disabled? If not, the likeliest explanation is that the malicious WordPress user accessed the site directory and did the spam link injection that way. It could be worse–I’ve heard of entire content having to be rebuilt from scratch.

  2. Nate on May 29th, 2009 5:37 pm

    Probably Jose Lopez did it. (sneaky Venezuelans!)


  3. Goob on May 29th, 2009 6:02 pm

    I few years back I found that my WordPress header file was being replaced with a copy that caused popups full of referral links to casino and “free ipod” sites. No matter how many times I deleted the code, it kept coming back and a few searches through my cpanel log showed that they’d cracked my FTP password and were overriding my files ever night at 2am or something. I stopped them by deleting the default “admin” login and changing my account’s password to a huge string of letters and symbols. Annoying, but it worked.

    Oh, I also made sure to turn off the function that allows for editing the files through WordPress. That feature is kinda nice, but I was always worried about some sort of exploit.

    As for finding the culprit, I contacted the owners of the casino sites and provided them with the links. They were able to ID the person since each link was user specific and ban him from their sites. It’s not much, but at least the baddies don’t get to profit from the mischief.

  4. DMZ on May 29th, 2009 6:24 pm

    — Is directory browsing disabled?


  5. bilbo27 on May 29th, 2009 8:56 pm

    I do this for a living (designing web applications, not spamming ;-). So, either they cracked your password somewhere or the permissions on your files/folders give some vulnerability or there are some security vulnerability in the version of wordpress you are using or one of your plugins.

    There’s also a some chance that another website on the same machine as yours has some vulnerability that gave the spammers access to the system files and thus the ability to change your files. But this is unlikely because of the way most hosts setup things and the particular modification that showed up on your site.

    It’s probably just the password one cracked by some bot. If your password is any english word then it can be cracked VERY easily by a bot that literally will just go through the dictionary and try every word (and can do this fast). If this is the case, consider making your password a full short sentence. This will make it exponentially harder to crack and will be easier to remember then other very secure passwords that have random numbers and characters.

    If it’s a wordpress vulnerability (there are some always), see about making sure you have the most recent version of wordpress installed. (wordpress is usually really easy to upgrade, just back things up first just in case).

    For the file vulnerabilities just google “WordPress file permissions” to see about making sure you have minimal access permissions set on all your files.

    You might also see about getting the IP that the change was made from (which will be in some log files somewhere) and blocking anyone from that IP from accessing your site.

    Depending on your hosting, there are also sometimes programs built in that will notify you via email if/when/and by whom any of your website files are changed so you can fix it right away.

  6. DMZ on May 29th, 2009 9:13 pm

    Uh, in order… permissions are fixed. But… possibly.
    Passwords, I’ll remind everyone. Certainly possible.
    WP vulnerability, I patch this thing within seconds of a patch release
    And I’m IP-banning the shit out of these hosers

Leave a Reply

You must be logged in to post a comment.