
Spam Link Injection Hacked (and How I Hopefully Fixed It) | Digging in...

http://digwp.com/2009/06/spam-link-injection-hacked/

Digging into WordPress


by Chris Coyier & Jeff Starr

Spam Link Injection Hacked (and How I Hopefully Fixed It)


Posted on: June 30, 2009 by Chris Coyier

Just recently my other blog CSS-Tricks was hacked. I first found out by a very helpful reader emailing me a screenshot from the mobile version of my site.

The mobile version of my site was built by Mobify, so I contacted them right away. As I should have known, Mobify can't insert content into a site; they are only a presentation layer on top of the already existing content. They were very quick and helpful with their response and sent me some useful links to what the problem might be. This of course meant that the site itself was hacked.

Time is of the essence at this point, because not only do I not want my visitors seeing nasty spam, I don't want the Googlebot to cruise through, see the mess, and hurt my SEO. I immediately set out to figure out where these spam links were being inserted from.

I had this happen to me years ago, and it turned out the theme files themselves had been altered and the spam injected that way. I took a quick look through all of them and didn't see anything. I could see from the source of the site that the links were being inserted after the content on each post, and that the links were identical on each post. This seemed like a theme file injection to me, but clearly it wasn't.

I popped open the WordPress Admin itself and checked out a post. Lo and behold, there the links were, right in the content of each post. I checked out a number of them, new and old, and they were all the same. At this point there were two possibilities: the Admin was compromised, giving someone access in there and the ability to edit posts, or the database itself was compromised. Due to the speed of the attack, the fact that all the links were the same, and that over 500 Posts/Pages were identically altered, I concluded it must have been a database attack.

Here is what I did:

1. I changed the Admin username and password. Just to make sure that the Admin itself was secure, this login and password had to be changed. Since you cannot change usernames after they are created, I created a new account with a new password, logged in with that, and deleted the original account, attributing all posts to the new account.

2. I changed the server admin's username and password. My site is managed by Plesk, which has a login and password of its own. If someone had access to this, they could access the database. It is unlikely this was compromised, but to cover all the bases, this was changed as well.

3. The database name, database username, and database password were changed. Changing the database password might have been enough, but just to make things as difficult as possible I changed both the username and the password. The database name was changed later, after the cleanup (see below).

4. I changed the FTP login and password. If the hacker had this, they could have altered the theme files or opened the wp-config.php file to find the database credentials.

5. The XML-RPC file (xmlrpc.php) was removed. This file is used for pingbacks and trackbacks as well as remote editing possibilities like posting by email. I literally use none of these things, and this file has been responsible for security problems in the past, so I removed it.

6. The file permissions were checked. In particular, I found the wp-config.php file was set to 775; I changed it to 755. I also made sure that none of the files were world-writable except the very few that need to be, like the uploads folder.
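The file-permission check in step 6 above, made repeatable. This is an added example and not code from the post: it builds a throwaway WordPress-like directory tree (constructed, with a hypothetical theme name) in a temp dir, audits it, and applies the rule of thumb a commenter gives further down the page, files 644 and directories 755. It also treats wp-config.php specially, because that file holds the database credentials: at the 755 the post settled on, it is readable by every other account on a shared host, so the audit expects 600 (or 640 if PHP runs as a different user that shares the owner's group).

```python
from __future__ import annotations

import stat
import tempfile
from pathlib import Path

# Constructed stand-in for a WordPress document root, created in a temp dir so the
# audit runs offline. Modes mirror the post: wp-config.php at 755, and a theme file
# and the uploads directory left world-writable. Parents are listed before children.
SAMPLE_TREE = [
    ("index.php", False, 0o644),
    ("wp-config.php", False, 0o755),
    ("wp-content", True, 0o755),
    ("wp-content/themes", True, 0o755),
    ("wp-content/themes/mytheme", True, 0o755),  # hypothetical theme name
    ("wp-content/themes/mytheme/header.php", False, 0o666),
    ("wp-content/uploads", True, 0o777),
]


def build_sample_root() -> str:
    """Create the sample tree and return its path."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    for rel, is_dir, mode in SAMPLE_TREE:
        path = root / rel
        if is_dir:
            path.mkdir()
        else:
            path.write_text("<?php // placeholder\n")
        path.chmod(mode)  # explicit chmod so the process umask does not alter the sample
    return str(root)


def recommended_mode(path: Path, root: Path) -> int:
    """Rule of thumb: files 644, directories 755. wp-config.php holds the database
    credentials, so only the owner should be able to read it (600; use 640 if PHP
    runs as another user that is in the owner's group)."""
    if path.is_dir():
        return 0o755
    if path.relative_to(root) == Path("wp-config.php"):
        return 0o600
    return 0o644


def audit_permissions(root) -> list[tuple[str, str, str]]:
    """(relative path, current mode, problem) for every entry that is world-writable
    or grants group/other more than the recommended mode. Owner bits are ignored."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        perm = stat.S_IMODE(path.lstat().st_mode)
        want = recommended_mode(path, root)
        rel = str(path.relative_to(root))
        if perm & stat.S_IWOTH:
            # Any local account (other customers on a shared host, a compromised
            # neighbour) can rewrite the file or drop files into the directory.
            findings.append((rel, f"{perm:o}", "world-writable"))
        elif perm & ~want & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((rel, f"{perm:o}", f"looser than {want:o}"))
    return findings


def apply_recommended(root) -> int:
    """Set every entry to its recommended mode; returns how many were changed."""
    root = Path(root)
    changed = 0
    for path in root.rglob("*"):
        want = recommended_mode(path, root)
        if stat.S_IMODE(path.lstat().st_mode) != want:
            path.chmod(want)
            changed += 1
    return changed


if __name__ == "__main__":
    root = build_sample_root()
    for rel, mode, problem in audit_permissions(root):
        print(f"{mode:>4}  {problem:<16} {rel}")
    print(f"fixed {apply_recommended(root)} entries; remaining: {audit_permissions(root)}")
```

To use it on a real install, pass the document root to audit_permissions() instead of build_sample_root(). World-writable findings matter most: they mean any local account, not just the web server, can rewrite theme files or drop files into uploads, and the uploads directory only needs to be writable by the web server user, not by everyone. A related caveat for step 5: deleting xmlrpc.php is undone by the next core update, which restores missing core files, so a deny rule in the web server configuration is the durable way to switch it off.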

What the spam insertion looked like


That style attribute (inline CSS), when rendered in a typical browser, was converted to display: none, and thus the links were not visible. For whatever reason, when Mobify picked up this content, that weird string of characters wasn't converted, and thus the div was visible rather than hidden. The reason I'm sure the hackers chose this technique is that the blog owner may never realize the links were inserted, because they aren't typically visible. I would think that Google doesn't give any link credit to links that are in a container with display: none, but perhaps the hackers' theory is that the Googlebot won't be able to tell this div is hidden because of the weird code. I would be interested to know if Google can be duped with this technique. It seems like they would be smart enough to detect it, yet I wouldn't be surprised if the site is penalized anyway due to being compromised by spam.
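The page does not reproduce the injected markup, so the following is an added example (not from the post) that assumes the obfuscation was HTML numeric character references, the common form of this trick: display:none written as &#100;&#105;..., which a browser decodes before applying the CSS but a naive grep of the raw HTML never matches. The scanner decodes attribute values the way the browser does, walks the element tree, and reports links that sit inside a hidden container. The sample post content is constructed and the spam hostnames are placeholders.

```python
from __future__ import annotations

import html
import re
from html.parser import HTMLParser

# CSS that hides a container from a human visitor while leaving it in the markup.
# An assumed list for this example; extend it with whatever your scanner should catch.
HIDING_CSS = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|em|%)?(?:\s|;|$)"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}(?:px|em)",
    re.IGNORECASE,
)

# Elements that never have a closing tag, so they must not stay on the open-element stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}

# Constructed sample: "display:none" spelled as numeric character references.
OBFUSCATED_STYLE = "&#100;&#105;&#115;&#112;&#108;&#97;&#121;&#58;&#110;&#111;&#110;&#101;"

# Constructed post content modelled on the description above: article text with a
# genuine link, followed by the hidden block of spam links appended to every post.
SAMPLE_POST_CONTENT = (
    '<p>The real article text, with a <a href="https://example.com/ref">genuine link</a>.</p>'
    f'<div style="{OBFUSCATED_STYLE}">'
    '<a href="http://spam.example/pills">pills</a> '
    '<a href="http://spam.example/loans">loans</a>'
    "</div>"
)


def decode_style_attribute(raw: str) -> str:
    """What the browser sees after resolving character references. A raw-text grep
    for 'display:none' misses the obfuscated form; this does not."""
    return html.unescape(raw)


class HiddenLinkFinder(HTMLParser):
    """Collects the href of every <a> that sits inside a hidden container."""

    def __init__(self) -> None:
        super().__init__()
        self.stack: list[tuple[str, bool]] = []  # (tag, hidden?) per open element
        self.hidden_links: list[str] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # html.parser resolves character references in attribute values, so this
        # is already the decoded style, the same thing decode_style_attribute() gives.
        style = attrs.get("style") or ""
        inherited = self.stack[-1][1] if self.stack else False
        hidden = inherited or "hidden" in attrs or bool(HIDING_CSS.search(style))
        if tag == "a" and hidden and attrs.get("href"):
            self.hidden_links.append(attrs["href"])
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching start tag; unbalanced markup is tolerated
        # roughly the way a browser tolerates it.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(fragment: str) -> list[str]:
    """Return the hrefs of links that a visitor would never see in this fragment."""
    finder = HiddenLinkFinder()
    finder.feed(fragment)
    finder.close()
    return finder.hidden_links


if __name__ == "__main__":
    print("decoded style:", decode_style_attribute(OBFUSCATED_STYLE))
    for href in find_hidden_links(SAMPLE_POST_CONTENT):
        print("hidden link:", href)
```

Feed it the post_content of every row in wp_posts, or the rendered HTML of each page, and any hit is worth a look; legitimate articles rarely wrap links in a hidden block. The Mobify episode shows why this works at all: anything that decodes or renders the markup differently from a browser exposes the trick, which is exactly what the reader's screenshot did.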

How I Removed the Links


Luckily the code that was inserted in every single Post/Page was identical. I downloaded a fresh copy of the database (as a .SQL file), opened it up in TextMate (any text editor with find/replace will do), and did a find/replace on the block of spammy code (replaced it with nothing). Then I saved a new copy of it and created a new database on the server (hence the change in DB name). I imported the new fixed SQL file and pointed WordPress at the new database.
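The same cleanup done inside the database rather than in a dump opened in a text editor, as an added example (not the post's own method). It runs against an in-memory SQLite stand-in for wp_posts with constructed rows and a constructed injected block; the INSTR and REPLACE functions it uses have the same names and semantics in MySQL, so the statements carry over to a live WordPress database once you have a backup. Two things the text-editor route makes easy to miss: revisions live in the same table (post_type = 'revision') and carry the spam too, and the count of affected rows should be taken before and after so you know the pattern matched everything.

```python
from __future__ import annotations

import sqlite3

# The block the attacker appended to every post, as it appears in the WordPress
# editor. Constructed stand-in; the page did not reproduce the real one.
INJECTED_BLOCK = (
    '<div style="&#100;&#105;&#115;&#112;&#108;&#97;&#121;&#58;&#110;&#111;&#110;&#101;">'
    '<a href="http://spam.example/pills">pills</a></div>'
)


def open_sample_wp_posts() -> sqlite3.Connection:
    """In-memory stand-in for MySQL's wp_posts with just the columns the cleanup
    touches. Two posts, a page and a revision are infected; one post is clean."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_type TEXT, post_content TEXT)"
    )
    rows = [
        (1, "post", "<p>First post.</p>" + INJECTED_BLOCK),
        (2, "post", "<p>Second post.</p>" + INJECTED_BLOCK),
        (3, "page", "<p>About page.</p>" + INJECTED_BLOCK),
        # WordPress keeps revisions in the same table; restoring one brings the spam back.
        (4, "revision", "<p>First post, earlier draft.</p>" + INJECTED_BLOCK),
        (5, "post", "<p>Clean post written after the cleanup.</p>"),
    ]
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def count_infected(conn: sqlite3.Connection, block: str = INJECTED_BLOCK) -> dict[str, int]:
    """Rows per post_type still carrying the block. Run it before and after the fix."""
    cur = conn.execute(
        "SELECT post_type, COUNT(*) FROM wp_posts "
        "WHERE instr(post_content, ?) > 0 GROUP BY post_type",
        (block,),
    )
    return dict(cur.fetchall())


def strip_block(conn: sqlite3.Connection, block: str = INJECTED_BLOCK) -> int:
    """Remove every occurrence of the block from post_content; returns rows changed.
    Same statement works on MySQL: REPLACE() and INSTR() exist there with the same
    meaning, and the bound parameter avoids hand-escaping the HTML into a LIKE pattern."""
    cur = conn.execute(
        "UPDATE wp_posts SET post_content = replace(post_content, ?, '') "
        "WHERE instr(post_content, ?) > 0",
        (block, block),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    conn = open_sample_wp_posts()
    print("before:", count_infected(conn))
    print("rows cleaned:", strip_block(conn))
    print("after:", count_infected(conn))
```

If you do work from a mysqldump file instead, remember that the dump backslash-escapes the quotes inside string values (style=\"...\"), so the block as copied from the editor will not match byte for byte until you escape it the same way.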

Crossing My Fingers
It's been a week now, and no more problems. I pray that what I have done has fixed whatever the hole was, but of course I can't be 100% certain, because I'm not 100% certain what it was to begin with. Of course, posting all this information surely doesn't make me any more secure, but oh well. I do have serious backups going on, so the worst thing that can happen is I get hacked again and have to restore from backups and keep plugging holes.

Consequences
Although the spam wasn't on my site for more than a few hours, someone has pointed out to me that my Google PageRank for the homepage has dropped from a reasonable and healthy PR 6 to ZERO. While PageRank is a very weird thing and it could be any number of things, including a random inaccurate report from Google, it seems more likely this is a penalization from them for the spam. Many of my subpages, which get crawled far less frequently, still have their PageRank. It's not just the PageRank: many searches that would have brought up the homepage (e.g. my own name) are now far down the SERP pages when they used to be #1. This of course will be seriously affecting my traffic until my PageRank is restored, if it ever is. CSS-Tricks is a non-trivial portion of my income, and if there is a serious dip in traffic it could certainly affect me financially. I'm not whining, it just goes to show that site security is not some abstract nerdy hobby, it's serious business that can have serious consequences.

Posted in: Security. Tags: database, hacking, spam. Discussion: 29 Comments


Let's talk it out, folks.

1. Rob said on June 30, 2009: This happened to one of mine once. A very good article is contained here: http://www.smashingmagazine.com/2009/01/26/10-steps-to-protect-the-admin-area-in-wordpress/ The Login Lockdown plugin is very good indeed http://www.bad-neighborhood.com/login-lockdown.html #1

2. jessi Hance said on June 30, 2009: So glad you were able to recover and batten down the hatches! Thank you for sharing the details. Can't Google help you recover your page rank if you contact them about what happened? #2

Chris Coyier said on June 30, 2009: I looked around for a while and didn't find any way to contact them generically like that. I found ways to REPORT spam, but I was way too nervous to use that form to contact them about my situation, afraid that they'd see the URL and assume I was reporting that URL for spam violations. #2.1

jessi Hance said on June 30, 2009: Dang, it's like being afraid to ask the police for help in case they might arrest you instead of the person at fault. #2.1.1

Chris Coyier said on June 30, 2009: Haha, exactly. #2.1.2

Sumesh said on June 30, 2009: I remember David Airey (or was it Jacob Cass?) contacted Matt Cutts and he helped fix things. Since CSS Tricks is also a reputed site, I think you would have good luck moving through that route. Maybe a tweet @mattcutts is all it takes to get started. #2.1.3

3. Tommy said on June 30, 2009: Yikes, man. That is scary. Do a followup a little later to let us know if that fixed everything. #3

4. Marcy said on June 30, 2009: You can request Google to reconsider your site. Log in to your Google Webmaster Tools. Click on the account that you want reconsidered. Over on the left is "Help with" and below is "Reconsideration Requests". There is a space to write an explanation. It will take them time. I hope you get it all straightened out with them. CSS-Tricks is a very helpful site. #4

Chris Coyier said on June 30, 2009: Ahhhh, thank you! Didn't see that Reconsideration thing. Done. #4.1

5. Keith McLaughlin said on June 30, 2009: That sucks Chris. Glad you got it sorted so quickly. I had a similar problem on a non wp site and lost all PR for the homepage. I never got the PR back to what it was. Not sure this will help but you could try contacting Google via their reconsideration page (webmaster tools): https://www.google.com/webmasters/tools/reconsideration Just tell them what happened and see what they say. #5

6. Kris said on June 30, 2009: This happened to several of my sites on March 4, I believe. On my Drupal sites, my template files were hacked. I also found it on some of my straight PHP sites. Due to the nature of it, I didn't discover it right away, until Google tagged my sites as spam sites. Once I was aware of the attack, it took a while to find the affected file, because the last update of the file hadn't changed. I discovered it when I found a template file to be over 50k when normally it would be less than 10k. Cleaned up all the spam links, waited for Google to re-discover, and I was good to go. #6

7. The Frosty said on June 30, 2009: That's crazy, stupid spammers. I guess that just shows that you've got to make sure your ends are covered before you get massive hits and traffic. #7

8. John Hoff - WpBlogHost said on June 30, 2009: You know, I don't hate many things in this world, but I do hate these freaking malicious hackers. I've dedicated a lot of my time to stopping them. My wife's e-commerce site got hacked. The intruder uploaded a script which installed a .gif file in every folder labeled image. The file downloaded viruses to people's computers. I mean come on, really? I love the good things you guys are doing over here. And I know what you mean by being worried about posting too much. I talk about blog security at times on my site and there's always that little voice in my head telling me "you're just inviting them to take a crack at it, John." Google took my wife's site offline before I noticed the problem. I fixed it and then through Google's Webmaster Tools (like others had mentioned) I informed them I fixed everything. The site came back online, but I lost 2 points in PR and traffic is way down. One question. How did you figure out what the encoded code decoded to (i.e. the display:none)? #8


Chris Coyier said on June 30, 2009: I used Firebug to inspect the area toward the end of the post and I saw the div there, which had that inline styling applied. Pretty clever little technique, if it wasn't the most malicious thing ever. #8.1

John Hoff - WpBlogHost said on June 30, 2009: Firebug is probably one of the coolest free things out there. They could probably even charge for it (just don't tell them that). Thanks for the insight. #8.1.1

9. sefat said on June 30, 2009: What an experience! End of the day I'm happy to see csstricks is doing okay!! :) #9

10. Samir Talwar said on June 30, 2009: I'm glad to hear it's all sorted out now. Finally, I have a reason I can tell people I built my own blog from scratch (past I felt like it) even I can't remember how the database works. Also, the admin area doesn't exist. OK, perhaps I need to come up with a couple more reasons. #10

11. John Bloomfield said on June 30, 2009: We have had this twice now over at 71squared.co.uk although our links were porn links and hidden unless you view the source, so not sure how long they were there for :( #11

12. redwall_hp said on June 30, 2009: Contact Google, whether through Matt Cutts or a more official method, and explain what happened to them. They have the power to fix it, and very well might help you out. #12

13. Len said on June 30, 2009: You said that you changed permissions of wp-config.php to 755. Rule of thumb, files 644 folders 755 #13

14. Joel Oliveira said on July 1, 2009: It hasn't been mentioned here yet and I think it deserves inclusion: http://blogsecurity.net/wpscan The security scan there is helpful, not to mention the entirety of the blogsecurity website. I've used it a couple of times on a few sites and it's caught a few things that helped me lock things down. First thing I do these days w/ WordPress: remove that admin account. I think that's the root of a good number of vulnerabilities. #14

15. Matt Gibson said on July 5, 2009: Scary. One thought springs to mind: I wonder how easy it would be to create a Yahoo pipe that took an RSS feed and made a feed of the raw source? At least if you were subscribed to that for your own sites you'd see the problem fairly quickly. #15

16. Evil Mammoth said on August 5, 2009: I've had a similar thing happen. I was just wondering, as of a month later, what the status is. Have you had further troubles with the spammer? Thanks again for this guide and writing this post. #16

Chris Coyier said on August 5, 2009: Still clean as of this date! Thank god. #16.1

Evil Mammoth said on August 5, 2009: That's great. I'm hoping I have the same success when I implement your changes. I had already done a few of them a few days ago with no luck, and I'm getting real tired of these assholes. Keep up the good work. I'll be checking in. Glad I stumbled across your site. #16.1.1

17. dibo said on August 12, 2009: Exact same thing happened to me. Same links too. I think it was an exploit in the WordPress code so a malformed SQL query inserted all the links but I did all the things you did just to be safe. #17

Comments are closed. If you have something really important to add, contact us. Thank you!