
WordPress Forum

    
Was I Hacked?
Jhet




msg:4314668
 2:10 pm on May 19, 2011 (gmt 0)

So I have this pretty small personal WordPress blog that I've been using for weight loss and health postings. I don't post on it very often and it isn't there to be a big money earner or anything but I do have some ads on it. It only gets about 500 views a month and has shown up for some specific long tail keywords.

Well it has been a few weeks since I even went to the site but yesterday I did. And for whatever reason I also searched for it in Google. I found my site but Google's cache showed a crap load of spam in the site. The cache shows a pharma keyword stuffed website but I've never added any of that text to the site. And what's funny is that there are no links to any other website. Just a bunch of keyword stuffing.

So I checked the website files and the database and I cannot find any of the keywords or any reason as to how they could have gotten on the website in the first place. I called the hosting company and had them check as well. They found nothing.

So what is going on? I didn't add the spam or remove it. The hosting company doesn't know what is going on with it. So how did Google get the keyword spam into their cache? The Google cached files from Apr 26 to May 17th all have the spam in them.

Anyone have any idea what's going on and how to make sure it doesn't happen again?

 

Brett_Tabke




msg:4314762
 4:31 pm on May 19, 2011 (gmt 0)

Do a page pull from Google Webmaster Tools as Googlebot and see what is shown to you.

Jhet




msg:4314767
 4:41 pm on May 19, 2011 (gmt 0)

I did do that last night and everything looks normal. This is what is so confusing. Nothing appears to have really changed, except for Google's cache of the site. I have not so much as ftp'd into the site for three weeks.

incrediBILL




msg:4314771
 4:47 pm on May 19, 2011 (gmt 0)

> wordpress


Wordpress is actually an ancient Egyptian word meaning "hacked", if you run it, odds are likely.

You probably have an SEO spam injection on your site, go view the source of the page and see if you find a bunch of garbage links stuffed in it.

Jhet




msg:4314792
 4:56 pm on May 19, 2011 (gmt 0)

That's the funny thing...there were never any links injected even in the Google cache. Just keyword spam. And it's all gone now. View source on the page - clean. View source on Google cache - clean of links but added keyword spam.

I can't see any benefit from someone even doing it.

Jhet




msg:4314793
 4:57 pm on May 19, 2011 (gmt 0)

It's all gone now except for the Google cache I should say.

incrediBILL




msg:4314797
 5:07 pm on May 19, 2011 (gmt 0)

Did you try Brett's suggestion and pull the page as Googlebot from WMTs?

It could be something cloaked in your WP code, that would be nasty.

Jhet




msg:4314804
 5:18 pm on May 19, 2011 (gmt 0)

I did last night and just now...they both look normal. No spam is on the site.

rogerd




msg:4315369
 4:12 pm on May 20, 2011 (gmt 0)

You may want to check your templates and database. There are a variety of link injection schemes. One puts an innocuous looking call to a php file in the footer. Another modifies the database. I had a similar experience, and modifying the footer and updating WP cleared up the issue, although Google kept some of the cached spam around for months. Rankings/traffic recovered somewhat, though not to the pre-hack level.

Jhet




msg:4315387
 4:39 pm on May 20, 2011 (gmt 0)

Well that is the thing...

No links have been inserted into the website. Only keywords were added. And they only show up in the Google cache.

So who would hack a site just to stuff keywords into it? The only thing it achieves is reduced rankings for me. And to top it off it's not a fantastic site anyway. The site isn't competition for others really and it only gets about 500 views per month.

Status_203




msg:4316164
 8:29 am on May 23, 2011 (gmt 0)

I run a CMSed site for a local community organisation that got hacked. No sign if I went straight to the site, but attempted to redirect me to a very spammy looking domain when I went in from a Google search.

(Recommend Firefox with RequestPolicy add on. Bit of a pain on day to day browsing but stopped the hack's redirect and asked me if I wanted to allow it. No!)
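
The checks suggested in this thread (requesting the page as Googlebot, and arriving from a Google result as in the post above) can be scripted against your own site. The following Python is an added example, not part of any post: the profile names, the `compare` helper and the browser User-Agent string are assumptions made for illustration. It changes only request headers, so cloaking keyed on Google's IP ranges will not show up; Fetch as Googlebot in Webmaster Tools covers that case.

```python
import re
import sys
import urllib.error
import urllib.request

BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0"  # constructed UA string
# Only the headers change between profiles; the source IP is always yours.
PROFILES = {
    "direct": {"User-Agent": BROWSER},
    "from_search": {"User-Agent": BROWSER, "Referer": "https://www.google.com/search?q=test"},
    "googlebot_ua": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx responses instead of following them


def http_fetch(url, headers):
    """Return (status, Location header, body) for one request."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=15) as r:
            return r.status, None, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), ""


def page_words(html):
    """Words in the markup's text, CSS-hidden blocks included; scripts/styles dropped."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)
    return set(re.findall(r"[a-z]{4,}", re.sub(r"<[^>]+>", " ", html).lower()))


def compare(url, fetch=http_fetch):
    """Per profile: redirect target (if any) and words a direct visitor never gets."""
    baseline = page_words(fetch(url, PROFILES["direct"])[2])
    report = {}
    for name in ("from_search", "googlebot_ua"):
        status, location, body = fetch(url, PROFILES[name])
        report[name] = {"redirect": location if 300 <= status < 400 else None,
                        "extra_words": sorted(page_words(body) - baseline)}
    return report


if __name__ == "__main__":
    print(compare(sys.argv[1]))  # pass the URL of a page on your own site
```

A non-empty `extra_words` list or a `redirect` value for either profile means the server answers differently depending on who appears to be asking.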

johnnie




msg:4316868
 2:16 pm on May 24, 2011 (gmt 0)

Try and look for chunks of base64 encoded junk in your posts and/or template files. Hackers often use this to obfuscate their crap.

lexipixel




msg:4317203
 12:18 am on May 25, 2011 (gmt 0)

> base64 encoded junk


Just what I was thinking. I recently cleaned out a shared hosting site where <?php eval(base64_decode(... statements had been injected into WordPress .PHP files, (also phpBB and OsCommerce php files on the same server).

The exploit was triple hidden. The base64 code would create CSS code that hid a DIV that contained more PHP that read from "key" files hidden in an image directory. The key files contained more base64 encoded strings which expanded to keyword spam links at run time. It was fairly genius -- except for the fact that the eval() ran when the WordPress dashboard was opened and there was a slight "flicker" on the dashboard tipping off the owner that something wasn't right....

lexipixel




msg:4317211
 12:28 am on May 25, 2011 (gmt 0)

Grep this (or have the hosting company do it if you don't have shell access).

grep -rlZ -F 'eval(base64_decode(' . | xargs -0 -r sed -r -i -e "/<\?php \/\*\*\/eval\(base64_decode\('.+'\)\); \?>/d"


(DISCLAIMER: I did not write that code - it was supplied by someone more skillful at the prompt than I am. I can not decide it for you -- but can tell you it found the buggers).
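
A read-only way to do the same search, added here as an example and not part of lexipixel's post: it lists each `eval(base64_decode(...))` in `.php` files and decodes the payload, layer by layer, for inspection without running it or editing any file. The function names, the layer limit and the sample files built in `demo()` are constructed for illustration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# eval(base64_decode('...')) with either quote style; group 1 is the payload.
INJECTION = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)")
MAX_LAYERS = 5  # give up after this many nested layers


def unwrap(payload):
    """Decode a payload (never execute it), following nested eval(base64_decode())."""
    layers = []
    for _ in range(MAX_LAYERS):
        try:
            decoded = base64.b64decode(payload)
        except (binascii.Error, ValueError):
            break
        layers.append(decoded)
        nested = INJECTION.search(decoded)
        if not nested:
            break
        payload = nested.group(1)
    return layers


def scan(root):
    """Report every match in *.php under root; files are read, never modified."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        data = path.read_bytes()
        for m in INJECTION.finditer(data):
            line = data.count(b"\n", 0, m.start()) + 1
            findings.append({"file": str(path.relative_to(root)), "line": line,
                             "layers": unwrap(m.group(1))})
    return findings


def demo():
    """Constructed sample: footer.php carries a two-layer injection, index.php is clean."""
    inner = b"echo '<div style=\"display:none\">constructed spam keywords</div>';"
    layer1 = b"eval(base64_decode('" + base64.b64encode(inner) + b"'));"
    bad = b"<?php wp_footer();\n?>\n<?php /**/eval(base64_decode('" + base64.b64encode(layer1) + b"')); ?>\n"
    with tempfile.TemporaryDirectory() as root:
        Path(root, "footer.php").write_bytes(bad)
        Path(root, "index.php").write_bytes(b"<?php echo 'hello'; ?>\n")
        return scan(root)
```

Reviewing the decoded layers before deleting anything also shows which other files the injected code reads, such as the "key" files described above.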

Sgt_Kickaxe




msg:4317232
 1:21 am on May 25, 2011 (gmt 0)

Step back a minute, if fetch as googlebot finds nothing but you see it in cache perhaps it's your browser that is infected. I was hit with a BRILLIANTLY done virus that swapped out ads on whatever site I visited and I kept seeing junk like emoticons but didn't suspect a thing until I visited my own site and saw ads that didn't belong to any network I'm a part of.

It's not unrealistic for it to inject spam words too so that the google toolbar thinks you are into that stuff.

Jhet




msg:4317393
 1:46 pm on May 25, 2011 (gmt 0)

I'm pretty sure it wasn't a browser virus. It was only showing spammy code on the Google cache of my site and nowhere else.

If it happens again I'll definitely look for eval/base64. I think what happened was that the hosting company caught the hacked site before I did and they fixed it without telling me. By the time I saw it, only Google's cache still had what the hackers did to the site in it.

I went to webmaster tools and had the cached pages removed. Several of them have been re-cached and no longer have all the spam keywords in it.

Thank you everyone for the help and advice!

Demaestro




msg:4317448
 3:26 pm on May 25, 2011 (gmt 0)

If the server is linux based and you have SSH you should be able to install and run maldet.

I ran into something similar recently and maldet found it for me. I set it up to run every day via a cron to make sure it doesn't return.

flashdash




msg:4317832
 9:38 am on May 26, 2011 (gmt 0)

> That's the funny thing...there were never any links injected even in the Google cache. Just keyword spam. And it's all gone now. View source on the page - clean. View source on Google cache - clean of links but added keyword spam.
>
> I can't see any benefit from someone even doing it.


This looks like automated spam software with embedded links and garbage keywords that tried to stick links on your WP pages. Looks like it failed on the href side, but did add the words. There are loads of exploits for WordPress, some are public and many are not. Make sure your WP is updated and keep your plugins to an absolute minimum - they can be exploited too.

spadilla




msg:4319341
 5:54 pm on May 29, 2011 (gmt 0)

This may be a simply stupid question, but was your Wordpress install up to date when this happened? How about the plugins?

Jhet




msg:4319407
 10:15 pm on May 29, 2011 (gmt 0)

WordPress was not. I think it was just below version 3.0. All plugins were updated though. The good news is that there has been no reoccurrence so far.

chewy




msg:4321199
 5:59 pm on Jun 2, 2011 (gmt 0)

Nice to see the ancient Egyptians shared our pain.

What did they do about it besides falling to Rome?

Can anyone comment on what plugins tend to be more or less vulnerable to these types of problems?

Is there a useful method (or ritual) to avoid risky behavior (other than marshaling slaves, building pyramids, writing one's own code...?)

rogerd




msg:4321214
 6:24 pm on Jun 2, 2011 (gmt 0)

Keeping Wordpress up to date is the biggest priority. I've had one WP install hacked, and it was on a site I wasn't maintaining regularly, which left it vulnerable. Now, keeping WP up to date is a snap - you are notified in your admin panel when there's a new version, and it can often be installed with a single click.

From what I've seen, plugins are less often entry paths for hackers, though I'd be leery of plugins with little history and unknown developers.

Keep your theme up to date, too.

alfonzoz




msg:4321969
 3:45 pm on Jun 4, 2011 (gmt 0)

I really don't think that the WP release has anything to do with it. Usually a hack is about userid's and passwords and about editing the PHP on a feature (plug-in or a theme, for instance).

I got hacked just the other day myself (the green death head thingie); I was careless on one of my hosted servers.

The hacker nailed all the domains that I have on one of my hosts. So I suspect that they actually hacked into my C-Panel or because the passwords were the same on all the domains that I had on that server they got a directory and edited each of the domains with the green deathhead. Don't know for sure... I just fixed it and any potential causes and went on.

I was at WordPress 3.1.2, if memory serves me. Fortunately I had 3.1.3 waiting and installed it on all of the hacked sites except for the one that I left in place to show my hosting company's level 2 folks. I also changed the passwords on all the URLs on that server.

I didn't actually check but I suspect that they did this by replacing the PHP that displays the startup page on my sites, whatever that was (blog or static). My posts, themes, etc were unaffected. After I upgraded, everything returned to normal.

Things I learned:
1. don't use easy passwords... I did because it was easy for me to remember and I have a lot of sites.
2. don't use the same password everywhere... I did because ditto.
3. keep a backup of all your domains on another computer... like your personal pc or another hosting relationship's account. I didn't but I lucked out and had a wordpress upgrade waiting on all the domains that were affected so it was easy to fix.

Bottom line... if you get hacked and don't know what to do about it contact your hosting service's level 2 support. If you do know what to do, upgrade or reinstall if you know how to do that without wiping out your articles and posts, widgets, etc.

Al

rogerd




msg:4321983
 4:18 pm on Jun 4, 2011 (gmt 0)

Server level and host level attacks are a different story, though they can be just as traumatic. One host I used to work with couldn't seem to keep the door shut to hackers, who replaced all index pages with their own message page. After the second time it happened, I changed hosts.

Keeping Wordpress up to date will prevent known WP hacks, at least.
