My Compromised Blog

I was doing some general cleanup around the blog. (Considering widgetizing the sidebar...) I re-validated the XHTML, and some errors came up. The following code was inserted into the content of a post. (Which is contained inside a MySQL item.)


<p id="displayer" style="display:none">
CD and DVD films available for download at <a href="http://my-movie-download.com/">download movies</a> site, cheap prices and fast downloading.</p>


The evil little snippet above says that humans won't be bothered with the link, but search engines will notice it.  Also, the following was actually inserted into my theme's index.php.


<form id="srch" name="srch" style="overflow:hidden;width:0pt;height:0pt" method="post">
DiVX and DVD films available at <a href="http://my-movie-download.com/">download movies</a> portal, low prices and fast downloading.
</form>


Just like the prior snippet, humans won't see the link, but search engines will.
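As an added example (not code from the original post or from WordPress), here is a small Python scanner for the two hiding tricks shown above: it parses a post body or theme fragment and reports every link that sits inside an element hidden by an inline style (display:none, visibility:hidden, or a zero-size box), skipping links that point back to the site itself. The sample markup and the hostname blog.example.net are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that keep an element in the markup (so crawlers
# index it) while removing it from what a reader sees.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0(?:pt|px|em|%)?\s*(?:;|$)",
    re.IGNORECASE,
)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never get an end tag


class HiddenLinkFinder(HTMLParser):
    """Collects <a href> links that have an ancestor hidden by inline style."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []     # (tag, id-if-hiding-else-None) for each open element
        self.findings = []  # (hiding tag, its id, href of the hidden link)

    def _hidden_ancestor(self):
        for tag, hidden_id in reversed(self.stack):
            if hidden_id is not None:
                return tag, hidden_id
        return None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hiding = HIDDEN_STYLE.search(a.get("style", "")) is not None
        if tag == "a" and a.get("href"):
            anc = self._hidden_ancestor()
            host = (urlparse(a["href"]).hostname or "").lower()
            if anc and host != self.site_host:  # outbound link inside a hidden box
                self.findings.append((anc[0], anc[1], a["href"]))
        if tag not in VOID_TAGS:
            self.stack.append((tag, a.get("id", "") if hiding else None))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:  # close this element and any left open
                del self.stack[i:]
                break


def find_hidden_links(html, site_host):
    parser = HiddenLinkFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one visible outbound link, both injected snippets from
# the post, and a legitimately hidden internal skip-link (not flagged).
SAMPLE_POST = """<p>Text with a <a href="http://example.org/">visible link</a>.</p>
<p id="displayer" style="display:none">
CD and DVD films at <a href="http://my-movie-download.com/">download movies</a> site.</p>
<form id="srch" name="srch" style="overflow:hidden;width:0pt;height:0pt" method="post">
DiVX films at <a href="http://my-movie-download.com/">download movies</a> portal.
</form>
<div style="display:none"><a href="http://blog.example.net/#content">skip</a></div>"""

if __name__ == "__main__":
    for tag, elem_id, href in find_hidden_links(SAMPLE_POST, "blog.example.net"):
        print(f"hidden <{tag} id={elem_id!r}> carries outbound link {href}")
```

The same function can be run over each row of wp_posts and each theme file; a visible outbound link or a hidden internal one produces no report.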

It's hard to describe how annoying this is. Somebody/bot found a way to compromise my blog's directory and its database. I only sftp and ssh to the site. (Although in the past I have ftp'ed. No more!) I thought I chmodded the WordPress files to -rw-r-----, but I see now that there are more extensive write permissions in some directories.

I checked the last few logins, but they were all mine this month.  (And my host clears the log every month.)  I have to monitor the situation closely.

Ye gods, the referrer spam goons are aggressive!  Aargh!

Comments (7)
sjonsvenson
Jan. 25th, 2008 09:53 pm (UTC)
Ha, but they only want to help. Adding just the missing parts. ...
*sigh*
dblume
Jan. 26th, 2008 04:10 am (UTC)
Owari
Actions taken:
  • Changed password.
  • chmodded the WordPress directories and files.
  • Disabled ftp access. (sftp still works!)
  • Inspected system with both Ad-Aware and Spybot S&D.

Will have to watch it for a while...

Edited at 2008-01-26 04:11 am (UTC)
ext_82408
Jan. 28th, 2008 04:46 pm (UTC)
Re: Owari
Change the database password as well. This will require changing the wp-config.php file, but if they got in, then you can't be too careful.
ext_82484
Jan. 29th, 2008 06:53 am (UTC)
Re: Owari
Good point. Done. (And yea! for OpenID.)
halophoenix
Feb. 22nd, 2008 06:24 pm (UTC)
Argh - looks like I just got hit with the same thing at TechTVForever.net. :(

Which file did you wind up finding the offending text in? I've been diving through various index.php files and I haven't been able to find their muck anywhere!
dblume
Feb. 23rd, 2008 03:08 am (UTC)
Looks like you found it. (Did you?) For me, one violation was somehow appended to one of my entries! (Meaning it resided in a MySQL record.) The other was appended to my theme's index.php file.
halophoenix
Feb. 23rd, 2008 03:31 am (UTC)
No, actually - it's still there in the page source, down under the archive months and above the search form. :(

I think it might be in a MySQL record then, I did go through all of the php files for my theme and didn't find a thing. The SQL tables are the only other place to go looking, and DH hosts the database, so it's an adventure to go mucking around in there.

edit: Ah HAH! Looks like I got it. With a little help, of course. So the offending PHP call was sitting in my headers.php file right under my nose (I saw it, but thought it looked natural) and killed it. Had to also dive into the database and clean up the PHP call from the database as well (along with a couple hundred bogus rss_% option names in the wp_options table). Checked my other blogs and they looked clean. Weird! I don't even know when it got there... anyway, this was a huge help:
http://robertogaloppini.net/2007/12/12/wordpress-spam-injection-goro-hacked-my-blog/

I think I'll keep that bookmarked. XD Now maybe I can beg the Google gods to start indexing TTVF again...

Edited at 2008-02-23 05:13 am (UTC)