
My Compromised Blog

I was doing some general cleanup around the blog. (Considering widgetizing the sidebar...) I re-validated the XHTML, and some errors came up. The following code was inserted into the content of a post. (Which is contained inside a MySQL item.)

<p id="displayer" style="display:none">
CD and DVD films available for download at <a href="">download movies</a> site, cheap prices and fast downloading.</p>

The evil little snippet above says that humans won't be bothered with the link, but search engines will notice it.  Also, the following was actually inserted into my theme's index.php.

<form id="srch" name="srch" style="overflow:hidden;width:0pt;height:0pt" method="post">
DiVX and DVD films available at <a href="">download movies</a> portal, low prices and fast downloading.

Just like the prior snippet, humans won't see the link, but search engines will.

It's hard to describe how annoying this is. Somebody/bot found a way to compromise my blog's directory and its database.  I only sftp and ssh to the site. (Although in the past I have ftp'ed. No more!) I thought I chmodded the wordpress files to -rw-r-----, but I see now that there are more extensive write permissions in some directories.

I checked the last few logins, but they were all mine this month.  (And my host clears the log every month.)  I have to monitor the situation closely.

Ye gods, the referrer spam goons are aggressive!  Aargh!
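
Both injected snippets follow one pattern: a link nested inside an element that an inline style hides from visitors. The Python script below is an added example, not part of the original post, that flags that pattern in theme files or exported post content. The sample markup is constructed from the two snippets above, and the spam.example URL is a placeholder.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide an element from human visitors but not from crawlers.
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0(?:px|pt|em|%)?\s*(?:;|$)", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta"}

class HiddenLinkFinder(HTMLParser):
    """Collect <a> tags nested inside an element hidden by inline style."""
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, hidden?) for every element still open
        self.findings = []  # (line, hiding tag, href)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            hiders = [t for t, hidden in self.stack if hidden]
            if hiders:
                line = self.getpos()[0]
                self.findings.append((line, hiders[-1], attrs.get("href")))
        if tag not in VOID:
            hidden = bool(HIDING.search(attrs.get("style") or ""))
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Tolerate unclosed tags (the injected <form> above is never closed):
        # closing an ancestor also closes everything opened inside it.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan(markup):
    finder = HiddenLinkFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings

# Constructed sample: a theme template containing both kinds of injection.
SAMPLE = """<?php get_header(); ?>
<div id="content">
<p>See my <a href="/about/">about page</a>.</p>
<p id="displayer" style="display:none">
CD and DVD films at <a href="http://spam.example/">download movies</a> site.</p>
<form id="srch" name="srch" style="overflow:hidden;width:0pt;height:0pt" method="post">
DiVX and DVD films at <a href="http://spam.example/">download movies</a> portal.
</div>
<p><a href="/archive/">Archive</a></p>
"""
```

Calling scan() on each theme file and on each post body exported from the database returns the line, the hiding element and the link target for every hit; an empty list means no link was found inside an inline-hidden element.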


( 7 comments — Leave a comment )
Jan. 25th, 2008 09:53 pm (UTC)
Ha, but they only want to help. Adding just the missing parts. ...
Jan. 26th, 2008 04:10 am (UTC)
Actions taken:
  • Changed password.
  • chmodded the WordPress directories and files.
  • Disabled ftp access. (sftp still works!)
  • Inspected system with both Ad-Aware and Spybot S&D.

Will have to watch it for a while...

Edited at 2008-01-26 04:11 am (UTC)
Jan. 28th, 2008 04:46 pm (UTC)
Re: Owari
Change the database password as well. This will require changing the wp-config.php file, but if they got in, then you can't be too careful.
Jan. 29th, 2008 06:53 am (UTC)
Re: Owari
Good point. Done. (And yea! for OpenID.)
Feb. 22nd, 2008 06:24 pm (UTC)
Argh - looks like I just got hit with the same thing at :(

Which file did you wind up finding the offending text in? I've been diving through various index.php files and I haven't been able to find their muck anywhere!
Feb. 23rd, 2008 03:08 am (UTC)
Looks like you found it. (Did you?) For me, one violation was somehow appended to one of my entries! (Meaning it resided in a MySQL record.) The other was appended to my theme's index.php file.
Feb. 23rd, 2008 03:31 am (UTC)
No, actually - it's still there in the page source, down under the archive months and above the search form. :(

I think it might be in a MySQL record then, I did go through all of the php files for my theme and didn't find a thing. The SQL tables are the only other place to go looking, and DH hosts the database, so it's an adventure to go mucking around in there.

edit: Ah HAH! Looks like I got it. With a little help, of course. So the offending PHP call was sitting in my headers.php file right under my nose (I saw it, but thought it looked natural) and killed it. Had to also dive into the database and clean up the PHP call from the database as well (along with a couple hundred bogus rss_% option names in the wp_options table). Checked my other blogs and they looked clean. Weird! I don't even know when it got there...anyway, this was a huge help:

I think I'll keep that bookmarked. XD Now maybe I can beg the Google gods to start indexing TTVF again...

Edited at 2008-02-23 05:13 am (UTC)