SWX web site spam hack

Danny emailed me today to say that he'd noticed spam links on the SWX web site (thanks, man!) When I looked, I couldn't see anything. That is, until I looked at the source.

Somehow, someone managed to inject spam links and hide them using display:none. The actual code starts like this:

<u style="display: none">

And then includes the spam links.

I feel they may have gotten in through a vulnerability in the older version of WordPress that the site is running. I am now in the process of upgrading it to the latest version (2.3.2) and having my web host check the servers.

In the meanwhile, though, I didn't want the bastards to gain another penny from having hacked my site so I whipped up a very simple WordPress plugin that checks for and removes those links.

It's called Remove Hidden Spam and you can download it here (.zip; 718 bytes) in case you're affected by this also (Danny told me that Keith was hit by this recently too.) Just copy it to your plugins folder and activate it.

The SWX web site spam hack article by Aral Balkan, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial 2.0 UK: England License.
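A detection sketch for the injection described in the post, added here as an example and not the code of the Remove Hidden Spam plugin: it parses saved page source or a theme file and reports links inside elements hidden with `display:none` or with the zero-size `overflow: hidden` box reported in the comments below, regardless of quoting or spacing. The function names and the sample markup (with `spam.example` URLs) are constructed for illustration.

```python
import re
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}
ZERO = re.compile(r"0(\.0+)?[a-z%]*")  # 0, 0pt, 0px, 0.0em ...

def is_hidden(style):
    """True if an inline style hides the element: display:none or a zero-size clipped box."""
    decl = {}
    for part in (style or "").lower().replace("!important", "").split(";"):
        prop, _, val = part.partition(":")
        decl[prop.strip()] = val.strip()
    collapsed = any(ZERO.fullmatch(decl.get(k, "")) for k in ("height", "width"))
    return decl.get("display") == "none" or (decl.get("overflow") == "hidden" and collapsed)

class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.findings = [], []  # open (tag, hidden?) pairs; (line, hiding tag, href)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_by = next((t for t, h in reversed(self.stack) if h), None)  # nearest hidden ancestor
        own = is_hidden(a.get("style"))
        if tag == "a" and a.get("href") and (hidden_by or own):
            self.findings.append((self.getpos()[0], hidden_by or tag, a["href"]))
        if tag not in VOID:
            self.stack.append((tag, own))

    def handle_endtag(self, tag):
        names = [t for t, _ in self.stack]
        if tag in names:  # pop back to the matching open tag, tolerating unclosed children
            del self.stack[len(names) - 1 - names[::-1].index(tag):]

def find_hidden_links(html):  # returns [(line number, hiding tag, href), ...]
    finder = HiddenLinkFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample: one legitimate link plus three hidden-link variants.
SAMPLE = """<div id="footer"><a href="https://wordpress.org/">WordPress</a>
<u style="display: none"><a href="http://spam.example/pills">pills</a></u>
<span style='display:none'><a href="http://spam.example/casino">casino</a></span>
<font style="overflow: hidden; position: absolute; height: 0pt; width: 0pt;">
<a href="http://spam.example/loans">loans</a></font></div>"""

if __name__ == "__main__":
    for line, tag, href in find_hidden_links(SAMPLE):
        print(f"line {line}: link hidden by <{tag}>: {href}")
```

Because it walks the parsed element tree instead of matching one literal opening tag, a variant with different quotes, spacing or wrapper element is still reported.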

14 Responses to “SWX web site spam hack”


  1. Keith Peters

    Seems like upgrading WP and changing the password has helped so far (knock on wood). But I might check out the plugin too.

  2. Claus Wahlers

    GAH! And I was wondering why my blog’s pagerank dropped. Now I know. Bastards. Lesson learned. Thanks Aral ;)

  3. Aral

    Just a quick update: Having looked in the database it does look like they used an SQL injection vulnerability in WordPress (in 2.1.2) to inject the code directly into the database.

  4. Claus Wahlers

    In my case the spammed links were located in my theme’s footer.php (!?)

  5. Ash

    If you have the means, I highly recommend checking out WordPress from their svn repo. Then when a new version comes out, an update is a simple 'svn switch' command away. It's harder to set up, but easier for always being up to date in the long run :)

  6. Andrei

    Hi Aral, we have been dealing with similar issues on afcomponents.com/blog. There are security holes in at least 3 of the previous versions of WP. After upgrading to the latest version be sure to disable the remote post and the theme editor.

    Cheers,
    Andrei

  7. Ronny

    And suddenly Aral’s pagerank was 7 again ;)
    Thx for the plugin and the post man!

    Best wishes for 2008 ;)
    Greets

  8. Aral

    @Claus: Interesting — did you have the theme editor enabled?

    @Andrei and @Ash: Thanks for the tips :)

    @Ronny: You’re welcome + Happy New Year! :)

  9. Ben

    I have been attacked, too. I just upgraded from 2.3.2 to 2.3.3 because some of my readers informed me they couldn’t subscribe. It turns out that there are hidden links after my footer that start with this:
    font style="overflow: hidden; position: absolute; height: 0pt; width: 0pt;"

    I tried the plugin but unfortunately it didn’t work :( I am getting desperate to the point where I want to wipe everything off and start from scratch again. I hate spammers.

  10. Matthew Keefe

    It seems I have also fallen victim to this, but what's weird is my blog is up to date, so much for a perfect world…

    Thanks for the tips, it cleared it right up.

  11. Michael

    I added some lines to your code. I noticed my spammer was slightly different. So I replaced your single line with this:

    $content = preg_replace('/.*?/s', '', $content);
    $content = preg_replace('/.*?/s', '', $content);
    $content = preg_replace('/.*?/s', '', $content);
    $content = preg_replace('/.*?/s', '', $content);

  12. Michael

    Well, crap it won’t show the html, well anyway, I added one with display:none (no spaces

    and copied those two with single quotes instead of double quotes. I hope this makes sense. :)

  1. Upgrading to Wordpress 2.3.2 at Aral Balkan
  2. Cronachesorprese » Prova tecnica - Plugin
