Susan Wojcicki net worth,jiliplay.REGISTER NOW GET FREE 888 PESOS REWARDS!

stickner
(@stickner)

16 years, 6 months ago

I recently found a script in the root of my wordpress blog that I believe came from a plugin, but I’m not sure which one yet. The script, which was named ph.php generated thousands of links in the format /blog/ph.php?12345 that redirected to pharmacy advertising pages.

I found it quickly and removed it. I then had to remove a couple of thousand links from Googles index and cleanup the mess. I’ve just found that this is a two part exploit. There are literally thousands of WordPress blogs that, when a page is served, have hundreds of hidden links that point to the links generated by the script that, on my installation, was named ph.php.

Here are a couple of links I picked at random. View the source and scroll down, you’ll see hundreds of hidden links at the bottom;
https://autoinsurancestories.com/?s=stories
https://blog.debbieferrari.com/index.php?s=remodel
https://blog.sandrasays.com/index.php?s=tangerine

For each link generated /blog/ph.php?12345 there are about 6,500 links to each one from infected blogs.

This is a serious problem. My search engine ranking plummetted as all of the traffic became pharma related spam. Have you seen this and do you want to help me track it down and make others aware of it.

Your help is greatly appreciated
Steve Tickner

Viewing 2 replies - 1 through 2 (of 2 total)

whooami
(@whooami)

16 years, 6 months ago

Of your 3 links above, each is running:

1. <meta name="generator" content="WordPress 2.2.2" />  <– old exploitable version

2. <meta name="generator" content="WordPress 2.1" />  <– even older very exploitable version of wordpress

3. only this site is actually running a current version, and I’ll bet dollars to donuts the site has been exploited for a while, well before the upgrade.

In fact, here is a google snapshot of a page on that site..

https://64.233.167.104/search?q=cache:2z0l3W1R96cJ:blog.sandrasays.com/2007/09/14/photo-of-looscan-neighborhood-library-clocktower/+https://blog.sandrasays.com&hl=en&ct=clnk&cd=6&gl=us

Note that the date of the snapshot was just one month ago.. and the source reveals the version being used at that time:

<meta name="generator" content="WordPress 2.2.2" /> 

Another one of those “aha!” moments for those of us that are ‘involved’ in whats on our sites.

Its not secret among anyone that stays involved with this community that exploits for older versions of wordpress and some of its plugins are out there.

Thread Starter stickner
(@stickner)

16 years, 6 months ago

The script that ended up on my installation went in on a 2.5.1 clean install. I still haven’t tracked down where it came from yet, but I was trying a lot of different plugins, something that I will not do again hastily…

The header of the script says:
/* k1b0rg Doorway Loader v0.2
* This script download dors for request
* @author: Dobrota
* @contact: icq: htythfgj
*
* Good luck;)
*/

Have you seen this before? Or do you know a way to track it down?

I posted some info about the ad server here;
https://www.trstechnology.com/blog/index.php/k1b0rg-doorway-loader-v02/

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Advertising Script Exploit’ is closed to new replies.

Advertising Script Exploit

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics