• Resolved nothinghappens

    (@nothinghappens)


    I’ve been looking through the forums, googling my butt off, and can’t find anything that describes what I’m experiencing. And I need help getting rid of it.

    A while back one of my posts got compromised with spam — not in the form of a comment, or the post itself being edited, but rather this: the posts showed up normally on the home page, but when you click a post title to go to the individual post (say, to leave a comment) you get a spam page. Not a bunch of spam links inserted into the post/page content, mind you, but a completely different web page hawking cheap drugs. However, the URL is still the same URL as normal to view the post. This doesn’t start happening right away after publishing the post, but some time later.

    The first time it happened, I figured it for a one-off deal, and promptly deleted the post and just copied its contents into a new post. But yesterday it happened again, so I thought I’d better take new measures.

    First, I was long overdue for an upgrade anyway (was still using WordPress 2.0) so I installed the automatic upgrade plugin and upgraded to the latest. Then I changed my user password and ssh/ftp password at my web host. Then I posted to the blog saying, in effect, “sorry about the spam thing, but I went ahead and did this and this and hopefully it won’t happen again.”

    This morning I find out it happened again — to that very post:

    https://nothinghappens.net — the home page, post looks normal
    https://nothinghappens.net/?p=316 — holy crap wtf

    Here are some more interesting details I’ve dug up: If you add a trailing / to the URL you get the post again instead of the spam site. Check it out: https://nothinghappens.net/?p=316/ However, before you tell me to check my .htaccess — I don’t have one. Also, I looked at the post’s record in the database via phpMyAdmin and nothing’s been done to it there.

Viewing 5 replies - 31 through 35 (of 35 total)
  • Thread Starter nothinghappens

    (@nothinghappens)

    Ivovic: you don’t know that I don’t know, and you don’t know that I haven’t checked. In fact, while hunting down the problem this morning, I decided to systematically check the permissions on every file and folder in my wordpress install, and correct any that were more permissive than they needed to be (a small number, but there were some). Later after finding the issues in wp-config and the header and footer files in my theme, I decided to also check modified dates. Anything whose date was not either last night at the time I did the automatic upgrade, or February 25 when I first installed to this server (copied from a previous installation elsewhere) I viewed the contents of. Since I’ve read or at least skimmed much of this code before (trying to fix a problem, wanting to modify some behavior, or often just out of curiosity — I’ve been using WordPress for about 5 years in all) I think I can usually identify anything out of sorts.

    Telling people to keep up on security updates is excellent advice, and I think my issue today is a good illustration of what can happen when you don’t, but you could definitely stand to be nicer about it. People listen better that way.

    On the other hand, doing an upgrade was a terribly unwieldy process for most users, particularly those less technically inclined than we, before the automatic upgrade plugin was invented. I reiterate my kudos and gratitude to its creators.

    I think though, if you’re technically savvy enough to deal with doing a database backup/restore and everything else involved in doing a complete wipe of the site (or an upgrade, back before the auto upgrade plugin), you’re probably also savvy enough to poke around the code, use some things like grep and diff, and look at permissions and timestamps, so that you can fix the problem right where it is, rather than wiping out all the nifty customizations to the theme and everything else that you have most likely put a lot of work into. My opinion. Yours obviously differs, and I’ve heard it now, so you can stop beating me over the head with it any time you like :)

    Does an Apple II in 1985 count as having used a command line before it was cool? How about Ultrix in 1993? Not meant as an attack, just as defense :)
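An added example (not code from the thread) of the timestamp, permission and grep checks described above, for a defender reviewing a WordPress tree. It assumes GNU find and grep on a Linux host; the directory layout, dates and file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example: spot files in a WordPress install that deserve a closer look
# (then compare them with `diff` against a clean copy of the same release).

# Usage: changed_since DIR "YYYY-MM-DD HH:MM"
# Regular files whose modification time is newer than the reference time,
# e.g. the date of the last known-good install or upgrade.
changed_since() {
    find "$1" -type f -newermt "$2" | sort
}

# Usage: too_permissive DIR
# Regular files writable by group or others (anything looser than 644).
too_permissive() {
    find "$1" -type f -perm /022 | sort
}

# Usage: suspicious_php DIR
# PHP files containing constructs common in injected code; review hits by hand,
# since legitimate code occasionally uses them too.
suspicious_php() {
    grep -rlE 'eval\(|base64_decode\(|gzinflate\(' --include='*.php' "$1" | sort
}

# Demo on a constructed tree: an install dated Feb 25 (constructed year),
# a theme footer modified later, and a world-writable plugin file with an
# eval(base64_decode(...)) stub standing in for injected content.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/themes/mytheme" "$tmp/wp-content/plugins"
    printf '<?php\n' > "$tmp/wp-config.php"
    printf '<?php\n' > "$tmp/wp-content/themes/mytheme/footer.php"
    printf '<?php eval(base64_decode("..."));\n' > "$tmp/wp-content/plugins/x.php"
    touch -d "2008-02-25 10:00" "$tmp/wp-config.php"
    touch -d "2008-03-02 03:00" "$tmp/wp-content/themes/mytheme/footer.php"
    touch -d "2008-03-02 03:00" "$tmp/wp-content/plugins/x.php"
    chmod 644 "$tmp/wp-config.php" "$tmp/wp-content/themes/mytheme/footer.php"
    chmod 666 "$tmp/wp-content/plugins/x.php"
    echo "modified since install:"; changed_since "$tmp" "2008-02-26 00:00"
    echo "too permissive:";         too_permissive "$tmp"
    echo "suspicious php:";         suspicious_php "$tmp"
    rm -rf "$tmp"
}

demo
```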

    my my my..

    What does anyone think of the suggestion of setting the permissions of config.php to 640?

    The same reason it’s not suggested for other files. Pointing out that it contains a password.. yes and?

    There are 2 scenarios:

    1. bring it up in a browser, what do you see? You better see a blank page, or you need to 1.) get a new host, or 2.) you need to stop trying to be an uber-leet linux wannabee, and learn how to admin a server properly.

    2. Another user on the server attempts to read the file. On a properly configured box, that’s not how things work. Just like you cannot read other users’ files, they can’t read yours. If that’s not the case, you need to 1.) get a new host, or 2.) you need to stop trying to be an uber-leet linux wannabee, and learn how to admin a server properly.

    https://www.security-express.com/archives/bugtraq/2003-02/0135.html

    The only real instance where a wp-config.php is going to be vulnerable is in the case of a complete failure of PHP, OR in the event of a server side glitch where PHP is (accidentally) disabled -> apache 2.0 actually uses a php.conf that is included within httpd.conf, and it is possible to accidentally comment out that include, causing PHP not to be available. I’ve done that, by the way.

    If that’s a concern there are a couple very simple ‘fixes’ — 1.) a mod_access rule to disallow that file from being called directly, 2.) moving the most important bits, inside that file, out of web_root (something I have done, but have been even trickier with since I have my own server)

    Yeah, if I had lots of time on my hands ..

    You spent a lot of time here arguing for someone without a lot of time, but anyway…

    the timestamps thing is great for finding compromised files.

    keyweb.de is evil, if you have your own box, or control of your routing or iptables, nullroute them or drop the packets. you won’t miss anything.

    Whoo is gonna be so disappointed…


    Thread Starter nothinghappens

    (@nothinghappens)

    re: chmod 640 wp-config.php : Well, that’s why I asked for input on the subject :) Thanks.

    To the mod… Please do not delete the thread, but pruning the non technical posts would be helpful for those of us who are trying to remedy this attack.

    I am trying some other things and will post any findings.

    Best regards,

    Bill

    Wow, this was a very entertaining thread. :)

    Question for the mods: can this exploit also put other non-WordPress files at risk? I ask because I don’t even know how the hack works. Thanks.

  • The topic ‘is this some new spam attack?’ is closed to new replies.