• Hi,

    Lots of blogs (including mine, for which I also ask for help) are being attacked by spam. When you access them as a search engine robot, such as Googlebot, Msn or Yahoo Slurp, you can see how lots of blogs have lots of spam links in their themes, sometimes before the <html>, sometimes in a div… and it appears even in the WP Admin!

    Look at the cached version of the websites here:
    https://www.google.com/search?hl=en&q=wordpress+lolitas+autocad

    I have the latest WordPress version, with correct CHMOD on my files, and those links don’t appear in my blog files, nor in the database.

    Please help!

Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter davilac

    (@davilac)

    Sorry, the spam was in the Live Comment Preview 1.7 plugin.

    That spam is NOT restricted to any particular plugin or file within WordPress. And it is NOT just a WordPress issue. It is the result of very specific code being written to ANY page it locates that is chmod’d insecurely. The malicious part of the script is base64 encoded to make it harder for the average user to detect what’s being done.

    I’ve discussed it on my own blog and provided some example links to sites that are running WordPress and some that are NOT running WordPress that have been affected.

    I’ve also identified the malicious script for anyone that is affected and doesn’t know what to look for.

    For what it’s worth, I recently helped someone remove this from their blog, and the script had been written to his wp-config.php. It (his wp-config.php) was chmod’d 666.

    Two links:

    explanation: https://www.village-idiot.org/archives/2006/11/13/if-only/

    contains 2 examples of sites that are NOT running WordPress being affected:
    https://www.village-idiot.org/archives/2006/11/14/more-if-onlys/

    If anyone ever wondered why I am such a bitch about security, this is why.

    PS: regarding the cached copies of the sites I linked to within my own posts: I contacted 2 of the authors via email. I received a response from one that had no clue what I was showing her, or what to do about it. When I checked her site later in real time, she had reinstalled her blog completely.

    Did she make any changes to ensure that it does not happen again? I don’t know, I never heard from her after my second email to her.

    The other person I emailed never replied. Too busy to keep up his site, too busy to read his emails too, I guess.

    And just one more example of the kind of people that piss me off.

    It is foolhardy to leave files and directories with world-writable permissions.

    NO 666.

    NO 777.

    And if you must do this, if you absolutely have to edit something via the admin area, you NEED to chmod the file(s) back to something more secure after you are done with your edits.

    You would NOT go to bed with your front door unlocked; leaving world-writable files unattended is the Internet equivalent of that behaviour.
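The checks that post describes, as an added example that is not code from the thread or from WordPress: list anything under the site root that is world-writable, and find PHP files where eval() is wrapped around base64_decode() or a similar decoder, which is the shape of the obfuscated injection discussed above. The sample tree the script builds, the plugin directory name and the encoded string are constructed for illustration only; the string decodes to a harmless PHP comment. A hit from the second check is a file to read, not proof of infection by itself.

```shell
#!/bin/sh
# Added example, not code from the thread. Audit a WordPress tree for the two
# conditions discussed above: world-writable files or directories, and PHP
# files that feed decoded/obfuscated data into eval().
# Usage: sh audit.sh /path/to/wordpress

# List every file or directory under $1 that is writable by "other" (the o+w bit).
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print | sort
}

# List every PHP file under $1 containing eval() wrapped around a decoder call.
# /dev/null is passed as an extra file so grep never falls back to reading stdin
# and always prints file names.
find_encoded_injections() {
    find "$1" -type f -name '*.php' -exec grep -l -E \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' \
        /dev/null {} + | sort
}

# Build a small constructed WordPress-like tree in a temp dir so the checks can
# be exercised offline. The "payload" decodes to a PHP comment, nothing more.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/plugins/live-comment-preview" "$site/wp-content/uploads"
    printf '<?php\ndefine("DB_NAME", "wordpress");\n' > "$site/wp-config.php"
    printf '<?php\nfunction lcp_preview() { return 1; }\n' \
        > "$site/wp-content/plugins/live-comment-preview/clean.php"
    # constructed injected file: "LyogcGxhY2Vob2xkZXIgKi8=" is base64 of "/* placeholder */"
    printf '<?php\nfunction lcp_preview() { return 1; }\neval(base64_decode("LyogcGxhY2Vob2xkZXIgKi8="));\n' \
        > "$site/wp-content/plugins/live-comment-preview/preview.php"
    chmod 755 "$site" "$site/wp-content" "$site/wp-content/plugins" \
        "$site/wp-content/plugins/live-comment-preview"
    chmod 644 "$site/wp-content/plugins/live-comment-preview/clean.php" \
        "$site/wp-content/plugins/live-comment-preview/preview.php"
    chmod 666 "$site/wp-config.php"          # the mistake described in the thread
    chmod 777 "$site/wp-content/uploads"     # the other common mistake
    printf '%s\n' "$site"
}

if [ "$#" -gt 0 ]; then
    echo "== world-writable entries under $1 =="
    find_world_writable "$1"
    echo "== PHP files with eval(<decoder>(...)) under $1 =="
    find_encoded_injections "$1"
fi
```

Run it against the real site root after the clean-up as well: an empty first list is what "NO 666, NO 777" looks like on disk, and the second list should stay empty after the injected lines have been removed and the affected files re-uploaded from a clean copy.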

    Thread Starter davilac

    (@davilac)

    Hi,

    thank you, but I still don’t understand why. The infected file (yeah, now I found the encoded code) was 644, as are all the files on my FTP. ??

    Welp, I’ve downloaded that plugin from dev.wp-plugins.org (where it lives) and there’s no malicious code in it.

    perhaps you had it chmod’d differently at some point, or perhaps you downloaded that plugin from someone or somewhere and it had been previously added.

    I really can’t say.
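What that reply did by hand, as an added example that is not code from the thread: compare the installed plugin directory with a clean copy of the same version downloaded from the plugin's home, so that any file modified on the server, and any file that exists only on the server, stands out without needing a signature for whatever was injected. The two sample trees, the plugin and file names, and the appended line are constructed for illustration; the encoded string decodes to a harmless PHP comment.

```shell
#!/bin/sh
# Added example, not code from the thread. Compare an installed plugin tree
# against a clean copy of the same version, file by file.
# Usage: sh compare_plugin.sh /path/to/clean-copy /path/to/wp-content/plugins/<plugin>

# Print one line per difference relative to the clean copy:
#   modified <path>  contents differ (e.g. injected code appended)
#   added <path>     exists only on the server (e.g. a dropped backdoor)
#   missing <path>   exists only in the clean copy
# Returns 0 when the trees match exactly, 1 otherwise.
compare_plugin_tree() {
    clean=$1
    installed=$2
    report=$(
        ( cd "$clean" && find . -type f ) | sort | while IFS= read -r f; do
            if [ ! -f "$installed/$f" ]; then
                printf 'missing %s\n' "$f"
            elif ! cmp -s "$clean/$f" "$installed/$f"; then
                printf 'modified %s\n' "$f"
            fi
        done
        ( cd "$installed" && find . -type f ) | sort | while IFS= read -r f; do
            [ -f "$clean/$f" ] || printf 'added %s\n' "$f"
        done
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Build two small constructed trees under a temp dir: "clean" as downloaded,
# "installed" with one file modified and one file added. Prints the temp dir.
make_sample_trees() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/js" "$root/installed/js"
    for d in clean installed; do
        printf '<?php\n/* Plugin Name: Example Preview */\nfunction ep_preview() { return 1; }\n' \
            > "$root/$d/example-preview.php"
        printf 'function ep() { return 1; }\n' > "$root/$d/js/preview.js"
    done
    # server copy: obfuscated line appended ("LyogcGxhY2Vob2xkZXIgKi8=" decodes to "/* placeholder */")
    printf 'eval(base64_decode("LyogcGxhY2Vob2xkZXIgKi8="));\n' >> "$root/installed/example-preview.php"
    # server copy: a file the clean release never shipped
    printf '<?php\n/* constructed stand-in for a dropped file */\n' > "$root/installed/cache.php"
    printf '%s\n' "$root"
}

if [ "$#" -eq 2 ]; then
    compare_plugin_tree "$1" "$2"
fi
```

The comparison has to be made against the same plugin version that is installed, otherwise every legitimately changed file shows up as modified; "added" entries deserve the closest look, since an attacker who can write to the tree usually drops a file of their own alongside the edited ones.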

    Here is a script I wrote and tested to set the perms to 644 for files and 755 for directories. Let me know if an issue is found.

    ========= cut below ==========
    #!/bin/sh
    # save in your wordpress dir, run from there.
    # Script to lock down wordpress: 644 for files, 755 for directories.
    # .htaccess is skipped (grep -v) so its permissions are left as they are.
    #
    find . -print | grep -v htaccess | while IFS= read -r file; do
        # If it's a file, 644 perms
        if [ -f "$file" ]; then
            chmod 644 "$file"
        fi
        # If it's a dir, 755 perms
        if [ -d "$file" ]; then
            chmod 755 "$file"
        fi
    done

    =========== cut above =============

  • The topic ‘Massive Spam attack to WordPress Themes’ is closed to new replies.