abs-cbn chinese drama list,Free 10 million coins for Game of Thrones Slots today.Recharge Every day and Get Bonus up-to 50%!

sergio_101
(@sergio_101)

10 years, 8 months ago

I am trying to track down what appears to be a pretty widespread and serious vulnerability in either wordpress, or a configuration of word press.

For the second time in just a few months, I have had blocks of html injected into posts on my site. See [fn:1] for the exact text of what is being inserted.

This installation is currently running wordpress 3.9, which, although
is not the most current (the current version is 3.9.1), is still very much current.

The database server has the user accessing the database set to localhost only.

The most curious thing is, if you google any of these links as plain text, there is an abundance of pages linking to these pages. Each of the google hits on these is a wordpress site that seems to have suffered the same attack.

Looking at other sites subject to the same attack, it appears that the blocks injected into the sites are very similar.

The first time I ran across this, I found that a new user had been generated in wordpress, and that each of the edits were attributed to that user. In this most recent case, this has not happened.

The other curious thing is that in this round, the edits seem to have circumvented the revisions system.

As you can tell, the html inserted is not rendered on the page, but is clearly visible to google.

Let me know if anyone has any ideas.

* Footnotes

[fn:1]
[blog title=”From <div style=”position:absolute; left:-3535px;
top:-3231px;”>Takes product <a
href=”https://www.eewidget.com/loa/north-pharmacy-canada-lasix.html”>https://www.eewidget.com/loa/north-pharmacy-canada-lasix.html
of sides daily cured golfer <a
href=”https://secondnaturearomatics.com/xenical-cheap/”>xenical
cheap impressed told. Doesn’t it, <a
href=”https://www.theonlinehelpsite.com/north-american-pharmacy.html”>https://www.theonlinehelpsite.com/north-american-pharmacy.html
convinced redhead edge <a
href=”https://www.eewidget.com/loa/predizone-without-a-prescribtion.html”>https://www.eewidget.com/loa/predizone-without-a-prescribtion.html
treatment of t <a
href=”https://wildingfoundation.com/order-cialis-online-canada”>order
cialis online canada Anyways will: ever powder, <a
href=”https://www.streetwarsonline.com/dav/combo-packs-viagra-and-cialis.php”>https://www.streetwarsonline.com/dav/combo-packs-viagra-and-cialis.php
while would arrived more <a
href=”https://www.bakersfieldobgyn.com/best-legal-online-site-to-buy-viagra”>https://www.bakersfieldobgyn.com/best-legal-online-site-to-buy-viagra
brushes brushes. It’s bounds <a
href=”https://secondnaturearomatics.com/buy-novadex/”>https://secondnaturearomatics.com/buy-novadex/
give it not… Blemishes – know <a
href=”https://www.qxccommunications.com/cheap-propecia.php”>cheap
propecia it her WalMart big <a
href=”https://www.qxccommunications.com/varfendil-overseas.php”>varfendil
overseas deeply for products <a
href=”https://wildingfoundation.com/xenical-shipper”>https://wildingfoundation.com/xenical-shipper
known have Gel <a
href=”https://www.streetwarsonline.com/dav/generic-propecia-in-united-states.php”>generic
propecia in united states ago? With on <a
href=”https://secondnaturearomatics.com/do-some-aftermarket-viagras-work/”>inhouse
pharmacy biz skin on this cracks <a
href=”https://www.bakersfieldobgyn.com/non-prescription-canadian-viagra”>non
prescription canadian viagra injectables hair changed fairly <a
href=”https://www.bakersfieldobgyn.com/sildenafil-citrate-pfizer”>https://www.bakersfieldobgyn.com/sildenafil-citrate-pfizer
a not this them look <a
href=”https://wildingfoundation.com/alldaychemist-drugs”>mycanadian
pharmacy online trays in it watered <a
href=”https://www.theonlinehelpsite.com/baclofen-from-canda.html”>https://www.theonlinehelpsite.com/baclofen-from-canda.html
pregnant hours these and <a rel=”nofollow”
href=”https://www.eewidget.com/loa/cialis-online-canada-fast-delivery.html”>https://www.eewidget.com/loa/cialis-online-canada-fast-delivery.html
the Hilton’s bottle the crispy <a
href=”https://www.streetwarsonline.com/dav/buy-crestor-without-prescription-cheap.php”>order
clomid fast shipping anyone, elasticity new.</div> Our Blog”
category=”category-slug” item=”6″]

Viewing 2 replies - 1 through 2 (of 2 total)

Moderator James Huff
(@macmanx)

10 years, 8 months ago

It’s more than likely a corrupt theme or plugin adding these.

Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

scotthaslinger
(@scotthaslinger)

10 years, 7 months ago

Sergio,

My company is on that list and it has been a nightmare
trying to resolve this issue for me as well.
Here is what you need to do.
Go to
https://www.google.com/webmasters/tools/home?hl=en
setup an account for your website if you do not already
have one. Open your account
click on Google Index
click on Remove URL’s
click on Create a new removal request
and you will have to delete every fake URL that points to
your site.
This is obviously after you remove the bug from your site.

Scott.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘[Priority] Possible WordPress Vulnerability’ is closed to new replies.

[Priority] Possible WordPress Vulnerability

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics