• I’ve just been viewing the HTML source being generated by a WordPress 2.8.6 site that I maintain and noticed a bunch of unexpected spam links appended right at the end. For example:

    <style>#tutbylvasya{position: absolute;overflow: auto;height: 0;width: 0}</style><li id=tutbylvasya> <a href="https://www.voice-exp.com/poteen.php?fry=boot-camp">boot camp</a></li><li id=tutbylvasya> <a href="https://www.voice-exp.com/poteen.php?fry=ting-tings">ting tings</a></li><li id=tutbylvasya> <a href="https://www.albanstephen.com/mogul.php?fug=john-patrick-shanley">john patrick shanley</a></li><li id=tutbylvasya> <a href="https://www.ianlee.co.uk/grison.php?sn=barry-fry">barry fry</a></li>

    It’s a very similar scenario to the one described here by the maintainer of a Joomla based system:

    https://expressionengine.com/forums/viewthread/141554/

    Just starting to work through the problem now to see which files may have been affected and identify if the site was compromised via a plugin or part of the core.

    Anyone else experienced similar issues?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter ballinascreen

    (@ballinascreen)

    Already on it. Upgraded to 2.9.1 yesterday. As it turns out, only the index.php file in the root directory of my installation had been tampered with. Still trying to track down the initial point of entry though.

    Anything suspicious in your db? It’s also possible that the point of entry was via something else on the server. Doubly so if it’s a shared server.

    Thread Starter ballinascreen

    (@ballinascreen)

    As far as I can tell, the database is completely untouched. No unexpected iframes, hidden visibility CSS, noscripts or base64 decoding going on. Thankfully I keep regular backups of the database, and it's not a high volume/activity website, so even going back to a snapshot a day or so old won’t be a big issue.

    As a further precaution, I’ve also upgraded all the plugins just in case they represent the attack vector being used by the bad guys.

    As far as alternate access – well, that's a possibility since it is a shared server. I’ve changed the FTP password and I’ll be keeping a close watch on the site to see if the infection returns.

    Was just curious to see if this is a wider issue… I guess only time will tell…

    Moderator t-p

    (@t-p)

    Hi everybody,

    As it turns out, only the index.php file in the root directory of my installation had been tampered with.

    Is there any way to secure this index.php?

    Thanks.

  • The topic ‘Spam Links Injection’ is closed to new replies.
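
An added example, not part of the original thread: a check that can be run over a site's rendered HTML to flag links placed inside elements that a `<style>` rule collapses to zero size, the pattern shown in the first post. It also treats `display:none` and `visibility:hidden` as hiding, which goes beyond the posted snippet; the function names, the sample page and the `spam.example` URLs are constructed for illustration.

```python
import re
from html.parser import HTMLParser
STYLE_BLOCK = re.compile(r"<style[^>]*>(.*?)</style>", re.S | re.I)
ID_RULE = re.compile(r"#([\w-]+)\s*\{([^}]*)\}")
ZERO = re.compile(r"0(px|em|%)?$")

def hides(css_body):
    """True if the declarations collapse the element to zero size or hide it."""
    decl = {k.strip().lower(): v.strip().lower()
            for k, v in (d.split(":", 1) for d in css_body.split(";") if ":" in d)}
    collapsed = ZERO.match(decl.get("height", "")) and ZERO.match(decl.get("width", ""))
    hidden = decl.get("display") == "none" or decl.get("visibility") == "hidden"
    return bool(collapsed or hidden)

class _Finder(HTMLParser):
    def __init__(self, hidden_ids):
        super().__init__()
        self.hidden_ids, self.links = hidden_ids, []
        self.container, self.depth = None, 0  # (tag, id) of the open hidden element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if self.container is None and a.get("id") in self.hidden_ids:
            self.container, self.depth = (tag, a["id"]), 1
        elif self.container and tag == self.container[0]:
            self.depth += 1  # same tag nested inside the hidden element
        if tag == "a" and self.container and a.get("href"):
            self.links.append((self.container[1], a["href"]))

    def handle_endtag(self, tag):
        if self.container and tag == self.container[0]:
            self.depth -= 1
            if self.depth == 0:
                self.container = None

def hidden_links(html):
    """Return (element id, href) for every link inside a CSS-hidden element."""
    ids = {i for css in STYLE_BLOCK.findall(html)
           for i, body in ID_RULE.findall(css) if hides(body)}
    finder = _Finder(ids)
    finder.feed(html)
    return finder.links

# Constructed sample page: one visible link, then two links in a zero-size block
# appended after the closing </html>, as described in the first post.
SAMPLE = """<html><body><a href="/about">About</a></body></html>
<style>#blk1{position: absolute;overflow: auto;height: 0;width: 0}</style>
<li id=blk1> <a href="https://spam.example/a.php?q=one">one</a></li>
<li id=blk1> <a href="https://spam.example/b.php?q=two">two</a></li>"""
print(hidden_links(SAMPLE))
```

Run against pages fetched from the live site on a schedule, a non-empty result is a cue to compare the theme and root `index.php` files against a known-good copy.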