#1 |
old enough to be Grandma Scrotum
Spam injection hack: Upgrade and tighten WP now!
Hi guys,

Well, ronnie warned me here: http://greenguysboard.com/board/showthread.php?t=46438 and I did listen, but I was just putting it off for a few days. Too late. I've just spent a couple of hours working out wtf happened to my blog and it turns out I was hit by something called a "spam injection hack." Info here: http://www.theinternetpatrol.com/wor...spam-injection

Essentially, if you find all your plugins suddenly disabled and you're suddenly getting a bunch of comment emails - do something quick! Here's the WP boards' info about how to fix it: http://wordpress.org/support/topic/154571?replies=19 Also this one: http://wordpress.org/support/topic/163752?replies=11

I upgraded to 2.5 but it doesn't necessarily fix it and you may need to start deleting injected files from your db. So I'll link to these pages while I'm here: http://www.mattcutts.com/blog/three-...-installation/ http://blogsecurity.net/

Now I feel so naked and vulnerable...
#2 |
Whether you think you can or you think you can't, you're right.
Sorry to hear it, I know your pain and frustration. Seems there are assholes that think they are so cool, or think it's fun to mess up people's businesses.

I don't understand what they get out of it, I guess to show off their skills? I probably don't get it because I am not a hacker. The one that got me the last couple of times was just some weird Islamic message. Not like they were making money off the hack. Looks like I need to do some more reading.

Last edited by ronnie; 2008-04-17 at 04:49 PM.
#3 |
old enough to be Grandma Scrotum
The idea was to allow spam comments on the blog, because the hack disables akismet. But I have moderation turned on so none of the comments got through.
It turned out that I did have to edit my db to remove the offending file, it all seems to be OK now. But an Islamic hacker? How weird. God, save me from your followers!
#4 |
Selling porn allows me to stay in a constant state of Bliss - ain't that a trip!
Damn - that might explain why I'm suddenly seeing more spam comments in moderation in one of my mainstream blogs.

I was wondering why akismet wasn't killing the stuff. What was the offending file? Is it always the same file?
#5 |
old enough to be Grandma Scrotum
I'm not sure if it's the same thing. I went from no comments at all to 30 in one hour, all with multiple links... it just took a while for me to work out that something wasn't right.

To fix the db you need to browse through wp_options. Right down the bottom you might find an active_plugin (or in my case, deactivated_plugin) with a name like: a:1:{s:5:./././././././././././././././././././././tmp/upl52653.jpg

Delete it. Then you might want to go back and activate your plugins one by one to see if the posting process works. Not sure if it's always the same file, but it may be something similar. Anyway, this is the topic to read: http://wordpress.org/support/topic/154571?replies=19
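An added example to go with the wp_options procedure in post #5; it is not code from the thread or from WordPress. It assumes you have already pulled the raw option_value of the active_plugins (or deactivated_plugins) row out of wp_options (for instance with SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';) and want to spot the entry that does not belong before you delete it. WordPress stores that option as a PHP-serialized array, so the script parses that format, flags any entry that is not a plain relative .php path inside the plugins directory (path traversal, absolute paths, non-.php files), and re-serializes the clean entries. The SAMPLE value is constructed, with an injected entry reaching out to a fake .jpg in /tmp via ../, as described in the thread; the real option name and column names are WordPress's own.

```python
"""Triage helper for the WordPress active_plugins spam-injection hack.

Added example, not thread or WordPress code. Assumes the option_value of the
active_plugins (or deactivated_plugins) row has been read from wp_options and
that plugin paths are ASCII, so PHP byte lengths equal Python str lengths.
"""
import re

# A legitimate WordPress plugin entry is a relative path inside wp-content/plugins
# that ends in .php, e.g. "akismet/akismet.php".
PLUGIN_OK = re.compile(r"^[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*\.php$")


def php_unserialize(data):
    """Parse the subset of PHP's serialize() format that WordPress options use:
    null, bool, int, string and (nested) arrays. Arrays come back as dicts."""
    value, _ = _parse(data, 0)
    return value


def _parse(s, i):
    """Parse one value starting at offset i; return (value, offset after it)."""
    t = s[i]
    if t == "N":                                   # N;
        return None, i + 2
    if t == "b":                                   # b:1;
        return s[i + 2] == "1", i + 4
    if t == "i":                                   # i:123;
        end = s.index(";", i)
        return int(s[i + 2:end]), end + 1
    if t == "s":                                   # s:len:"text";
        colon = s.index(":", i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2                          # skip :"
        text = s[start:start + length]
        if s[start + length:start + length + 2] != '";':
            raise ValueError("malformed string at offset %d" % i)
        return text, start + length + 2
    if t == "a":                                   # a:count:{key;value...}
        colon = s.index(":", i + 2)
        count = int(s[i + 2:colon])
        j = colon + 2                              # skip :{
        out = {}
        for _ in range(count):
            key, j = _parse(s, j)
            val, j = _parse(s, j)
            out[key] = val
        if s[j] != "}":
            raise ValueError("malformed array at offset %d" % i)
        return out, j + 1
    raise ValueError("unsupported type %r at offset %d" % (t, i))


def php_serialize_list(items):
    """Serialize a list of strings as PHP would a 0-indexed array of strings."""
    body = "".join('i:%d;s:%d:"%s";' % (k, len(v.encode("utf-8")), v)
                   for k, v in enumerate(items))
    return "a:%d:{%s}" % (len(items), body)


def suspicious_reason(entry):
    """Return why an active_plugins entry looks injected, or None if it looks normal."""
    if not isinstance(entry, str):
        return "non-string entry"
    if ".." in entry.split("/"):
        return "path traversal"
    if entry.startswith("/"):
        return "absolute path"
    if not entry.endswith(".php"):
        return "not a .php file"
    if not PLUGIN_OK.match(entry):
        return "unexpected characters"
    return None


def triage_active_plugins(serialized):
    """Split an active_plugins value into (clean, bad, fixed): entries that look
    like real plugins, (entry, reason) pairs that look injected, and a
    re-serialized value holding only the clean entries."""
    plugins = php_unserialize(serialized)
    if not isinstance(plugins, dict):
        raise ValueError("active_plugins is not a PHP array")
    clean, bad = [], []
    for entry in plugins.values():
        reason = suspicious_reason(entry)
        if reason:
            bad.append((entry, reason))
        else:
            clean.append(entry)
    return clean, bad, php_serialize_list(clean)


# Constructed sample (not a real dump): a normal install plus one injected entry
# that reaches out of the plugins directory via ../ to a fake .jpg in /tmp.
SAMPLE = ('a:3:{i:0;s:19:"akismet/akismet.php";'
          'i:1;s:28:"../../../../tmp/upl52653.jpg";'
          'i:2;s:15:"hello/hello.php";}')

if __name__ == "__main__":
    clean, bad, fixed = triage_active_plugins(SAMPLE)
    for entry, reason in bad:
        print("REMOVE: %s  (%s)" % (entry, reason))
    print("cleaned option_value: %s" % fixed)
```

Write the cleaned value back to the row (with a parameterised UPDATE, not by pasting it into a shell), then go after the file the bad entry pointed at: removing the db entry only stops WordPress including it on the next page load, the file itself is still on disk, and its location tells you where the attacker was able to write.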
#6 |
Selling porn allows me to stay in a constant state of Bliss - ain't that a trip!
Well, to me it really feels like the same thing - just as you describe - suddenly going from no spam to 50 a day in moderation, stuffed with dozens of links.

I haven't dared to try a new post - they say it will crash the blog, by appending a huge spam at the bottom of each post. So, you went into the database itself and deleted this odd entry? And you upgraded to the latest version first? Thanks for the info. Good catch.
#7 |
old enough to be Grandma Scrotum
To begin with I thought it was because there'd been a php upgrade on the server, so we fiddled with that first. Then I upgraded to WP 2.5 and when it didn't work I went looking for another answer, which led to the info about the hack.

It does sound like you've got the bug. I'm not sure if upgrading first or later will make any difference. Shutting down the plugins (except maybe akismet) and then checking the db may be the way to go. If it still doesn't work... I'm not sure. I was OK after that.
#8 |
Whether you think you can or you think you can't, you're right.
So, it seems the only possible solution or only thing that might help is to disable akismet? That's how they get in, right? Curious how they disable a plug-in from the outside. Or I didn't read enough..
#9 |
Selling porn allows me to stay in a constant state of Bliss - ain't that a trip!
Well, I found and deleted that entry in the DB, and the flood of comment spam instantly stopped - and I'd been getting 10 or 20 an hour.

I haven't updated WP yet, but should get to it tonight. akismet was listed as not activated, as were dofollow and a few other minor plugins - no plugins were activated when I checked. akismet seemed to crash when I activated it - white screen with error messages - but the blog behaved fine afterwards, and no spam. I'm hoping an upgrade will make the blog healthy. Guess I should tighten up the security a bit too, using Matt Cutts' suggestions.
#10 |
old enough to be Grandma Scrotum
Ronnie, I'm not sure how they get in. I was running 2.3 and I must admit my security wasn't too hot so maybe it was just an automated hack. I'm not sure that turning off Akismet will stop it. And deactivating it is their main goal anyway.
And Bill... damn. It's good you've fixed it. I'm glad I posted about this because it's been useful to someone at least. I wonder how many other people have had this happen in the last couple of days.
#11 |
Selling porn allows me to stay in a constant state of Bliss - ain't that a trip!
Ha ha ha - they just got one of my porn blogs.

At least I know what to do now. I've got some work to do.