I had my good buddy Matt call me up last night. He’s the one I had set up a WordPress install for a couple months ago. It seems that someone hacked his hosting account/WP install and inserted hundreds of hidden porn links all over his site. For some reason, surfing the page on his Blackberry revealed them, probably since the phone’s browser didn’t understand the `<u style="display:none">` tags. The links were inserted into both the individual pages (single.php) and the footer (footer.php) for every page, resulting in a ridiculous amount of links per page. It looked like only the default (kubrick) WordPress theme was affected until I checked out the splash page for the entire site and found them there as well. I had thought it might have been a WordPress exploit that allowed someone to change the theme’s code, but having it in the splash page (index.html) means they would have had FTP access.
I cleaned up the mess as best I could, changed all their passwords to 12+ characters and I’ll install WP 2.5 tonight just in case. I’ve got the dates/times that the files were changed but I haven’t pulled the access logs yet to cross-reference. I have a pretty good idea what site it came from though since all the links share the same domain and the id= tags are all the same as well.
I’d like to find out exactly how it happened so I can try and prevent it from happening again. Now, with the index.html page hacked, I need to find out if this is a super serious WP exploit or if there was a security failure at the host level. If there is I’m going to recommend they find another host ASAP.
If any of you guys have heard of something similar happening and have any clues or insight, please pass it along. The website the links point to isn’t a porn site but I think they might have had their RSS feed hacked, because all the links are things like domain.com/rss.php?something_adult_sounding.
What the hell is wrong with the universe? Hacking a site to make porn links and then hacking another site to link to those porn links, all to what? Increase your Google rank? This shit has got to stop. It’s destroying the interwebs.
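A defender-side check for the injection pattern described in the post above (spam links wrapped in a `display:none` element in footer.php, single.php and the splash index.html), as an added Python scanner that is not code from this thread; the footer fragment and the `.invalid` hostnames are constructed sample data, and it reports each affected file's mtime for cross-referencing against the access log.

```python
import os, re, time
from collections import Counter
from urllib.parse import urlparse

# Constructed footer.php fragment carrying the kind of injection the post describes:
# spam links wrapped in an element hidden with style="display:none" (one normal link is left in as a control).
SAMPLE_FOOTER = """<div id="footer"><p>Powered by WordPress</p>
<u style="display:none"><a href="http://example.invalid/rss.php?a">a</a>
<a href="http://example.invalid/rss.php?b">b</a></u>
<div style="DISPLAY: none;"><a href="http://spam.invalid/rss.php?c">c</a></div>
<a href="http://legit.invalid/about">About</a></div>"""

# Any element whose inline style hides it, with the non-greedy body up to its matching close tag.
HIDDEN_BLOCK = re.compile(
    r'<(?P<tag>[a-z]+)[^>]*\bstyle\s*=\s*["\'][^"\']*display\s*:\s*none[^"\']*["\'][^>]*>'
    r'(?P<body>.*?)</(?P=tag)\s*>', re.IGNORECASE | re.DOTALL)
HREF = re.compile(r'<a\s[^>]*\bhref\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def find_hidden_links(html):
    """Return (wrapper_tag, url) for every <a href> that sits inside a display:none element."""
    return [(m.group('tag').lower(), url)
            for m in HIDDEN_BLOCK.finditer(html)
            for url in HREF.findall(m.group('body'))]

def hosts_by_count(html):
    """Hidden links per destination host; many links to a single host is the SEO-spam signature."""
    return Counter(urlparse(url).netloc for _, url in find_hidden_links(html))

def scan_tree(root, exts=('.php', '.html', '.htm')):
    """Walk a docroot (theme files and the splash index.html alike) and report every file
    that carries hidden links, with its modification time for the access-log cross-reference."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='ignore') as fh:
                hosts = hosts_by_count(fh.read())
            if hosts:
                mtime = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(os.path.getmtime(path)))
                report.append((path, mtime, dict(hosts)))
    return report

if __name__ == '__main__':
    import sys
    for path, mtime, hosts in scan_tree(sys.argv[1] if len(sys.argv) > 1 else '.'):
        print(f'{path}  modified {mtime}  hidden links per host: {hosts}')
```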
Sounds like the bug from a couple versions ago where you could create a login and edit any page/post through an exploit in the XML-RPC interface.
Would that allow them access to the index.html, which is a whole level above the blog though? Their structure is domain.com/blog/, not in the main dir. And they’re running 2.3.3. I updated it for them a little while back. It’s probably related, I mean, that would definitely explain the theme and the posts, but it’s the index I’m more worried about. I think that might have been a more serious breach.
Do a search for “wordpress footer injection” and “wordpress header injection” to read more about it. It may have been from a compromised plugin as well…
Wow. I didn’t realize it was so prevalent. There’s a special ring of hell reserved for spammers.
also:
http://php-ids.org/