• jberkowitz

    (@jberkowitz)


    This HIDDEN code is being somehow automatically inserted into the CODE of my posts after I save my post and is then sending out porn links via the RSS feed.

    <font style="overflow: hidden; position: absolute; height: 0pt; width: 0pt"><!--4848-->

    How can I stop this from happening??

Viewing 8 replies - 16 through 23 (of 23 total)
  • There is more to this than just the insertion of code into your post. In the root of your site structure you may well find, as I did today, hqc.php.

    Your site will then be used within the code that is posted onto others’ sites.

    There are now a whole load of sites with links to hqc.php on my site, literally hundreds of them.

    I’ve deleted it. I’m not a php coder so can’t understand what it is doing, but if anyone else wants to have a look I’ve kept a copy safe (off my site).

    and so I'm inquisitive..

    oak-grove.

    I see joomla, I found your wp install.

    and where was the file located?

    These posts are tedious to me. Having upgraded 2 previously hacked blogs in as many days, and seeing the results, I'm suspicious of all of these other upgrades. Meaning, I seem to have a process that works, and having upgraded these other blogs, I'm not seeing the new installs being hacked, and they were extremely hacked before I got to them.

    One thing I think ppl are missing is this..

    Google for that file name. One of the most popular sites that comes up is this one:

    https://www.dreamit.co.uk/

    terribly hacked, a wonderful example of an irresponsible, errant webmaster that ought to have his Internet driver's license revoked (if you ask me).

    What version is installed on that site:

    <meta name="generator" content="WordPress 2.1" />

    What interesting exploits are there for that particular version?

    Well, at the very least, there is one that successfully grabs your administrator password.

    Now I'm going to go out on a limb, and suggest that that person probably wouldn't even know they were hacked.. and that during any upgrade process, would see no reason to change their administrator password.

    So hey, okay! They upgrade, but guess what, Szevegni from Croatia still has that password — despite the fact that the install has been upgraded.

    My point?

    That for a while I was entertaining the idea that there was still a security issue in 2.3.3. I no longer think that. I've had recent experiences with three separately hacked blogs in the last week, one of which included involving 2 WP devs, and I honestly think these are cases where ppl had previously compromised installs, and they simply have not secured their sites to the degree necessary following that compromise.

    I have also “seen” (logged all the variables sent to the file being called) the spam injection exploit in action, and have tested it against a 2.3.3 install — it doesn't work.

    If 2.3.3 is insecure in any fashion, it's not related to these spam insertions.

    Just food for thought.

    And honestly, anyone running Joomla.. ought to run for their lives.

    and here's a real funny, one of the blogs I just updated.. that's NO LONGER seeing successful hacks.. there was an attempt to insert links ..

    I have logging set up on the site so I can capture “stuff” right.. You don't even need to tell me where that file was located, because YOUR site just popped up .. the hackers were trying to insert links back to YOUR site, and guess what..

    that file, was in the root of your joomla install, not your WP install.

    That doesn’t suggest anything other than it might not be a simple WP hack, it might be a PHP issue, it might be a permissions issue, lord knows. I can say that I've found the same on a 2.1.x blog and if I remember correctly a 2.2.x install as well, and there are ppl proclaiming from the rooftops that 2.3.3 is susceptible as well. Of that, I'm not convinced.

    Nonetheless, I'm sure this will look familiar to you.

    <a href=\"https://www.fulwoodfmc.net/hqc.php?download.htm\">spyware adware remover download</a>
    <a href=\"https://www.fulwoodfmc.net/hqc.php?foot.htm\">girls licking feet</a>
    <a href=\"https://www.fulwoodfmc.net/hqc.php?sylvia.htm\">silvia saint raped</a>
    <a href=\"https://www.fulwoodfmc.net/hqc.php?olsen.htm\">bree olsen dildo</a>
    <a href=\"https://www.fulwoodfmc.net/hqc.php?machine.htm\">old machine shops chicago</a>
    <a href=\"https://www.fulwoodfmc.net/hqc.php?slut.htm\">backstabbing sluts</a>
    <a href=\"https://www.fulwoodfmc.net/hqc.php?throat.htm\">white throat monitor</a>
    <a href=\"https://www.fulwoodfmc.net/hqc.php?slut.htm\">slut slave</a>
    <a href=\"https://www.fulwoodfmc.net/hqc.php?orgy.htm\">free orgy videos</a>

    They failed at inserting these and about 100 other links into a freshly upgraded 2.3.3 install that I personally secured.

    btw, oak-grove, if you are interested in getting to the root of the problem.. I can help you in doing so.

    All I ask is that any data collected stay between you and I, and if it turns out to be an issue with a current version of WP, the WP devs.

    contact me at whoo (((((@))))) village-idiot.org if you are up to it.

    I think that I am now clean too, but I missed hqc.php because it was in the root structure, rather than in the blog subdirectory which I had cleaned.

    I only noticed it when the technorati feed for the domain started going bonkers with loads of sites pointing to my domain, all referencing hqc.php, and there have been hundreds of them. I’ve checked through a good number of them and not one of them has been 2.3.3, most have been much older. A lot of them also seem to be K2 style (which mine used to be), but that could just be because K2 is popular.

    So I’m almost certain that hqc.php is left over from before the 2.3.3 upgrade and that the site is now clean and that 2.3.3 is secure.

    I also changed all of my passwords to be sure that they were safe.

    btw, oak-grove, if you are interested in getting to the root of the problem.. I can help you in doing so.

    I'm not talking about cleaning up your site — I'm talking about figuring out how they uploaded the files .. but no worries, there's plenty more fish in the sea (so to speak).

    hey, guys –

    I’m back. And a little confused. I took your advice and thought everything was fixed but then my friend just emailed me this morning to say he was reading the feed of my site and there is a ton of spam in a post again .. I looked at this post and if you do view source there’s a bunch of spam links – https://www.rachelleb.com/2008/03/20/whats-the-temp/

    what is the fix you have found?

    thanks for your help.

    Rachelle

    I've blogged about what I have done with the previously hacked installs that I have taken care of ..

    rather than repaste:

    https://www.village-idiot.org/archives/2008/03/19/wordpress-spam-inject-honeypot-2/
    https://www.village-idiot.org/archives/2008/03/18/wordpress-spam-inject-honeypot/

  • The topic ‘SPAM Inserts into Blog Posts’ is closed to new replies.
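
The injected wrapper quoted in the opening post is a zero-size, `overflow: hidden` element, so the links inside it reach the RSS feed without showing on the page. The following is an added example, not code from any participant in this thread: a check that finds links nested inside such invisible elements in stored post HTML. The function names, the sample post and the host `compromised.example` are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Elements without a closing tag; they must not affect nesting.
VOID = {"br", "hr", "img", "input", "meta", "link", "wbr"}
ZERO = re.compile(r"^0(\.0+)?(pt|px|em|rem|%)?$")

def hides_content(style):
    """True for a zero-size overflow:hidden box (the injected wrapper) or display:none."""
    props = {}
    for decl in (style or "").split(";"):
        name, sep, value = decl.partition(":")
        if sep:
            props[name.strip().lower()] = value.strip().lower()
    zero_box = any(ZERO.match(props.get(k, "")) for k in ("height", "width"))
    return (props.get("overflow") == "hidden" and zero_box) or props.get("display") == "none"

class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hides_content) for each open element
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in VOID:
            self.stack.append((tag, hides_content(attrs.get("style"))))
        if tag == "a" and attrs.get("href") and any(h for _, h in self.stack):
            self.hidden_links.append(attrs["href"])

    def handle_endtag(self, tag):
        # Close back to the matching open tag so an unclosed <p> does not skew nesting.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_links(post_html):
    """Return hrefs of links nested inside (or styled as) invisible elements."""
    finder = HiddenLinkFinder()
    finder.feed(post_html)
    finder.close()
    return finder.hidden_links

# Constructed sample post content; compromised.example is a placeholder host.
SAMPLE_POST = (
    '<p>Warm today. <a href="https://example.org/weather">Forecast</a></p>'
    '<font style="overflow: hidden; position: absolute; height: 0pt; width: 0pt"><!--4848-->'
    '<a href="https://compromised.example/hqc.php?download.htm">spam anchor text</a></font>'
)
```

Running `find_hidden_links` over each post's stored content (for example, an export of the posts table) lists the posts that still carry injected links after an upgrade.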