Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
Thread Starter anoncobard

    (@anoncobard)

    Coolgeee, was this code in addition to the bablooO spam HTML or instead of it?

    Thread Starter anoncobard

    (@anoncobard)

I found one hole: a third-party theme wasn’t validating its arguments. I’ve confirmed that it was vulnerable to cross-site scripting (XSS) by appending JavaScript to a URL. Background:

    https://codex.www.ads-software.com/Data_Validation
    https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

    I added a line of input validation to the theme and sent the patch to the theme developers. Hole closed.

Now my burning question is whether that hole is the likely source of my intrusion or there are others. The symptoms we bablooO victims describe seem most consistent with an intruder being able to log into WordPress using the admin account. In practical terms, is a JavaScript insertion in the URL really likely to result in interactive access to the WP Dashboard?

    Thread Starter anoncobard

    (@anoncobard)

    Sterling, when you say “it still seems to be happening” do you mean that you’re seeing new spam content added even after you upgraded to 2.8?

    I saw in your ckon comment that you have the spam in your posts as well as in your RSS feed, it’s just that it’s invisible unless you view source. That’s one of the characteristics of this attack.

    As near as I can tell from the discussion on ckon, some people are finding the spam inserted in their theme files (particularly footer.php, and particularly people who have writable themes folders and use the theme editor) while others are seeing it inserted into blog posts in their database. It sounds like you’re in the latter category.

    You can see the extent of the damage to your database by using the WP Export feature (built right into WP, under Tools) to save your content as an XML file. Then load the XML file into a text editor and see how many posts the spam content shows up in.

    Checking for damage to your themes or other WP files is trickier unless you’re comfortable with command-line tools like grep. If you’re not a command-line person you could still FTP your theme files down to your desktop and examine them in a text editor.

    Please let us know if you find anything that might be useful.
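As an added example (not code from this thread or from WordPress itself) of the damage check described above: a Python script that parses a WP Export (WXR) file and reports which posts carry hidden-content markers of the kind that only show up in view-source, and applies the same check to a theme folder downloaded over FTP. The marker patterns, function names and the sample export/footer fragment are my own constructions.

```python
import os
import re
import xml.etree.ElementTree as ET

# Hidden-content markers (constructed): the spam the thread describes is invisible on the rendered page.
MARKERS = {
    "css display:none": re.compile(r"display\s*:\s*none", re.I),
    "off-screen positioning": re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I),
}
NS = {"content": "http://purl.org/rss/1.0/modules/content/"}  # RSS content module used by the WP exporter

def find_markers(text):
    """Return the names of every hidden-content marker found in a chunk of HTML/PHP."""
    return [name for name, rx in MARKERS.items() if rx.search(text)]

def scan_wxr(xml_text):
    """Parse a WP Export (WXR) document; return [(post title, markers)] for suspicious posts."""
    hits = []
    for item in ET.fromstring(xml_text).iter("item"):
        body = item.findtext("content:encoded", default="", namespaces=NS)
        found = find_markers(body)
        if found:
            hits.append((item.findtext("title") or "(untitled)", found))
    return hits

def scan_theme_dir(path):
    """Walk a downloaded theme folder; return {relative file path: markers} for .php/.html files."""
    hits = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            if name.endswith((".php", ".html")):
                full = os.path.join(root, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    found = find_markers(fh.read())
                if found:
                    hits[os.path.relpath(full, path)] = found
    return hits

# Constructed sample export: one clean post and one carrying a hidden spam block.
SAMPLE_WXR = """<?xml version="1.0"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
<item><title>Clean post</title><content:encoded><![CDATA[<p>Nothing to see here.</p>]]></content:encoded></item>
<item><title>Infected post</title><content:encoded><![CDATA[<p>Real text.</p><div style="display:none"><a href="http://spam.example/">cheap pills</a></div>]]></content:encoded></item>
</channel></rss>"""

# Constructed footer.php fragment of the kind the thread says gets edited in place.
SAMPLE_FOOTER_PHP = '<?php wp_footer(); ?>\n<div style="position:absolute;left:-9999px"><a href="http://spam.example/">x</a></div>'
```

Run `scan_wxr` on the XML saved from Tools > Export and `scan_theme_dir` on the theme folder you FTP'd down; any hit is a post or file worth opening in a text editor.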
