eweibust

Otto42, Thanks a MILLION for all the help. Is there anything else I can provide that would be of any help? If so, please let me know.

Erik

One more update. I have renamed the link.php file so hopefully this stops the attacks while the WordPress people can investigate.

Erik

Otto42,

I believe I’ve done everything correctly with the fix. Here is what I’ve done.

-rw-r–r– 1 erikweibust pg928284 2506 Oct 16 18:27 link.php
-rw-r–r– 1 erikweibust pg928284 2824 Jun 1 19:53 link.php.bak

I’m not sure what the best way is to show you what I’ve done other then by showing you the above ls -l.

What do I need to do now?

Erik

Thanks Otto42,

I hope you’re right on me incorrectly applying the fix. I’ll check when I get off work.

I downloaded a zip file. Unzipped it. Scp’ed the file to my server. Renamed the existing file to link(s).php (not sure, are there two, both link and links?). Lastly, I copied the newly uploaded file to wp-admin dir.

Erik

I hate to do this…. but the fix did not work. I woke up this morning and had 10 more spam blogroll links. ??

I guess that I should just go ahead and rename links.php and wait for another fix.

One question, if I rename links.php what do I lose? Will I still have a blogroll, but won’t be able to update it? Or, will the blogroll completely disappear from my sidebar?

Thanks…

Guys, a big fat THANK YOU, to everyone, for all the help. I’ve applied the new link.php to my site and things appear to be resolved.

If I have any other problems I’ll let you know.

Thanks…
Erik Weibust

Great feedback here. Thanks!

I have two questions.

1. How does one add a bug fix to an install? (sorry for not googling this before asking question)
2. Do I still need to rename my links.php if I install this bug fix?

Otto42, thanks for the tip. I will try that as soon as I get home tonight (my company proxy blocks me from ssh’ing into my box).

One other thing. My host, Dreamhost, said that there couldn’t be anything wrong on the mysql box, but they specifically said to NOT USE the plugins SimpleTags and Subscribe to Comments, so I have disabled those.

So as of right now, the only change I’ve made is disabling all 3rd party plugins. Tonight I will rename my link.php file.

Thanks… Erik Weibust

Here is my update…

I changed my db and ssh passwords and I’m still getting the blogroll spam. I’ve emailed the [email protected] address.

I’m kind of at a loss of what to do next. I would love any and all suggestions. I’m not about to shut my blog down after 4+ years of postings, but I REFUSE to let it be hacked like this.

Is it possible to pull out my posts and comments and start over knowing I haven’t been hacked? I have no problem with exporting my entrites/content and then deleting every file/db on my host and starting fresh.

Erik

whoami, thanks for the quick respone.

I am absolutely, 100%, sure the links were added after the upgrade. As a matter of fact. I just now deleted the links. I bet within the next couple hours the blogroll spam links will be back.

I want to make sure I’m clear on what’s happened.

1. I *was* using WP 2.1
2. Somebody added a new user to my blog
3. I deleted the user
4. Somebody added blogroll spam to my blog
5. I deleted the blogroll spam
6. Somebody added the blogroll spam, again
7. I upgraded my blog to WP 2.3
8. After the upgrade the blogroll spam was still present so I removed
9. The blogroll spam was added again.

I hope that helps clear up the timeline.

I’m about to change my db and ssh password, so maybe that will help, otherwise, I’m expecting to see the blogroll spam.