I have had a hair tearing hacked WordPress blog experience here over the last 2 days. I don’t know why, but it really knocked my knees out, and I am reeling to figure out why this has gotten to me on an emotional level. That even sounds silly seeing those words.
But I am not rolling over. Yet.
It all surface, like many things, in the act of doing something else. I left a comment Sunday on someone’s blog about something rather inconsequential, and got an email later asking me if I knew my blog was riddles with spam links.
Sure enough, I looked at the source code, and at the bottom, written with CSS to hide the display (but not hide from google) was a long list of every variation of PPC (pill/porn/casino) link one could imagine, maybe 120 of them.
It’s kind of like discovering someone you did not invite snuck in a window and shat all over your basement. Just for the kicks.
I had some ideas where to look, cause it happened before when I had my template files set with writable permissions (lazy so I could edit in WP), and sure enough, I could see in my header.php template file a PHP include statement (calling in code from elsewhere on my site) and then another line calling a function I knew did not belong. I got rid of those quickly.
I noted the date of when this was changed (9/1/2009) when also I recalled a big spike, way above my normal, in blog views. Here I thought it was something I wrote, when it was really someone launching blog spam form my site.
The path that it was reading its source from was bizarre, because it was added inside the wp-includes/js/jquery directory– another directory was added here and inside were PHP files that had code hidden by base64_encoding (it takes normal looking code, and renders it as a long string of random looking numbers/letters; PHP can actually execute this code that looks like gibberish by an eval() statement).
And there was another directory with something like 14 Mb of small text files, each one a few paragraphs of jumbled sentences and HREF links- it looked like the random stuff you get in spam blog posts. Jeez, this meant that someone was using my site to launch spam at others.
It was easy to see that this did not belong by comparing to the download archive of the latest WP.
I made sure there were no other things festering in my templates. I decided to delete all of the WP code files, and re-install them.
I was relieved when this was done, and my site no longer included secret spam.
But it returned a few hours later. Damn!
I started to suspect the WP-Super-Cache plugin (from a twitter tip); it was a writable cache directory and might be a place to hide malicious code. I got rid of that, reloaded the entire WP code, and it was clean again.
I also exported my database to see if anything awry was in there, and did a whole bunch of searches on things that could indicate spam. Nothing.
I switched my template, and the crap was still there, suggesting the cause was somehow being written into the core Wp code (because the spam appeared after the closing <html> tag- and if the template was not adding anything, it seemed like it would have to be the WP code or a compromised plugin- but because it went away when I replaced thee WP code, my hunch is that something was being backdoored to modify WP itself (I am guessing wildly).
I read a lot of blog posts like Old WordPress Versions Under Attack which was not seemingly the case, no hacked permalinks… (although it was 9/1 when I upgraded from WP 2.8.3 to 2.8.4).
This was really getting to me, as I was feeling powerless as someone remotely was taking over my blog. I got rather down about this, and honestly contemplated closing up the site, or maybe moving it to WordPress.com
Not yet. Another twitter link I got was Top 5 WordPress Security Tips You Most Likely Don’t Follow, and while I agree that some of them are just things to obscure things with a thin film, I employed most of the suggestions, including changing my FTP, database, and WP passwords (I only have one account and it ain’t “admin”).
So far, over the last 30 hours, the site has not been re-infected, yet I am still lacking a real indication of what happened. The malicious code I did find does not look like what was modifying my own blog.
And I am not about to feel any sense of victory here.
I admit, that there are a lot of hackers, including the one who peed on my site, are a lot more technically savvy than me in these areas, I’d rather focus on silly pictures and snarky prose.I know that. But this whole experience did rock my own confidence a lot (maybe bring it to a real level) and has left a nasty taste in my mouth.
Still, there is a large gaping silhouette of s shadowy powerful figure who is at the heart of this.
It is a dark hole with the shape of Google.
Google has built a successful, sprawling empire based on the elusive gold coin of the realm, link rank. Google provides the incentive that drives shady businesses to hire the 6 legged critters that crawl around and in try to inject unwanted links to the pill/porn business into the sites of innocent bystanders.
And Google continues, in my eyes, to do absolutely nothing to help out the independent hosted blogger who spends inordinate amount of time battling spam or just giving up.
Oh yeah, “no follow” was really effective. Yep. Google with all their super human brain power cant figure out a way to dis-incentivize “people” who game link rank by blasting links in every open web form on the net.
And no one holds their brightly colored logo to the fire for this.
Google- I blame you for the last two days of hell trying to oust a spam hacker form my site, and I have every reason to believe I cannot rest at all.
Google- I lift my leg on you.
The post "Dead Blog Dog" was originally pulled from under moldy cheese at the back of the fridge at CogDogBlog (http://cogdogblog.com/2009/09/dead-blog-dog/) on September 22, 2009.