Aral Balkan

Danny emailed me today to say that he'd noticed spam links on the SWX web site (thanks, man!) When I looked, I couldn't see anything. That is, until I looked at the source.

Somehow, someone managed to inject spam links and hide them using display:none. The actual code starts like this:

<u style="display: none">

And then includes the spam links.

I feel they may have gotten in through a vulnerability in the older version of Wordpress that the site is running. I am now in the process of upgrading it to the latest version (2.3.2) and having my web host check the servers.

In the meanwhile, though, I didn't want the bastards to gain another penny from having hacked my site so I whipped up a very simple Wordpress plugin that checks for and removes those links.

It's called Remove Hidden Spam and you can download it here (.zip; 718 bytes) in case you're affected by this also (Danny told me that Keith was hit by this recently too.) Just copy it to your plugins folder and activate it.

Comments

• [...] else first before attempting one (which, of course, is absolutely the worst thing you can do, as the recent spam hack on the SWX blog demonstrated so well). I used to dread doing the updates mainly because I just knew something would [...]

  by Upgrading to Wordpress 2.3.2 at Aral Balkan on 2008-01-13 18:32:17

• I have been attacked, too. I just upgraded from 2.3.2 to 2.3.3 because some of my readers informed me they couldn't subscribe. It turns out that there are hidden links after my footer that start with this font style="overflow: hidden; position: absolute; height: 0pt; width: 0pt;" I tried the plugin but unfortunately it didn't work :( I am getting desperate to the point where I want to wipe everything off and start from scratch again. I hate spammers.

  by Ben on 2008-02-13 17:31:33

• Seems like upgrading WP and changing the password has helped so far (knock on wood). But I might check out the plugin too.

  by Keith Peters on 2007-12-30 22:35:18

• In my case the spammed links were located in my theme's footer.php (!?)

  by Claus Wahlers on 2007-12-31 00:54:40

• If you have the means, I highly recommend checking out wordpress from their svn repo. Then when a new version comes out, an update is a simple 'svn switch' command away. Its harder to set up, but easier for always being up to date in the long run :)

  by Ash on 2007-12-31 15:02:02

• And suddenly Aral's pagerank was 7 again ;) Thx for the plugin and the post man! Best wishes for 2008 ;) Greets

  by Ronny on 2008-01-01 16:18:01

• @Claus: Intersesting -- did you have the theme editor enabled? @Andrei and @Ash: Thanks for the tips :) @Ronny: You're welcome + Happy New Year! :)

  by Aral on 2008-01-02 09:32:44

• It seems I have also fallen victim to this, but whats weird is my blog is up to date, so much for a perfect world... Thanks for the tips, it cleared it right up.

  by Matthew Keefe on 2008-02-16 20:05:49

• GAH! And i was wondering why my blog's pagerank dropped. Now i know. Bastards. Lesson learned. Thanks Aral ;)

  by Claus Wahlers on 2007-12-30 23:05:10

• Just a quick update: Having looked in the database it does look like they used an SQL injection vulnerability in Wordpress (in 2.1.2) to inject the code directly into the database.

  by Aral on 2007-12-30 23:07:06

• Hi Aral, we have been dealing with the similar issues on afcomponents.com/blog. There are security holes in at lest 3 of the previous versions of WP. After upgrading to the latest version be sure to disable the remote post and the theme editor. Cheers, Andrei

  by Andrei on 2007-12-31 18:46:11

• I added some lines to your code. I noticed my spammer was slightly different. So I replaced your single line with this: $content = preg_replace('/.*?/s', '', $content); $content = preg_replace('/.*?/s', '', $content); $content = preg_replace('/.*?/s', '', $content); $content = preg_replace('/.*?/s', '', $content);

  by Michael on 2008-05-13 08:38:43

• Well, crap it won't show the html, well anyway, I added one with display:none (no spaces and copied those two with single quotes instead of double quotes. I hope this makes sense. :)

  by Michael on 2008-05-13 08:40:12

• [...] none”) si vedono invece nel feedreader. Io almeno con google reader le vedo. Provo questo plugin, speriamo bene. Pubblico questo post anche per vedere se funziona. Non trovo nulla invece per il [...]

  by Cronachesorprese » Prova tecnica - Plugin on 2008-03-18 10:59:27

• Don't you hate spam to?

  by Mook on 2009-03-12 06:31:11