Dammit!!!! I HATE SPAMMERS MORE THAN ANYONE ON EARTH! I honestly, 100% mean it when I say that I want to KILL spammers. You guys are laughing right now… “hehehe. Here goes that crazy John P. with another rant about spammers. Aww, he’s just kidding!” No! I am an ex-Marine, I own guns and knives, and I’m begging a spammer to show up at my house so I can do horrible things to him!!!! GRRRRR!!!!!
Today I got an email from Google as follows:
Dear site owner or webmaster of onemansblog.com,
While we were indexing your webpages, we detected that some of your pages were using techniques that are outside our quality guidelines, which can be found here: http://www.google.com/support/webmasters/bin/answer.py?answer=35769&hl=en. This appears to be because your site has been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.
The following is some example hidden text we found at https://onemansblog.com/:
calendar acrobat download wcc adobe’s click. create watermark in adobe acrobat ea adobe acrobat professional Software Planetadobe creative suite 2 rumors adobe acrobat not finding scanner . adobe acrobat 8.01 professional software adobe acrobat 5.0. activate adobe acrobat 8 adobe acrobat contact sheet Adobe Acrobat 9 Pro Extended | Software Planetadobe acrobat 6 professional serial numbers c adobe acrobat fields sql . download adobe acrobat reader full version could not find adobe acrobat plugin
In order to preserve the quality of our search engine, pages from onemansblog.com are scheduled to be removed temporarily from our search results for at least 30 days.
Why, pray tell, would Google ban OneMansBlog from the index? Well, because some sneaky bastard somehow added a bunch of spam to the footer of my blog! HOW? My directory permissions are correct, I have all the latest versions of plugins installed and WordPress is up to date. So, let’s run down a checklist of things you should do so as not to fall victim to the spammers too:
- First of all, change your password for logging into your blog to something HARD. Something that will never appear in any dictionary attack. Mine was good, but now it’s even better. See my How I’d Hack Your Weak Passwords article to understand more.
- Add the Login Lockdown plugin to your WordPress to protect against brute force attacks. If someone incorrectly attempts to log in more than 3 times it will lock their IP address out for an hour.
- USE WP Security Scan to look for vulnerabilities in your WordPress installation!
- Routinely search through your theme’s Header.php and Footer.php files and make sure nothing spammy is showing up in there. If so, delete it immediately and search for, or recruit help in searching for, the breach!
- Change the FTP login on your Webserver just to be sure that no one has managed to guess what it is.
Finally, I encourage you to restrict access to your /wp-admin/ directory. Put a text document called .htaccess in the wp-admin directory to resrict access to your WordPress admin panel by IP so that only someone coming from your IP address can access it. The following should be in the file with no line breaks before or after it:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from X.X.X.X #Put your IP address
allow from X.X.X.X #Put another IP address
</LIMIT>
If you don’t know your current IP address you can stroll over to WhatsMyIp.org and they’ll tell you. Then you can add as many lines as you need for the various spots you might access WordPress from. Like your home, work, etc.
If all of that doesn’t help you, then may God have mercy on your soul. Because I don’t know what else to do. You should check with your Web hosting provider and ask them to look into the problem. And if they don’t do it, then go to Layered Tech, get hosted on The Grid, and ask for DEFCON management! That is all.
And remember! If this can happen to me, it WILL happen to you if you don’t take precautions. You’ve been warned.
I just came across this now, I installed a plugin called BulletProof security for wordpress. It seems to have halted some attacks as have been a victim from these freaks lately…
Really sucks
i secured my site via captchas. i had problems with the spam bots but i won that race :-)
switching to wordpress , i thought i was secure , now i haveto secure all my wordpress sites =/
I’m seconding that first advice piece about your password. Seriously, your phone number as a password? Your last name? Pathetic. I got hammered by a ton of emails from eBay the other day because someone hacked my pathetic password that I’d never bothered to change (for the record, it was ‘gooood.’ Yeah, I know. It’s lame.)
Now, though? My password’s 32 characters long, with four letters and one symbol. Take that, hackers!
Thanks Herbert, I installed that plugin. I’ll add it to this page later after I’ve tested it out a little bit!
John P.
Hi John, I suggest you install this WordPress file monitor plugin http://wordpress.org/extend/plugins/wordpress-file-monitor/ and check and/or change your WordPress Table prefix to something else then the default wp_ if you havent done that already.
John, do you know how to run queries against the database? If so, I would try these two:
SELECT * FROM wp_usermeta where meta_value like ‘%administrator%’;
SELECT * FROM wp_usermeta where meta_value like ‘%script%’;
If you changed the default table prefix when you installed WordPress (usually done if you want to install more than one WordPress into the same database), then you will need to change wp_usermeta to whatever that is. The first query will show you how many accounts there are with administrator privileges… you can see what the usernames are for each account by matching up the user_id fields with the ID field in the wp-users table. The second query will show you if any of the display names for your users contain suspicious code, from having a tag embedded in them.
Also, look inside WP’s index.php. See if any extra code has been added to it (download a fresh copy and compare the two).
If you don’t find anything with either of those, then the next place I would look would be for files that were dropped on the server as backdoors. Unfortunately, those can be very hard to track down.
Thanks Michael! I just did the auto-upgrade function and yes, I’ve been dealing with this for weeks. I keep finding the code and deleting it, and I can’t figure out how they are getting into the site considering everything else I’ve done.
I did go into the Google Webmaster Tools and already request that they not de-index me, though if it reoccurs and I don’t catch it quickly enough when they check again they’ll likely do it. So I’m pretty nervous about it.
This kind of thing really sucks for someone in my position. I’m just good enough to hack some PHP and operate the blog on a day to day basis, but not good enough to deal with emergency situations like database backups and restores, etc.
GRRR!!!
John
John, when you upgraded, did you do complete wipe and resintalls? Or did you just upgrade the files? It’s possible that the hackers got in while you had an earlier version installed (afaik everything up to and including WP 2.8.4 was vulnerable), and it just went undetected (might not even have been exploited) until recently. If this is the case then just upgrading won’t help. I wrote up a piece a while ago on how to completely clean your WP install:
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
but even if you do that, with some exploits you need to be careful because they might have left a back door in the database itself.
Sorry you got hacked, I know it sucks. Been through it a few times. One thing I would suggest for after it’s cleaned… you can probably cut the ban time from Google (or possibly head it off altogether, since you are still fully indexed as of right now) by doing a reinclusion request through the Google Webmaster Tools utility. You would have to sign up and register your site if you haven’t already, but it’s relatively painless to do.
Good luck. :)
Great article, I am off to install the plugins and check my files! Thanks.
I don’t know how they did it. The DEFCON keeps the server itself hardened, but if you have a weakness in the WordPress stuff they can’t protect against that. This is why doing all of these things is very important.
I suspected it was a problem with the permissions I had on a couple of directories at first. I used WP Security Scan to correct those. Then it happened again! So I just changed my passwords for WordPress and even for my FTP.
I’ll be keeping a very close eye on it for a while, and probably also get Jad (our Woopra server magician) to take a look at it too. If I determine what is going on I’ll update everyone so that you can take preventative measures.
John P.
If the Pentagon can’t keep hackers and troublemakers off of their servers and setups, how can we? I remember hearing breaches at various places such as the Pentagon, and so on.
Not good at all.
I know! It’s reee-diculous. :-) Oh, and it says “AT LEAST” 30 days!
John P.
I had major problems during November and lost 10 WordPress sites. Yes, I keep them updated but they managed to get into my databases and eventually infected all my accounts on one server. it was a nightmare. I had backups but it seems that the infection was there for at least a month as all of my backups were infected also. Had to nuke my account and rebuild! Thanks for the tips. i will definitely add them to my arsenal.
Thirty days??? Because of some bastard spammer?? Damn!!! That royally sucks….
Now I gotta go back and read the rest of the post – that part right there just RILED me UP!!!
John – how the heck did they get past your DEFCON 1 security? Keep me in the loop if you find out. I’d like to know what to fix.