Comments on: Spammers Hack Blogs

By: Teddy

Teddy — Mon, 28 Jan 2008 20:34:55 +0000

If more people would aim at hacking the spammers and spamming the spammers the world would be a better place. If ever effort to spam someone’s system or hack an account resulted in a total loss of data for the culprit they would stop doing it.

Fight fire with fire… stop the bums in their tracks by using their own tricks.

[email protected]

By: Kevin Burton

Kevin Burton — Fri, 27 Oct 2006 19:09:03 +0000

I’m seeing people do this to wiki’s too……. Some of the wiki’s support a raw HTML extension (trac for example) and the page will look normal until you edit the source to see a bunch of raw links at the bottom of the page.

I wonder if there needs to be a rel=”spam” microformat for telling Google you think someone has been spamming you. Either that or a ping service where you can send them link spam.

By: Dave Perry

Dave Perry — Wed, 25 Oct 2006 19:12:32 +0000

I alsp get a lot of spam comments in my blog. But I use Statcounter to check my site and I sometime find that the spam links actually help some people to find my site. Evenif it is by mistake. Perhaps they are searching for the name of the company and they add another keyword that is in my blog. And guess what now my blog comes up first in their search…

By: Brian Pinard

Brian Pinard — Mon, 23 Oct 2006 06:08:08 +0000

I’m glad to see things are cleared up now.

Let this be a warning to everyone! Make absolutely certain your blog is as secure as you can reasonably make it.

Spammers are the scum of the earth. Well, one of them

By: colbert

colbert — Sat, 21 Oct 2006 11:12:16 +0000

pretty scary. what was Nivi’s blog running on ?

By: alex

alex — Fri, 20 Oct 2006 20:33:56 +0000

I wonder what security measures the average Blog has taken, I think one easy step to increase security is to alter any login links to pass over the host’s Shared SSL Certificate.That way login names and passwords won’t be sent un encrypted, anybody spying on the sites traffic will harvest nothing.

It’s nothing new but I hope these simple precautions will help somebody and flush out a lot of the spammer.

By: Charles on… anything that comes along » Why I risked breaking the blog: because Wordpress blogs are getting hacked

Fri, 20 Oct 2006 11:57:26 +0000

[…] Basically, he’d noticed people’s blogs had been invisibly hacked, so that the text wouldn’t show up when you looked at the site, but through the magic of CSS, would to Google. And of course to your newsreader: the hacked invisibly spam-laden text would, to your web server, be “updated”, and so would refresh in your newsreader. When that happens, it’s a good sign that the blog you’re looking at has been hacked. […]

By: milo

milo — Fri, 20 Oct 2006 07:24:46 +0000

Err, how come no link works to Nivi?

By: Jeff

Jeff — Thu, 19 Oct 2006 18:16:08 +0000

This is really bad in the sense that a lot of RSS readers run HTML as trusted, local content. So this would be a way to deliver some nasty payloads from a trusted source.

By: Leanne

Leanne — Thu, 19 Oct 2006 16:28:54 +0000

I had this happen over the past year some time – they hacked in and the code caused my template to be off center just by a pixel or two – I couldn’t find the source for the longest time.

I ended up modifying my template, but it was still out of whack in IE until I recently went into my header.php and found the spam links in there.

I was running 2.0 at the time, I believe, so it’s not just the 1.5 users seeing this happen.

By: h0bbel

h0bbel — Thu, 19 Oct 2006 13:20:38 +0000

If this was on a shared hosting plan, chances are that this wasn’t even Navi nor WordPress’ fault. It could just as easily been some other random piece of software on the same plan that was compromised and as long as the files were writable it could have inserted the spam links in all files if it wanted to.

The joys of shared hosting packages and ISPs not running services jailed…

By: Alistair

Alistair — Thu, 19 Oct 2006 13:18:33 +0000

Assuming it was a brute force style attack and it wasn’t a phpBB breach, the other simple thing to do would be to enforce a minimum level of password strength. Enforcing minimum of 8 characters, with at least one uppercase and at least one numeric would make brute force considerably harder.

By: Meri

Meri — Thu, 19 Oct 2006 09:44:08 +0000

I’m running v2 and having the same problem. Seems I’m not the only one either:
http://www.yardley.ca/blog/index.php/archives/2006/10/08/spam-injection-from-50webs/

I noticed it when it’d happened to Eric and did look around at the time in case there was a WP security hole that needed a patch, but didn’t find anything. It’s only happened to one entry of mine as well, which seems strange — restraint isn’t normally a spammer characteristic…

By: Mark Jaquith

Mark Jaquith — Thu, 19 Oct 2006 08:30:34 +0000

The spam has been purged, and we've changed all passwords and closed off several potential modes of entry (old unused WP installs, etc). The unauthorized access was first gained before the 2.0.4 upgrade, and I'm fairly certain that any subsequent access was a result of the earlier access (i.e. the password was already bruteforced). So, no need for panic (unless you're running an old version of WordPress or you have a weak password... in that case, fix it!) Only 54 posts had been modified, as far as I could tell, so thankfully cleanup didn't take that long. Two preg_replace() calls on the affected posts did the trick.

By: Nick

Nick — Thu, 19 Oct 2006 07:20:46 +0000

I had once a similar problem and discovered it, because I am using subversion (SVN) to manage the source code modifications of my blog.
Subversion is a version management system and allows to monitor code (and any other files) for changes / sync between local and remote web servers and very easily undo any changes done to the blog source code.
And of course it is free and open source!

By: Eston

Eston — Thu, 19 Oct 2006 05:19:11 +0000

The easiest way to stop this type of thing from happening would be to set up a captcha that activates on wp-login.php after a couple of bad passwords. If they fail the captcha more than twice, you could 403 the domain in mod_rewrite.

By: Graeme

Graeme — Thu, 19 Oct 2006 05:02:35 +0000

I also had something similar on my blog a few weeks ago just after moving to my old site. Caused I’m afraid by having my installation on far poor permission settings and poor password choice. All my php files had been hacked and one line of code had been added. I only noticed because the load time for the admin got so long I looked at view-source and saw a line of code I didn’t recognise. Took hours to repair the damage and now I make all changes on my local machine before uploading! Probably over the top protection wise but not sure how else to go as a novice!

By: Mark Jaquith

Mark Jaquith — Thu, 19 Oct 2006 04:17:13 +0000

We found some of that spam in his templates. I thought it was just because he’d been running 1.5.2 until the 8th or 9th of October, when I upgraded his site to 2.0.4 But the rise of those old posts (with spam) to the top in FeedBurner along with the internal Pingbacks has me curious. I’ll be investigating.

By: Rust

Rust — Thu, 19 Oct 2006 03:56:30 +0000

How difficult would it be for WordPress (for example) to check all of it’s files as soon as it’s installed (including the active theme and plugins), generating sizes and MD5 sums and placing all that info in the database? Then, if any of the files are changed (for speed, this check maybe only occurs when you login to the admin section), a warning bar will appear in the admin section. That info (file sizes and MD5 sums) would be updated automatically when any files are edited through the built-in editing interface, or when a new theme is activated, or when a new plugin is activated. When the warning bar comes up, the admin would have the option allow the changes (for ex. if they changed the files and uploaded via FTP), or temporarily disable the site until the problem can be fixed.

Just a thought. I’ve used this method with some success, but since no one tried to hack the thing (or at least succeeded to the point of me noticing it), I couldn’t say if it’s particularly viable.

Might be doable as a plugin though…

By: Nivi

Nivi — Thu, 19 Oct 2006 02:50:02 +0000

Yes, I was running 1.5.2 up until a few weeks ago. I hired Mark Jaquith to upgrade me to the latest revision of WordPress and he is awesome.

My templates were even hacked! Not just the blog posts.

By the way, I don’t think it was a man-on-the-inside attack as I think my permissions on Dreamhost are in decent shape.

Now that I am on 2.0.4 I have recently gotten a few weird circular trackbacks from my some of my blog posts to themselves. I’m not sure what is causing that.

By: iface thoughts » Blog Archive » Scary Spamming

iface thoughts » Blog Archive » Scary Spamming — Thu, 19 Oct 2006 02:49:07 +0000

[…] Matt gives an instance of spammers hacking blogs to do what they do. They not only modified the posts, but hid the modifications so that they cannot be discovered. Clever, but still evil! The reason why they do such things is because they can gain linklove. I wonder if search engines can, and I really don’t know how, identify these spam links and not credit them. Maybe search engines can get wary of new sites with a lot of linklove in a really short time. I think that is the only solution that will demotivate the spammers. […]

By: Matt

Matt — Thu, 19 Oct 2006 02:26:38 +0000

BTW, I just heard from Nivi that he “was running 1.5.2 for way tot long” and he thinks that was the problem.

By: Matt

Matt — Thu, 19 Oct 2006 01:49:13 +0000

I think the core thing here is spammers are getting much sneakier, and willing to go much further. I don’t know if this means that current measures are working to an extent, or if they’re just really evil.

I’ve emailed Nivi, until we know what caused it I wouldn’t panic about changing your password or something.

By: Eric

Eric — Thu, 19 Oct 2006 01:37:39 +0000

This is exactly what happened to me five months back (I posted about it on one of the WP mailing lists), and if I remember correctly, the same spammer domain name was involved. If I remember correctly, the hidden spam was inserted after the next-to-last closing </p> of every post, and the access patterns made it look like a script was at work. Someone saw my old posts show up as new with the spam links in Bloglines, as seen here, and alerted me to the situation.

By: nikkiana

nikkiana — Thu, 19 Oct 2006 01:36:05 +0000

I actually had something similiar to this happen to my wedding blog, and I would have never noticed unless the spammers hadn’t screwed up and inadvertantly ruined my theme. I know in my case it had been because I’d forgotton to update to the newest version of WP because I wasn’t really actively using that blog.