www.webdeveloper.com

Thread: PHP Injection Problem (WordPress) - Spam links

  1. #1
    Join Date
    Jun 2008
    Location
    Europe
    Posts
    1,114

    PHP Injection Problem (WordPress) - Spam links

    I've started to build a brand new site and downloaded a couple of free wordpress themes to modify...

    It seems that one of these themes not only ran a malevolent script that injected spam links into my site, but when I delete the theme, these trojan links somehow infest all of the themes I switch to, even after the offending theme has been deleted.

    The links are these:
    HTML Code:
    <!-- end #sidebar -->
    <div style="visibility:hidden; display:none"><a href="http://throwbackfootballjerseys.net">Cheap Retro Replica NFL NBA MLB Throwback Football Basketball Jerseys</a> | 
    <a href="http://hp-ink-cartridges.org/">hp printer ink cartridges refills</a>| 
    <a href="http://blog.arnieabramspianist.com/">Professional Wedding Pianist</a> | <a href="http://makingjewelrysupplies.com/">Jewelry Making Supplies</a>
    </div><div style="clear: both;">&nbsp;</div>
    </div>
    </div>
    <!-- end #page -->
    I believe that the theme was named "Swanky" and a few others that I downloaded from http://www.freewordpressthemesbase.com.

    I noticed this code in the footer, which I deleted:
    HTML Code:
    	<p><!--dnc997wordpress-->
    <?php
    if ( !is_user_logged_in() ) { ?>
    <? echo base64_decode("PGEgaHJlZj0iaHR0cDovL3d3dy5oaXJld29yZHByZXNzZXhwZXJ0cy5jb20vIj5Xb3JkcHJlc3Mg
    UGx1Z2luIERldmVsb3BtZW50PC9hPg==");?>
    <? }?>
    <!--dnc997wordpress-->
    This decodes to the following:
    HTML Code:
    <a href="http://www.hirewordpressexperts.com/">Wordpress Plugin Development</a>
    Sadly, the story does not end there. This sleazebag operation seemed to have no qualms putting their own spamlink in there and making it invisible to the user who was logged in, but even when this is removed, there are other payloads which will fill your blog or site with all sorts of spam links for wedding piano players and more things totally unrelated to my site(s). These remain even after you delete their spam-filled theme and put back the old one.

    I would be very wary of anything you download from Wordpress themes base - I'll hide their link here:
    HTML Code:
    http://wordpressthemesbase.com/

    When you do a test site with a free theme, you expect that there will be at least one link to the site creator in there, which is ok, and I leave it for the person who did the work taking it out only if I decide to replace the theme with one of my own.


    How I removed this crap:

    I merely replaced all the files in the wp-includes directory and that did the trick. Turning on the theme again after this base_64 script was removed somehow inserted these hostile links again.

    I checked my SQL database, and there were no entries there. Wordpress has too many little PHP files that could harbor this trojan, so I just replaced all of them.

    I wasted a lot of time fixing what this sleazy operation did to my new site and if I had the time and a team of nasty lawyers, I would go after them to teach these spammers a good lesson. Needless to say, I was furious about being shamelessly hacked by a sleazebag company. Don't believe me, check out their themes!

    If anyone has an easier fix for this, please post it.
    Last edited by donatello; 10-17-2009 at 07:46 AM.
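
Added example (not part of the original posts, and not WordPress or theme code): a Python scanner for checking a downloaded theme before activating it. It decodes `base64_decode("...")` string literals and flags those that decode to a link, and flags links inside hidden `<div>` blocks. The sample is the footer snippet quoted above plus a constructed hidden block; `scan_php` and `scan_tree` are names chosen for this example.

```python
import base64
import binascii
import re
from pathlib import Path

# base64_decode("...") with a string literal; the literal may wrap across lines.
B64_CALL = re.compile(r"""base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=\s]+)\1\s*\)""")
LINK = re.compile(r"<a\s[^>]*href\s*=", re.I)
# A <div> whose inline style hides it from visitors while crawlers still see it.
HIDDEN_DIV = re.compile(
    r"<div[^>]*style\s*=\s*[\"'][^\"']*(?:display\s*:\s*none|visibility\s*:\s*hidden)"
    r"[^\"']*[\"'][^>]*>(.*?)</div>", re.I | re.S)

def scan_php(source):
    """Return (kind, line, text) findings for one file's contents."""
    findings = []
    for m in B64_CALL.finditer(source):
        blob = re.sub(r"\s+", "", m.group(2))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid base64; leave for manual review
        if LINK.search(decoded):
            findings.append(("encoded-link", source.count("\n", 0, m.start()) + 1, decoded))
    for m in HIDDEN_DIV.finditer(source):
        if LINK.search(m.group(1)):
            findings.append(("hidden-link", source.count("\n", 0, m.start()) + 1, m.group(1).strip()))
    return findings

def scan_tree(root):
    hits = {}  # path -> findings, only for .php files that have any
    for path in Path(root).rglob("*.php"):
        found = scan_php(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Footer snippet quoted in the post, followed by a constructed hidden block.
SAMPLE = '''<p><!--dnc997wordpress-->
<?php
if ( !is_user_logged_in() ) { ?>
<? echo base64_decode("PGEgaHJlZj0iaHR0cDovL3d3dy5oaXJld29yZHByZXNzZXhwZXJ0cy5jb20vIj5Xb3JkcHJlc3Mg
UGx1Z2luIERldmVsb3BtZW50PC9hPg==");?>
<? }?>
<!--dnc997wordpress-->
<div style="visibility:hidden; display:none"><a href="http://spam.example.invalid/">constructed</a></div>
'''

if __name__ == "__main__":
    print(scan_php(SAMPLE))
```

A theme can build the same output without a plain string literal, so a clean result from this scan does not prove the theme is clean.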

  2. #2
    Join Date
    Oct 2009
    Location
    New Jersey, USA
    Posts
    4
    Hello,

    Thank you for the heads up, it is really appreciated. I have passed your comments over to my webmaster for immediate attention. My blog is relatively new, and I am new to blogging, and I receive a lot of SPAM, which is one of my gripes with the blog. Very little qualified traffic. I do not know if there is a better way to reduce this spamming, but any suggestions/recommendations would be greatly appreciated.

    Thanks
    ArnieAbrams

  3. #3
    Join Date
    Jun 2008
    Location
    Europe
    Posts
    1,114
    Hi Arnie,

    I figured you got the note.

    I was also certain that you were probably unaware of someone doing this - thinking they were helping you... I assume you focus on piano playing and not developing PHP trojans.

    Good luck with this.
    Hopefully, Google will not punish you for spam - the surest way is to react quickly, maybe even send a note to Google so that you do not get slammed in the search engine rankings and find your site banned.

  4. #4
    Join Date
    Jan 2009
    Location
    Insanity
    Posts
    1,131
    If you have removed this element, it sounds like the system has got a back door.

    This back door could be within your database and explains why you're re-infected again.

  5. #5
    Join Date
    Oct 2009
    Location
    New Jersey, USA
    Posts
    4
    Thanks Again Donatello,

    I am on it and would rather remove the blog entirely than cause issues with anyone's site or pose any potential issues to my website. I'll keep you posted. Much appreciated.

    ArnieAbrams

  6. #6
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    22,287
    On a related note, make sure that you keep your WordPress installation updated. A fairly important security hole was detected not too long ago and was patched in one of the recent 2.8.x upgrades (2.8.4 is the current stable release).
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework

  7. #7
    Join Date
    Jun 2008
    Location
    Europe
    Posts
    1,114
    Quote Originally Posted by ArnieAbrams View Post
    Thanks Again Donatello,

    I am on it and would rather remove the blog entirely than cause issues with anyone's site or pose any potential issues to my website. I'll keep you posted. Much appreciated.

    ArnieAbrams
    After this started, I did not see anything wrong with your website, the problem is people on OTHER websites getting links injected into their sites. Taking down your website will not stop this at all.

    I looked at your HTML code and the only things I noticed that looked sneaky were these two tags:
    HTML Code:
    <meta name="verify-v1" content="nvd2QqaYt2o5kVdbtBhs489VByeZBkK0vfjOOSMlUUA=" >
     
    <META name="y_key" content="db341cb50e969f38">
     
    I don't know what they decode to... I thought they were base_64, but they did not decode to anything using my decoder.

    Otherwise, your page looks fine. There are a lot of links to your own internal pages at the bottom of the page... not sure if that can hurt you if there are too many... but it's probably fine.

    It looks like you or your webmaster bought a package of backlinks from a disreputable company unawares... that company used very "black hat" techniques to get your links all over the place but in a very sneaky and underhanded way that will infuriate people (like me).

    Of course I realize that you are most certainly innocent (Don't shoot me, I'm just the piano player! ). You do not make your living coding PHP trojans.

    I would leave your site up - just find out who is posting these malicious links and get them to stop.

  8. #8
    Join Date
    Jun 2008
    Location
    Europe
    Posts
    1,114
    Quote Originally Posted by ArnieAbrams View Post
    Hello,

    Thank you for the heads up, it is really appreciated. I have passed your comments over to my webmaster for immediate attention. My blog is relatively new, and I am new to blogging, and I receive a lot of SPAM, which is one of my gripes with the blog. Very little qualified traffic. I do not know if there is a better way to reduce this spamming, but any suggestions/recommendations would be greatly appreciated.

    Thanks
    ArnieAbrams
    I'm not sure what your blog was built in (technology). If it is WordPress or similar, there are plugins that can cut your spam almost entirely. Look into "Akismet"

    Hope that helps.

  9. #9
    Join Date
    Jun 2008
    Location
    Europe
    Posts
    1,114

    I've identified the WP file these rogue themes modify

    I had a second blog with one of these rogue themes from http:// wordpressthemesbase.com/ (They are still the first on the SERP for the keywords "Free Wordpress Themes"), and they still infect your blog with spam trojans...

    Anyway, once you switch from one of their nasty themes back to your original or a normal and previously clean WordPress theme, their spam links persist.

    When you install any of the themes from their site, it seems to make a change to the file:
    wp-includes/general-template.php

    Upload a fresh version of that and delete all the templates you uploaded from wordpressthemesbase.com and you are fixed. They do not do SQL injection, I've checked my DBs and they are clean. You do not need to do a fresh install of WordPress... just deleting the themes you got from those sleazebags and replacing /wp-includes/general-template.php works.

    B@st@rds!
    I don't mind if a designer leaves a link in the footer - if I use his theme, I don't remove the link... but this trojan crap is way over the top in my book.
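
Added example (not part of the original posts, and not WordPress code): a Python check that finds which core files were changed, as `wp-includes/general-template.php` was here, by hashing the live tree against a freshly unpacked copy of the same WordPress version. The function names and the temporary trees built in `demo()` are constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_trees(live, clean):
    """Compare a live WordPress directory with a pristine copy of the same version."""
    live_h, clean_h = hash_tree(live), hash_tree(clean)
    return {
        "modified": sorted(f for f in live_h if f in clean_h and live_h[f] != clean_h[f]),
        "added": sorted(f for f in live_h if f not in clean_h),
        "missing": sorted(f for f in clean_h if f not in live_h),
    }

def demo():
    """Constructed trees: one core file altered, one stray file dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean/wp-includes"), Path(tmp, "live/wp-includes")
        for d in (clean, live):
            d.mkdir(parents=True)
            (d / "general-template.php").write_text("<?php // constructed core file\n")
            (d / "version.php").write_text("<?php // constructed\n")
        # Simulate what the post describes: the theme rewrote a core file.
        with (live / "general-template.php").open("a") as fh:
            fh.write("// constructed injected line\n")
        (live / "extra.php").write_text("<?php // constructed stray file\n")
        return diff_trees(live.parent, clean.parent)

if __name__ == "__main__":
    print(demo())
```

Point it at `wp-includes` and `wp-admin` only, using a clean copy of exactly the installed version; `wp-content` legitimately differs on every site.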

  10. #10
    Join Date
    Oct 2009
    Location
    New Jersey, USA
    Posts
    4
    Thanks for the clarification and comments. I have passed these along to my primary Webmaster as well as my Wordpress guy. The Wordpress guy has completed the correction, while I will have a 'back-up check' done as well, just to ensure that the problem has indeed been taken care of.

    I've also inquired about 'Akismet', as spam has become a pain to continuously deal with. I would not care so much if the spam had more to do with music and wedding stuff, but the topics of Viagra and nude photos have nothing to do with wedding ceremony music! (Well, maybe the honeymoon, but that's a different blogging topic...).

  11. #11
    Join Date
    Jun 2008
    Location
    Europe
    Posts
    1,114
    Quote Originally Posted by ArnieAbrams View Post
    Hello,

    Thank you for the heads up, it is really appreciated. I have passed your comments over to my webmaster for immediate attention. My blog is relatively new, and I am new to blogging, and I receive a lot of SPAM, which is one of my gripes with the blog. Very little qualified traffic. I do not know if there is a better way to reduce this spamming, but any suggestions/recommendations would be greatly appreciated.

    Thanks
    ArnieAbrams
    Arnie:
    If you want to increase your traffic, post a few short videos over on Youtube and hyperlink back to your site. That always helps. Quite a bit in fact - over time.
    Post a video or two at MetaCafe and other places where you can hyperlink... maybe even a couple of piano lessons... anything really.

    You can also sign up at linkedin and then link to your site.
    Create a facebook account and link to your site.
    Myspace account and link to your site...

    Write a small blurb or even embed one of your videos over at hubpages: http://www.hubpages.com
    Write a small blurb or even embed... " ... Squidoo: http://www.squidoo.com

    ... you get it...

    This will all help - over time - and it will help quite a bit. The right way to build links.

    Hopefully, Google will not 'slap' you (your site) for what these spammers did...
    Last edited by donatello; 10-19-2009 at 06:24 AM.

  12. #12
    Join Date
    Oct 2009
    Location
    New Jersey, USA
    Posts
    4
    Hey Donatello,

    I've been assured that the changes have been made to my blog to remedy the situation. Still awaiting my 'back-up' audit.

    I have plenty of audio files, but am working on a short video for Youtube as well, since videos really have a more pronounced impact. If you are interested in some music (check out my music download page - I don't want to post a link as this may go against this forum policy) and an email address. I'll send you the songs of your choice for taking the time to alert me of my blog spam issue.

    Thanks,
    ArnieAbrams
