Backup of David's Livejournal

My Compromised Blog

I was doing some general cleanup around the blog. (Considering widgetizing the sidebar...) I re-validated the XHTML, and some errors came up. The following code was inserted into the content of a post. (Which is contained inside a MySQL item.)

<p id="displayer" style="display:none">
CD and DVD films available for download at <a href="">download movies</a> site, cheap prices and fast downloading.</p>

The evil little snippet above says that humans won't be bothered with the link, but search engines will notice it.  Also, the following was actually inserted into my theme's index.php.

<form id="srch" name="srch" style="overflow:hidden;width:0pt;height:0pt" method="post">
DiVX and DVD films available at <a href="">download movies</a> portal, low prices and fast downloading.

Just like the prior snippet, humans won't see the link, but search engines will.

It's hard to describe how annoying this is. Somebody/bot found a way to compromise my blog's directory and its database.  I only sftp and ssh to the site. (Although in the past I have ftp'ed. No more!) I thought I chmodded the wordpress files to -rw-r-----, but I see now that there are more extensive write permissions in some directories.

I checked the last few logins, but they were all mine this month.  (And my host clears the log every month.)  I have to monitor the situation closely.

Ye gods, the referrer spam goons are aggressive!  Aargh!


 sjonsvenson on Jan 25th 2008 at 9:53 PM
Ha, but they only want to help. Adding just the missing parts. ... *sigh*

 dblume on Jan 26th 2008 at 4:10 AM
Actions taken:
  • Changed password.
  • chmodded the WordPress directories and files.
  • Disabled ftp access. (sftp still works!)
  • Inspected system with both Ad-Aware and Spybot S&D.
Will have to watch it for a while...

 ext_82408 on Jan 28th 2008 at 4:46 PM
Change the database password as well. This will require changing the wp-config.php file, but if they got in, then you can't be too careful.

 ext_82484 on Jan 29th 2008 at 6:53 AM
Good point. Done. (And yea! for OpenID.)

 halophoenix on Feb 22nd 2008 at 6:24 PM
Argh - looks like I just got hit with the same thing at :( Which file did you wind up finding the offending text in? I've been diving through various index.php files and I haven't been able to find their muck anywhere!

 dblume on Feb 23rd 2008 at 3:08 AM
Looks like you found it. (Did you?) For me, one violation was somehow appended to one of my entries! (Meaning it resided in a MySQL record.) The other was appended to my theme's index.php file.

 halophoenix on Feb 23rd 2008 at 3:31 AM
No, actually - it's still there in the page source, down under the archive months and above the search form. :( I think it might be in a MySQL record then, I did go through all of the php files for my theme and didn't find a thing. The SQL tables are the only other place to go looking, and DH hosts the database, so it's an adventure to go mucking around in there. edit: Ah HAH! Looks like I got it. With a little help, of course. So the offending PHP call was sitting in my headers.php file right under my nose (I saw it, but thought it looked natural) and killed it. Had to also dive into the database and clean up the PHP call from the database as well (along with a couple hundred bogus rss_% option names in the wp_options table). Checked my other blogs and they looked clean. Wierd! I don't even know when it got there...anyway, this was a huge help: I think I'll keep that bookmarked. XD Now maybe I can beg the Google gods to start indexing TTVF again...