I’ve been dealing with a spam issue for the past few months that has sidetracked me, sadly, from writing. For that I apologize. Consequently, I have a stockpile of things to write about and will likely be posting daily for the next bit.
Also, because I’ve promised myself to start writing about practical problems and solutions (in addition to my regular rants and opinions) for the purpose of knowledge sharing / open source, I thought I might share a bit about a really silly oversight that caused a world of pain.
For some reason, DreamHost accounts by default don’t protect against directory browsing. What I mean is, the root directory allows read access to directories within. So when I installed my very first fancy smancy WordPress app, every directory on my website that did not have an index page like index.php or index.html was completely browsable via HTTP.
This weakness was eventually exploited as any open source installation with configuration holes eventually will be. Unfortunately, the hack was quite clever and not at all obvious to the naked eye. At first I noticed huge performance hits on requests to my website. Then one day I was troubleshooting a JavaScript issue and happened to take a look at my page source. This request as well took a ridiculously long time to service. When I scrolled to the bottom of the file I found several thousands of lines of hyperlinks in an HTML comment tag.
The hyperlinks must have been injected for some sort of page rank ploy because they were completely hidden to the user, but not to the search engines. In fact I soon realized that Google had completely blacklisted me and a search for Shaun MacRae would not return my site if I tried.
I quickly found that my template footer file contained the unwanted hyperlinks and was able to replace that file with the default footer.php provided by said template.
Then 2 days later, the same slow loading issues. This time I viewed source straight away and again found the mysterious links. I replaced the file again, this time checking the fix, clearing my browser cache, checking again, and finally, checking the next day to ensure it was still all good. And it was.
Then a week later, the same thing happened again. At this point I spent a few hours looking for this problem/solution online. While I could find mention of the hacked footer.php file, I could not find anything that mentioned repeat offenses, or any kind of ‘target hack’ or ‘internal corruption’. It is the second that I believe to be true, but I will never know for sure because eventually I gave up.
In my research I learned that having directory browsing enabled serves as a large security hole, and so I tested my luck with locking that down and rebuilding my site. I suspect there was actually some code generation happening at some relatively random event occurrence. So somewhere, I bet I would have found if (isShaunsUnluckyDay) replace footer.php with footer_hack.php – or something similar.
Anyway, I took the hard road and installed the latest WordPress with directory browsing disabled and re-entered every article from scratch – well copy/paste – but still! I did this because at one point I actually found some of those links inside individual article content as well, and I wanted to make sure I was working my way up from a clean database. In hindsight, I probably would have taken my chances with a corrupt database, because it was an incredible amount of work starting from scratch. You don’t realize it when you build your content up piece by piece but eventually you have quite a lot of it. It’s all done now though, and short of a few broken links that still need addressing, I should be back into blogging action yet again.
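
A check for the injection described in this post (a block of hyperlinks hidden inside an HTML comment in a theme file such as footer.php), as an added example that is not part of the original post. The threshold, the sample theme path and the spam.example URLs are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# A comment that is never closed hides everything after it, so match to end of text too.
COMMENT_RE = re.compile(r"<!--(.*?)(?:-->|\Z)", re.DOTALL)
ANCHOR_RE = re.compile(r"<a\b[^>]*\bhref\s*=", re.IGNORECASE)

# Constructed sample inputs (not taken from the original site).
CLEAN_FOOTER = '<div id="footer">\n<!-- theme footer -->\n<?php wp_footer(); ?>\n</div>\n'
SPAM = "".join(f'<a href="http://spam.example/{i}">x</a>\n' for i in range(40))
INJECTED_FOOTER = CLEAN_FOOTER + "<!--\n" + SPAM + "-->\n"


def hidden_link_comments(text, threshold=5):
    """Return (line_number, link_count) for each HTML comment with >= threshold anchors."""
    hits = []
    for m in COMMENT_RE.finditer(text):
        count = len(ANCHOR_RE.findall(m.group(1)))
        if count >= threshold:
            hits.append((text.count("\n", 0, m.start()) + 1, count))
    return hits


def scan_tree(root, threshold=5, suffixes=(".php", ".html", ".htm")):
    """Scan template files under root and return {relative_path: hits}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = hidden_link_comments(path.read_text(errors="replace"), threshold)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp, "wp-content", "themes", "sample")  # hypothetical theme name
        theme.mkdir(parents=True)
        (theme / "header.php").write_text(CLEAN_FOOTER)
        (theme / "footer.php").write_text(INJECTED_FOOTER)
        for name, hits in scan_tree(tmp).items():
            for line, count in hits:
                print(f"{name}:{line}: HTML comment hides {count} links")
```

The same `hidden_link_comments` function can be run over saved page source or exported post content, which covers the case where the links sit in article bodies rather than in a template file.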





