Post updated after publication; see the bottom.
If you came to this article because you received an e-mail or a comment on your blog asking you to read it, please do not go away. Read the rest.
I am an independent information security researcher. I am investigating an attack on some WordPress-based blogs that involves spam and the exploitation of Google's PageRank mechanism.
First of all, check for yourself whether your blog may be compromised. There are two different checks. The first requires a small utility called "wget", widely used on Linux but available for Windows too. Use this command:
wget -U googlebot -O home.html http://yourblogurl/
Note that -O and -U are both capital letters (-U sets the User-Agent header the server sees, -O names the output file), and http://yourblogurl/ is the address of your blog's homepage.
After the command runs you will have a single file called home.html, containing the HTML of your blog's homepage. This is how your blog appears to the Google spider. Open it with a text editor, not a web browser. Examine the code: you may see a <div> block containing links that do not belong to your site. Usually it sits shortly after the opening <body> tag, or near the end of the page.
These links are about pills, ring tones, loans and so on, just like ordinary spam mail. You can compare the file with your homepage as it appears in your browser's source viewer, or fetch another copy with wget without the -U option, which gives you the "regular" homepage.
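The same comparison as a small shell script, added here as an example and not part of the original post: it lists the link targets that appear only in the copy served to "Googlebot", so your own links cancel out and the injected spam block is what remains. The two wget commands are the network step and use the placeholder http://yourblogurl/; the two sample pages built at the bottom are constructed so the script can run offline.

```shell
#!/bin/sh
# Added example (not from the original post). Fetch the homepage twice, once
# claiming to be Googlebot and once as a normal client, then print the href
# targets that only the Googlebot copy contains. Regular links cancel out,
# cloaked spam links remain. http://yourblogurl/ is a placeholder.
#
# Network step, run by hand:
#   wget -U googlebot -O home-googlebot.html http://yourblogurl/
#   wget -O home-regular.html http://yourblogurl/

# Print every href target in an HTML file, one per line, de-duplicated and sorted.
hrefs() {
    grep -o 'href="[^"]*"' "$1" | sed 's/^href="//; s/"$//' | sort -u
}

# Print the href targets found in the Googlebot copy ($1) but not in the
# regular copy ($2). comm(1) needs both inputs sorted, which hrefs() does.
cloaked_links() {
    work=$(mktemp -d)
    hrefs "$1" > "$work/bot"
    hrefs "$2" > "$work/regular"
    comm -23 "$work/bot" "$work/regular"
    rm -rf "$work"
}

# Constructed sample pages (not captured from any real blog) so the check can
# be tried offline: the Googlebot copy carries a hidden <div> of spam links
# right after <body>, as described above.
make_sample_pages() {
    cat > "$1/home-regular.html" <<'EOF'
<html><body>
<a href="http://yourblogurl/about/">About</a>
<a href="http://yourblogurl/?p=12">A post</a>
</body></html>
EOF
    cat > "$1/home-googlebot.html" <<'EOF'
<html><body>
<div style="display:none">
<a href="http://pharmacy.example/buy-valium">buy valium</a>
<a href="http://ringtones.example/">free ring tones</a>
</div>
<a href="http://yourblogurl/about/">About</a>
<a href="http://yourblogurl/?p=12">A post</a>
</body></html>
EOF
}

# Demo on the constructed samples; point it at the files wget produced instead.
sample_dir=$(mktemp -d)
make_sample_pages "$sample_dir"
cloaked_links "$sample_dir/home-googlebot.html" "$sample_dir/home-regular.html"
```

The script only looks at href targets, so a spam block that is plain text without links would still need the manual read-through described above.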
For the second check, open your browser and go to Google search. Type this query string:
buy valium inurl:yourblogurl
where yourblogurl is a part of the site name that is unique to your blog. For example, to check my blog I would type:
buy valium inurl:ismprofessional
Change the text according to your website, and try other well-known drug names, like the "blue pills" named in every spam message.
The result of the query can be something like this:
Buy Valium from Sunrise Movies
All the information and advice you'll need to find the best
Buy Valium with the lowest Vicodin price, even if you're a first-time buyer.
www.yourblogurl/?item=137
The query-string part of the URL varies. This is an incomplete list:
?google-approved=number
?coupon_number=number
?item=number
?order_id=number
?certified=number
?pharma-certified=number
If you click on the link in the search results, apparently nothing special happens: you simply land on your blog.
But try this: open your browser's cookie manager, find all cookies for your site and delete them. Then return to the Google results page and click again on the link to your blog. This time something different happens: your browser is redirected to an online pharmacy.
How is this possible? I do not know exactly, but I can make some hypotheses: if someone was able to crack something in your WordPress installation, the index.php file may contain malicious code that checks, through a cookie, whether you visited the blog in the past. If you have the cookie, the code does not activate itself, so you see your blog. If you have not visited the blog before and you come from a search engine, the malicious code redirects your browser to the pharmacy site.
It is a sort of cloaking mechanism that protects the malicious code from being discovered by regular blog visitors or by the blog owner.
If you do not understand the terms I used, please ask someone more skilled to explain them in other words.
I wrote this message because I tried to warn blog owners of the problem, but my messages got no replies, and I suspect they were caught by spam filters. It is quite difficult to write about drug spam without using the same terms the spammers use.
If you are persuaded that my warning is true, please DO NOT delete the WordPress installation files on your server. Save them in a zip file and, if you can, send the zip file to me, so I can work out how the malicious code was injected into your blog. After that you can delete all the files and reinstall WordPress. Check the database as well, because some malicious code puts extraneous data into the WordPress tables.
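The cookie test can also be done from the command line, which makes the redirect visible instead of silently followed. This is an added example, not part of the original post: wget is told not to follow redirects and to save the response headers, once as a first-time visitor arriving from Google (no cookie) and once with a cookie copied from a browser that has already visited the blog. The landing URL, the Google referer and the cookie value are assumptions; the two header dumps built at the bottom are constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post). Request the landing page the way
# a first-time visitor arriving from Google would (Google Referer, no cookie),
# then again with a cookie copied from a browser that has already visited the
# blog, and compare the first response of each. --max-redirect=0 stops wget
# from following the redirect; -S writes the response headers to stderr.
# SITE_HOST, the URL, the referer and the cookie are assumptions; adjust them.
SITE_HOST="yourblogurl"
LANDING_URL="http://$SITE_HOST/?item=137"
GOOGLE_REFERER="http://www.google.com/search?q=buy+valium"
#
# Network step, run by hand:
#   wget -S --max-redirect=0 --referer="$GOOGLE_REFERER" \
#        -O /dev/null "$LANDING_URL" 2> first-visit.txt
#   wget -S --max-redirect=0 --referer="$GOOGLE_REFERER" \
#        --header="Cookie: name=value" \
#        -O /dev/null "$LANDING_URL" 2> return-visit.txt

# Print the target of a Location header that points away from SITE_HOST, given
# a saved header dump; print nothing if the response stays on the blog.
offsite_redirect() {
    grep -i '^[[:space:]]*Location:' "$1" \
        | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -Ev "^https?://$SITE_HOST(/|$)" \
        | head -n 1
}

# True (exit 0) when the first visit ($1) is sent off-site and the return
# visit ($2) is not: the cloaking pattern described above.
cloaks_first_visit() {
    [ -n "$(offsite_redirect "$1")" ] && [ -z "$(offsite_redirect "$2")" ]
}

# Constructed header dumps (not from a real server) in the layout wget -S uses.
make_sample_headers() {
    cat > "$1/first-visit.txt" <<'EOF'
  HTTP/1.1 302 Found
  Date: Mon, 01 Jan 2008 00:00:00 GMT
  Location: http://pharmacy.example/buy-valium
  Set-Cookie: visited=1; path=/
EOF
    cat > "$1/return-visit.txt" <<'EOF'
  HTTP/1.1 200 OK
  Date: Mon, 01 Jan 2008 00:00:00 GMT
  Content-Type: text/html; charset=UTF-8
EOF
}

# Demo on the constructed dumps; use the two files wget wrote instead.
sample_dir=$(mktemp -d)
make_sample_headers "$sample_dir"
if cloaks_first_visit "$sample_dir/first-visit.txt" "$sample_dir/return-visit.txt"; then
    echo "first visit redirected to: $(offsite_redirect "$sample_dir/first-visit.txt")"
fi
```

If the first request already comes back 200 with no Location header, the redirect may be keyed on something other than the cookie (for example the referer or the query string), so vary those before concluding the blog is clean.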
From what I see, upgrading to WordPress 2.5 DOES NOT solve the problem. Some of the hacked blogs already run version 2.5, but the problem persists.
Why do I do all this work? Because I think that someone is exploiting a bug or a flaw in WordPress, or in the web server configuration, to do dirty business. These people know perfectly well how Google PageRank works, and are able to use it very well.
I earn nothing from this. I do it only for ethical reasons.
So, if you think I am in error, please excuse me, and you can forget any message I sent you.
Otherwise, you can contact me using this page.
As soon as I get more information, I will update this post, so stay tuned.
First information available
Thanks to Jay, we have the first data about the malicious code. These are the symptoms:
- An extraneous file uploaded to the /tmp/ directory on the server and registered as a WordPress add-on. Warning: it did not show up in the add-on list, so it was only visible by looking at the actual database with phpMyAdmin.
- A new admin account in WordPress as well, named "WordPress". Warning: invisible in the WordPress administration interface.
- Other PHP scripts scattered around various directories on the server. Jay did not send me a sample, but he looked into the code, and these scripts allow a remote shell and command execution.
Note: WordPress was updated to the latest release, but the redirect code was still in place and active. Only after editing the database directly did the redirect stop working.
A different cracking scheme
During the analysis of a different blog, I found another kind of penetration scheme:
- The cracker targets old WordPress releases known to be highly vulnerable, e.g. 2.0.3, 2.0.5 and so on.
- It injects one or two files into unused directories, such as wp-content/themes/classic, or into the uploads directory.
- These files are a remote shell written in PHP and the "spam injector/redirector".
- It uses something called "doorgen", but the name may be different.
So, check your WordPress installation for modified or extraneous files.
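One way to do that check, added here as an example and not taken from the post: unpack a pristine copy of the same WordPress release next to the live tree and list what was added or changed, then look separately for PHP files in the uploads directory, where WordPress stores media and never code. PRISTINE and LIVE are placeholder paths; the two small trees built at the bottom are constructed so the functions can run offline. The database queries in the comments cover the hidden add-on and the hidden "WordPress" user reported above; the wp_ table prefix is the WordPress default and an assumption here.

```shell
#!/bin/sh
# Added example (not from the original post). Compare the live WordPress tree
# with a pristine unpacked copy of the same release: anything present only in
# the live tree, or with different contents, deserves a look. The paths are
# placeholders; the trees built by make_sample_trees are constructed.
#   PRISTINE=/tmp/wordpress-2.5-clean   LIVE=/var/www/blog

# Relative paths of files that exist in the live tree ($2) but not in the
# pristine release ($1). Uploads and extra themes show up here too, so read
# the list rather than deleting blindly.
extraneous_files() {
    work=$(mktemp -d)
    ( cd "$1" && find . -type f | sort ) > "$work/pristine"
    ( cd "$2" && find . -type f | sort ) > "$work/live"
    comm -13 "$work/pristine" "$work/live"
    rm -rf "$work"
}

# Relative paths of release files whose contents differ in the live tree,
# such as an index.php with redirect code appended.
modified_files() {
    ( cd "$1" && find . -type f | sort ) | while read -r f; do
        if [ -f "$2/$f" ] && ! cmp -s "$1/$f" "$2/$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# PHP files under wp-content/uploads of the live tree: WordPress stores media
# there, never code, so any hit is suspect (the remote shell described above
# was dropped into exactly such directories).
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# Constructed sample trees: a two-file "release" and a live copy in which
# index.php was altered and PHP files were dropped into an unused theme
# directory and into uploads.
make_sample_trees() {
    mkdir -p "$1/pristine/wp-content/themes/classic" \
             "$1/live/wp-content/themes/classic" "$1/live/wp-content/uploads"
    echo '<?php // clean index' > "$1/pristine/index.php"
    echo '<?php // classic theme' > "$1/pristine/wp-content/themes/classic/index.php"
    echo '<?php // clean index' > "$1/live/index.php"
    echo '<?php // classic theme' > "$1/live/wp-content/themes/classic/index.php"
    echo '// appended redirect' >> "$1/live/index.php"
    echo '<?php // dropped shell' > "$1/live/wp-content/themes/classic/shell.php"
    echo 'photo' > "$1/live/wp-content/uploads/photo.jpg"
    echo '<?php // dropped shell' > "$1/live/wp-content/uploads/x.php"
}

# The hidden add-on and the hidden "WordPress" user are not shown by the admin
# pages, so query the tables directly (wp_ prefix assumed):
#   mysql -u USER -p DBNAME -e "SELECT ID, user_login, user_email FROM wp_users"
#   mysql -u USER -p DBNAME -e "SELECT option_value FROM wp_options WHERE option_name='active_plugins'"

# Demo on the constructed trees; pass "$PRISTINE" "$LIVE" instead.
sample_root=$(mktemp -d)
make_sample_trees "$sample_root"
echo "extraneous:";     extraneous_files "$sample_root/pristine" "$sample_root/live"
echo "modified:";       modified_files   "$sample_root/pristine" "$sample_root/live"
echo "php in uploads:"; php_in_uploads   "$sample_root/live"
```

Compare against a release archive downloaded fresh, not against a backup taken from the same server, since a backup made after the break-in would carry the injected files too.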
Update
I have set up an automated test to check for this problem. The page is called WordPress Autotest. Read the instructions carefully.

