Site Hacked, Probably Through Spam Comments, Fixed Now.

In case you happened to find this blog looking for something to help you pee easier, let me clarify things a little bit. We don’t actually sell prescription drugs here. Sorry. I do have a cautionary tale for you.

See, for the past few months I’ve noticed that a Google search for “gamebynight” turned up a description containing common comment spam. Not the whole description, just a couple of words mentioning cheap prescriptions. It was weird, but not knowing any better, I assumed Google’s search bots had picked up on a spam comment. Looking at the site itself, nothing was amiss. Google’s problem, right? Wrong.

What actually happened is my site was hacked. Don’t worry, no one signs up for jack squat here, so you’re not at risk. Still, it made for a long night.

I got what’s called the Pharma Hack. Apparently, this bit of nastiness exploits a vulnerability in WordPress to inject snippets of pharmacy spam into Google’s search results while changing nothing a normal visitor can see: the infected site serves the spam only when the request looks like it comes from a search-engine crawler (cloaking), which is why browsing the site turns up nothing. To remove it, you have to locate and delete the files it plants in plugins and themes. If you’re like me and have tried a lot of both over the years, you can probably relate to the amount of build-up I had. Using the guide linked above (published in 2011), I searched and found none of the files it said I should find, yet this web scanner reported two infections: my about page and the entire MMORPG category.
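
The reason the site looked fine in a browser while Google’s snippet showed pills is the cloaking just described, and the quickest way to catch it yourself is to request a page as a crawler and diff it against what a browser gets. The script below is an added example, not code from this post or from the scanner it links to. It assumes the infection decides whom to show spam based on the User-Agent or Referer header (some copies key on one, some on the other, so both are sent); `SPAM_TERMS` and the two sample pages are constructed for illustration.

```python
"""Cloaking check for a Pharma-hack style infection.

Added example; this is not code from the post or from the scanner it links
to. It requests the same page twice, once as an ordinary browser and once
as Googlebot (with a Google referer), and reports anything the crawler sees
that the browser does not. It assumes the infection keys its cloaking on
the User-Agent or Referer header; SPAM_TERMS and the sample pages below are
constructed for illustration.
"""
import re
import sys
import urllib.request

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Assumed indicator terms; add whatever shows up in your own search snippet.
SPAM_TERMS = ("viagra", "cialis", "levitra", "cheap prescription",
              "online pharmacy", "buy tramadol")

_TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)
_META_RE = re.compile(r"<meta\b[^>]*>", re.I | re.S)
_ATTR_RE = re.compile(r"""([A-Za-z-]+)\s*=\s*(["'])(.*?)\2""", re.S)


def fetch(url, user_agent, referer=None):
    """GET one page body with a chosen User-Agent and optional Referer."""
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", errors="replace")


def extract_head(html):
    """Title and meta description: the fields that end up in a search snippet."""
    title = _TITLE_RE.search(html)
    description = ""
    for tag in _META_RE.findall(html):
        attrs = {k.lower(): v for k, _quote, v in _ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() == "description":
            description = attrs.get("content", "").strip()
            break
    return {"title": title.group(1).strip() if title else "",
            "description": description}


def spam_terms_in(html):
    lowered = html.lower()
    return sorted(t for t in SPAM_TERMS if t in lowered)


def compare_views(browser_html, crawler_html):
    """Diff the browser view against the crawler view of the same URL."""
    b_head, c_head = extract_head(browser_html), extract_head(crawler_html)
    b_terms = set(spam_terms_in(browser_html))
    c_terms = set(spam_terms_in(crawler_html))
    return {
        "browser_terms": sorted(b_terms),                 # spam everyone sees
        "crawler_only_terms": sorted(c_terms - b_terms),  # the cloaked part
        "title_differs": b_head["title"] != c_head["title"],
        "description_differs": b_head["description"] != c_head["description"],
    }


def is_cloaked(result):
    """True when the crawler got spam terms or head fields the browser did not."""
    return bool(result["crawler_only_terms"]) or result["title_differs"] \
        or result["description_differs"]


# Constructed sample pages standing in for the two fetches.
SAMPLE_BROWSER = ("<html><head><title>GameByNight</title>"
                  "<meta name='description' content='Games and such'></head>"
                  "<body>MMORPG posts</body></html>")
SAMPLE_CRAWLER = ("<html><head><title>Cheap Prescription Drugs</title>"
                  "<meta content='Buy Viagra online pharmacy' name='description'>"
                  "</head><body>MMORPG posts</body></html>")


def demo():
    return compare_views(SAMPLE_BROWSER, SAMPLE_CRAWLER)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        url = sys.argv[1]
        result = compare_views(fetch(url, BROWSER_UA),
                               fetch(url, CRAWLER_UA, referer="https://www.google.com/"))
    else:
        result = demo()
    print("CLOAKED" if is_cloaked(result) else "views match", result)
```

Run it against the pages Google was showing spam for (the about page and a category page, in this case), not just the front page; a crawler view that differs only in title or description is still a hit, since the snippet is built from exactly those fields.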

Beyond plugins and themes, the hack is also known to plant infected database entries, typically in the WordPress options table. The database is the nuts and bolts behind the site, in case you’re unfamiliar: kind of like your computer’s registry, and just as dangerous to touch. Thankfully, my infection hadn’t gotten that far.

Not finding any of the easily identifiable files, I began searching the commonly exploited files in my plugins, themes, and WordPress installation. After a half hour or so of scouring and finding nothing, I gave up and took the other option: I cleaned house and deleted everything. Every plugin and every theme (including the one you’re seeing now) was wiped out. Every image had its permissions changed. All of that build-up was taken out. I scanned again and came up clean.
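
The manual search described above (suspicious files under plugins and themes, plus the database entries mentioned earlier) can be scripted so it is not a half hour of eyeballing. The scanner below is an added example, not the post’s own code or the linked web scanner: it walks a `wp-content` tree for the obfuscation idioms this kind of infection relies on (`eval` over decoded or request-supplied data, `preg_replace` with the `/e` modifier, `create_function`, long base64 blobs), flags any PHP sitting under `uploads/`, and runs the same checks over rows dumped from `wp_options`. The indicator names, sample files and sample rows are constructed; a hit is a lead to inspect, and a clean result only means none of these heuristics fired.

```python
"""Indicator scan for a WordPress install (added example, not from the post).

Walks wp-content for obfuscated PHP, flags PHP that has no business under
uploads/, and applies the same checks to (option_name, option_value) rows
dumped from wp_options. INDICATORS are assumed heuristics, not a signature
for any specific malware family; SAMPLE_FILES and SAMPLE_OPTIONS are
constructed so the script runs stand-alone.
"""
import os
import re
import sys

PHP_EXTS = (".php", ".php5", ".phtml")

# Assumed heuristic patterns. Each one is a common obfuscation idiom.
INDICATORS = {
    "eval_of_decoded": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "eval_of_request": re.compile(r"eval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # preg_replace('/.../e', ...) executed the replacement as PHP in old PHP.
    "preg_replace_e": re.compile(r"""preg_replace\s*\(\s*['"]/[^'"]*?/[a-z]*e[a-z]*['"]""", re.I),
    "create_function": re.compile(r"\bcreate_function\s*\(", re.I),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


def indicators_in(text):
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_sources(files):
    """files: {relative_path: content}. Returns sorted (path, indicator) pairs."""
    hits = []
    for path, content in files.items():
        norm = path.replace("\\", "/").lower()
        if not norm.endswith(PHP_EXTS):
            continue
        if "uploads" in norm.split("/"):
            hits.append((path, "php_in_uploads"))
        hits.extend((path, name) for name in indicators_in(content))
    return sorted(hits)


def scan_options(rows):
    """rows: iterable of (option_name, option_value) from wp_options."""
    hits = []
    for name, value in rows:
        value = value if isinstance(value, str) else str(value)
        found = indicators_in(value)
        if "<?php" in value.lower():
            found.append("php_tag_in_option")
        hits.extend((name, ind) for ind in found)
    return sorted(hits)


def scan_tree(root):
    """Read every PHP file under root and scan it."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for fn in names:
            if fn.lower().endswith(PHP_EXTS):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    files[os.path.relpath(full, root)] = fh.read().decode("utf-8", "replace")
    return scan_sources(files)


# Constructed sample tree and option rows (not real files from the post's site).
SAMPLE_FILES = {
    "plugins/akismet/akismet.php": "<?php\nfunction akismet_init() { return true; }\n",
    "plugins/akismet/helper.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
    "themes/mine/header.php": "<?php wp_head(); ?>",
    "themes/mine/footer.php": "<?php preg_replace('/.*/e', $_POST['c'], ''); ?>",
    "uploads/2011/03/image.php": "<?php echo 'not an image'; ?>",
}
SAMPLE_OPTIONS = [
    ("siteurl", "http://gamebynight.example"),
    ("blogdescription", "Games and such"),
    ("cached_widget_data", "<?php eval(gzinflate(base64_decode('x'))); ?>"),
]


def demo():
    return scan_sources(SAMPLE_FILES), scan_options(SAMPLE_OPTIONS)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_tree(sys.argv[1])
    else:
        file_hits, option_hits = demo()
        hits = file_hits + option_hits
    for item, ind in hits:
        print(f"{ind:18} {item}")
```

Point it at your `wp-content` directory (`python scan.py /path/to/wp-content`); for the options table, dump `SELECT option_name, option_value FROM wp_options` from phpMyAdmin or the mysql client and feed the rows to `scan_options`. Whatever it flags, the safer fix is the one taken in this post: delete and reinstall plugins and themes from fresh copies rather than hand-editing files you cannot fully verify.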

The question is how it happened, and that’s the most troubling part of the whole thing. Nobody seems to know for sure. It’s an exploit, that’s the only thing we’re sure of right now, and, ironically, it most often roots itself in the Akismet spam filter folder (does anyone know of a good alternative?). But how does it get access to the server and database in the first place? My computer is clean, so it’s not a keylogger or password-based.

Some theories pin it on a (yet unknown) vulnerability in the comments. I think this is probably close to the truth. The spam injected into my site description was almost verbatim the kind of crap that passes Akismet’s spam filter. This is troubling. As if it weren’t bad enough that our sites are accosted by drug spam dozens of times each day, now we’re at risk of getting our search results poisoned. All to drop a link no one in their right mind would click.

If you own a WordPress blog, always make sure to update it. I wasn’t always the quickest updater, but I wasn’t terrible either: one, two weeks tops. This was a royal pain in the ass to clear up. The fact that the removal guides were totally non-applicable to my situation tells me that the hack is still being updated. With any luck, the WordPress team has patched it out already, but let my trouble be a learning experience. It’s probably a good idea to give your site a scan at the link above.
