Bloody hack!

So, for those (if any) who found several pages of visible Viagra links at the end of the last few posts, my apologies. A vulnerability in the version of WordPress I was running allowed a machine at keymachine.de [87.118.124.3] to directly inject spam links into posts using the attach/edit features. (This site is apparently a regular offender.) I knew there were some exploits out for that version, but all the ones I knew of concerned already-registered users escalating their privileges (mine does not have other users or accept registrations), and I was holding off on updating because one of the important plugins I use [which keeps the cexxy blog and LJ account synced] was known not to work with the newer versions.

The spam link injections had the form

<u style=display:none><a href="http://www.example.com/files/phe/Lowest-drugname-prices.html">
Lowest drugname prices</a>
[... pages more spam links ...]
</u>

The ‘display:none’ served to render them invisible*. I only noticed because I happened to try editing a recent post, and the spam links appeared in the edit box. Invisible links aren’t view/clickable by readers of course, but Google et al use them to determine search result rankings (everybody links to you, viagrawarehouse.com guy! You must be a respected authority! *bump*), so these sites have great incentive to spam their links everywhere, whether viewable to humans or not.
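As an added example (not code from the original post), here is a small Python scanner for exactly this pattern: links nested inside an element whose inline style is display:none. Run over a dump of post bodies, it surfaces the hidden blocks that the edit box happened to reveal here. The sample posts and the function names are my own construction; the spam block mirrors the form shown above.

```python
import re
from html.parser import HTMLParser


class HiddenLinkFinder(HTMLParser):
    """Collect every <a href> that sits inside an element hidden with display:none."""

    HIDDEN_STYLE = re.compile(r"display\s*:\s*none", re.I)

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hides_content) for every open element
        self.hidden_depth = 0    # > 0 while inside at least one hidden element
        self.hidden_hrefs = []   # links a reader never sees but a crawler does

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hides = bool(self.HIDDEN_STYLE.search(attrs.get("style") or ""))
        if hides:
            self.hidden_depth += 1
        self.stack.append((tag, hides))
        if tag == "a" and self.hidden_depth > 0 and attrs.get("href"):
            self.hidden_hrefs.append(attrs["href"])

    def handle_endtag(self, tag):
        if not any(open_tag == tag for open_tag, _ in self.stack):
            return  # stray close tag with no matching open; ignore it
        # Pop back to the matching open tag; tolerates sloppy, unclosed markup.
        while self.stack:
            open_tag, hides = self.stack.pop()
            if hides:
                self.hidden_depth -= 1
            if open_tag == tag:
                break


def find_hidden_links(post_html):
    """Return the hrefs of all links hidden via display:none in one post body."""
    parser = HiddenLinkFinder()
    parser.feed(post_html)
    parser.close()
    return parser.hidden_hrefs


def scan_posts(posts):
    """Map post id -> hidden hrefs, for posts that contain any (hypothetical helper)."""
    hits = {}
    for post_id, html in posts.items():
        hrefs = find_hidden_links(html)
        if hrefs:
            hits[post_id] = hrefs
    return hits


# Constructed sample: one clean post and one carrying an injected block
SAMPLE_POSTS = {
    452: '<p>Fixed the sync plugin today; see <a href="http://example.org/notes">the notes</a>.</p>',
    453: (
        '<p>Nothing to see here.</p>\n'
        '<u style=display:none><a href="http://www.example.com/files/phe/Lowest-drugname-prices.html">\n'
        'Lowest drugname prices</a>\n'
        '<a href="http://www.example.com/files/phe/Cheap-drugname.html">Cheap drugname</a>\n'
        '</u>'
    ),
}

if __name__ == "__main__":
    for post_id, hrefs in scan_posts(SAMPLE_POSTS).items():
        print(f"post {post_id}: {len(hrefs)} hidden link(s)")
        for href in hrefs:
            print("   ", href)
```

The parser tracks nesting depth rather than matching a single regex, so a link inside a hidden `<div>` several levels down is still caught, and the unquoted `style=display:none` attribute the spam used is handled by Python's HTMLParser as written.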

As for the logs, the alleged offender’s entries are here:

87.118.124.3 - - [11/Jun/2008:07:24:15 -0700] "GET /wp-admin/edit.php HTTP/1.0" 200 534 "http://tim.cexx.org/wp-admin/edit.php" "Opera"
[...]
87.118.124.3 - - [10/Jun/2008:03:02:03 -0700] "GET /wp-admin/edit.php HTTP/1.0" 200 19629 "http://tim.cexx.org/wp-admin/edit.php" "Opera"
87.118.124.3 - - [10/Jun/2008:03:02:05 -0700] "GET /wp-admin/post.php?action=edit&post=453 HTTP/1.0" 200 69211 "http://tim.cexx.org/wp-admin/edit.php" "Opera"
87.118.124.3 - - [10/Jun/2008:03:02:10 -0700] "POST /wp-admin/post.php HTTP/1.0" 302 0 "http://tim.cexx.org/upload.php?style=inline&tab=upload&post_id=-1" "Opera"
87.118.124.3 - - [10/Jun/2008:03:02:11 -0700] "GET /wp-admin/edit.php HTTP/1.0" 200 19629 "http://tim.cexx.org/wp-admin/edit.php" "Opera"
87.118.124.3 - - [10/Jun/2008:03:02:12 -0700] "GET /wp-admin/post.php?action=edit&post=453 HTTP/1.0" 200 60074 "http://tim.cexx.org/wp-admin/edit.php" "Opera"
87.118.124.3 - - [10/Jun/2008:03:02:14 -0700] "POST /wp-admin/post.php HTTP/1.0" 302 0 "http://tim.cexx.org/upload.php?style=inline&tab=upload&post_id=-1" "Opera"

[additional lines skipped]
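An added example, not from the original post: a Python script that parses access-log lines in the combined format shown above and flags the two things visible in that excerpt, admin-area requests from an address that is not on an allow-list of the administrator's own IPs, and POSTs to /wp-admin/post.php whose referer is the upload page with post_id=-1. The allow-list, the benign lines and the function names are constructed; the flagged lines are taken from the excerpt.

```python
import re
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" log format, as in the excerpt above
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_reasons(entry, trusted_ips):
    """List the reasons one request looks like unauthorised admin activity."""
    reasons = []
    if entry["path"].startswith("/wp-admin/") and entry["ip"] not in trusted_ips:
        reasons.append("admin-area request from an address outside the allow-list")
    ref = urlparse(entry["referer"])
    if (entry["method"] == "POST"
            and entry["path"].startswith("/wp-admin/post.php")
            and ref.path.endswith("upload.php")
            and parse_qs(ref.query).get("post_id") == ["-1"]):
        reasons.append("post.php POST with upload.php?post_id=-1 referer (the injection pattern)")
    return reasons


def scan_log(lines, trusted_ips):
    """Return one finding per suspicious request: ip, timestamp, request, reasons."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not combined format; a real script would report and move on
        reasons = suspicious_reasons(entry, trusted_ips)
        if reasons:
            findings.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "request": f'{entry["method"]} {entry["path"]}',
                "reasons": reasons,
            })
    return findings


# Allow-list of the administrator's own addresses (constructed placeholder)
TRUSTED_IPS = {"192.0.2.10"}

# Three lines from the excerpt above plus two constructed benign lines
SAMPLE_LOG = [
    '87.118.124.3 - - [10/Jun/2008:03:02:03 -0700] "GET /wp-admin/edit.php HTTP/1.0" 200 19629 "http://tim.cexx.org/wp-admin/edit.php" "Opera"',
    '87.118.124.3 - - [10/Jun/2008:03:02:05 -0700] "GET /wp-admin/post.php?action=edit&post=453 HTTP/1.0" 200 69211 "http://tim.cexx.org/wp-admin/edit.php" "Opera"',
    '87.118.124.3 - - [10/Jun/2008:03:02:10 -0700] "POST /wp-admin/post.php HTTP/1.0" 302 0 "http://tim.cexx.org/upload.php?style=inline&tab=upload&post_id=-1" "Opera"',
    '192.0.2.10 - - [10/Jun/2008:08:15:00 -0700] "POST /wp-admin/post.php HTTP/1.0" 302 0 "http://tim.cexx.org/wp-admin/post.php?action=edit&post=453" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2008:08:16:30 -0700] "GET /2008/06/some-post/ HTTP/1.1" 200 12345 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, TRUSTED_IPS):
        print(f'{f["ip"]} {f["ts"]} {f["request"]}')
        for r in f["reasons"]:
            print("    -", r)
```

The allow-list check is the one that would have fired first here: on a single-user blog, any /wp-admin/ hit from an unfamiliar address is worth a look regardless of which request it is. The referer check is narrower and matches the specific edit-via-upload pattern in these logs; treat it as corroboration, since a referer is client-supplied and an attacker can omit or forge it.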

Anyway, all the spam has been removed and the blog is patched up to the latest version. As a bonus, both my must-have plugins (SK2 and ljxp) now appear to work with the current versions.

* no pun int…technically, this is…whatever you would call an anti-pun, because the code serves to prevent them rendering at all.
