General

HaXXord

I started noticing some random links appearing all over my pages and posts but ONLY in my RSS feed.
I did a little digging and it turns out my akismet plugin directory had been compromised.

Those sneaky bastards!

I like how they just added an ‘s’ at the end of some of the common files and hoped I wouldn’t notice.
The bad part is that the code, when executed, appends the spam links to the post_content field of the posts table.

SELECT*
FROM`*******_posts`
WHERE`post_content`LIKE’%<!– rk_%’

This junk returned like 500+ rows for me.

AWESOME.

For a minute there I was sad that my photography site was in shambles (spambles?). Then I remembered that I’m a software engineer. OH YEAH.
I also remembered the wordpress community is so awesome, that if I did my research right I wouldn’t even need to use those finely honed skillz. /bloated head

One good thing is that the spam content follows a pattern so I knew my chances for success would be pretty good if I could use regular expressions.Did I mention HOW NERVOUS using regular expressions to update a database make me? (make backup, make another backup, and backup that backup).

I searched the plugin repository and came across the Search Regex plugin. It was a simple find and replace that allowed you to choose the right table and column and then search and replace. And it was conveniently integrated into wordpress so I could just do it from my phone if I didn’t have access to my development environment at home.

The format of the spam is as follows:

<!-- rk_czxV1dv1UTfErdQy65 --><div style="position:absolute;top:-234423px;left:-234423px;">
<li><a href="http://www.hillarymullin.com/An-Affair-to-Remember">An Affair to Remember movie dvd</a> </li>
<li><a href="http://www.johnmarian.com/blog/Tennessee">Tennessee movie review</a> </li>
</div><!-- /rk_czxV1dv1UTfErdQy65 -->

UUUUGLLYYY.

Well.., actually I’d never been spammed with tasteful spam before. Cary Grant movies? Nice.

Thankfully I never put comments in my posts so this simple regular expression to single out any html style comment and everything inbetween caught it entirely.

I allowed the algorithm to be greedy (hence no ? after the * ) because the spammers conveniently programmed the attack so the spam sits right at the bottom of the post content so I didn’t need to worry about eating any tags and content I wanted to keep.

Replace the matches with NOTHING, run, and BAM. You are spam free. :) Simple & effective.
Now go change your ftp passwords, your admin passwords, your database table prefixes and move your wp-config file out of your wordpress home directory and change your secret keys.

More tips for wordpress security can be found here.

I’ll be 100% honest. I have no idea where the exploit originated so I am only taking precautions against a still ambiguous enemy but I’m hoping this is the last of my spam attacks for a good long while.

 

Previous Post Next Post

You Might Also Like

1 Comment

  • Reply Pete Joyner November 1, 2011 at 8:17 pm

    No wonder you and David relate so well. I can’t even spell algorithem!

  • Leave a Reply