I started noticing some random links appearing all over my pages and posts but ONLY in my RSS feed.
I did a little digging and it turns out my akismet plugin directory had been compromised.
Those sneaky bastards!
I like how they just added an ‘s’ at the end of some of the common files and hoped I wouldn’t notice.
The bad part is that the code, when executed, appends the spam links to the post_content field of the posts table.
WHERE `post_content` LIKE ’%<!– rk_%’
This junk returned like 500+ rows for me.
For a minute there I was sad that my photography site was in shambles (spambles?). Then I remembered that I’m a software engineer. OH YEAH.
I also remembered the wordpress community is so awesome, that if I did my research right I wouldn’t even need to use those finely honed skillz. /bloated head
One good thing is that the spam content follows a pattern so I knew my chances for success would be pretty good if I could use regular expressions. Did I mention HOW NERVOUS using regular expressions to update a database make me? (make backup, make another backup, and backup that backup).
I searched the plugin repository and came across the Search Regex plugin. It was a simple find and replace that allowed you to choose the right table and column and then search and replace. And it was conveniently integrated into wordpress so I could just do it from my phone if I didn’t have access to my development environment at home.
The format of the spam is as follows:
<!-- rk_czxV1dv1UTfErdQy65 --><div style="position:absolute;top:-234423px;left:-234423px;">
<li><a href="http://www.hillarymullin.com/An-Affair-to-Remember">An Affair to Remember movie dvd</a> </li>
<li><a href="http://www.johnmarian.com/blog/Tennessee">Tennessee movie review</a> </li>
</div><!-- /rk_czxV1dv1UTfErdQy65 -->
Well.., actually I’d never been spammed with tasteful spam before. Cary Grant movies? Nice.
Thankfully I never put comments in my posts so this simple regular expression to single out any html style comment and everything inbetween caught it entirely.
I allowed the algorithm to be greedy (hence no ? after the * ) because the spammers conveniently programmed the attack so the spam sits right at the bottom of the post content so I didn’t need to worry about eating any tags and content I wanted to keep.
Replace the matches with NOTHING, run, and BAM. You are spam free. :) Simple & effective.
Now go change your ftp passwords, your admin passwords, your database table prefixes and move your wp-config file out of your wordpress home directory and change your secret keys.
More tips for wordpress security can be found here.
I’ll be 100% honest. I have no idea where the exploit originated so I am only taking precautions against a still ambiguous enemy but I’m hoping this is the last of my spam attacks for a good long while.