For the second time, a hacker (in the swine sense of the word) broke in and defaced Oddhead Blog. Once again, I’m left impressed by the ingenuity of web malefactors and entirely mystified as to their motivation.
Last week several readers notified me that my RSS feed on Google Reader was filled with spam (“Order Emsam No RxOrder Emsam Overnight DeliveryOrder… BuyBuy…”).
The strange part was, the feed looked fine when accessed directly on my website or via Bloglines. Only when Google requested the feed did it become corrupted, thus mucking up my content inside Google Reader but not on my website.
(Hat tip to Anthony, who diagnosed the ailment: calling curl http://blog.oddhead.com/feed/ yielded clean output, while the same request masquerading as coming from Google, curl -A 'Feedfetcher-Google; (+http://www.google.com/feedfetcher.html; 10 subscribers; feed-id=12312313123123)' http://blog.oddhead.com/feed/, yielded the spammed-up version. In other words, the injected text was keyed on the User-Agent header: the same URL served different content depending on who claimed to be asking.)
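The check Anthony ran, as an added example that is not part of the original post: a small shell script that fetches a feed once as a plain client and once with the Feedfetcher-Google string quoted above (the feed-id in it is a placeholder), strips the date fields that legitimately change between fetches, and prints whatever the crawler copy contains that the plain copy does not. Googlebot's well-known string is added as a second crawler identity; the file names and report wording are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): detect user-agent cloaking of a
# feed by fetching it as a plain client and again as each crawler identity,
# then comparing the copies after dropping volatile date fields.

# Feedfetcher string as quoted in the post (feed-id is a placeholder); the
# Googlebot string is Google's published one.
GOOGLE_UA='Feedfetcher-Google; (+http://www.google.com/feedfetcher.html; 10 subscribers; feed-id=12312313123123)'
GOOGLEBOT_UA='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
PLAIN_UA='cloaking-check/1.0'

# Normalize a feed body so the comparison shows injected content, not noise:
# drop lastBuildDate/pubDate lines (they change between fetches) and trailing
# whitespace.
normalize_feed() {
    sed -e '/<lastBuildDate>/d' -e '/<pubDate>/d' -e 's/[[:space:]]*$//' "$1"
}

# Print lines present only in the crawler copy, i.e. what cloaking added.
# $1 = file fetched as a plain client, $2 = file fetched as a crawler.
# Order-insensitive: both sides are sorted and de-duplicated before comm.
injected_lines() {
    normalize_feed "$1" | sort -u > "$1.norm"
    normalize_feed "$2" | sort -u > "$2.norm"
    comm -13 "$1.norm" "$2.norm"
    rm -f "$1.norm" "$2.norm"
}

# Fetch $1 as a plain client and as each crawler; report any difference.
# Returns 1 if any crawler identity got different content.
check_cloaking() {
    url=$1
    tmp=$(mktemp -d)
    status=0
    curl -sS -A "$PLAIN_UA" -o "$tmp/plain.xml" "$url"
    for ua in "$GOOGLE_UA" "$GOOGLEBOT_UA"; do
        curl -sS -A "$ua" -o "$tmp/crawler.xml" "$url"
        added=$(injected_lines "$tmp/plain.xml" "$tmp/crawler.xml")
        if [ -n "$added" ]; then
            printf 'CLOAKED: %s serves extra content to "%s":\n%s\n\n' "$url" "$ua" "$added"
            status=1
        fi
    done
    rm -rf "$tmp"
    [ "$status" -eq 0 ] && printf 'OK: %s is identical for every user agent tried\n' "$url"
    return "$status"
}

# Usage: FEED_URL=http://blog.oddhead.com/feed/ sh cloaking-check.sh
if [ -n "${FEED_URL:-}" ]; then
    check_cloaking "$FEED_URL"
fi
```

Run it against your own feed from a machine outside your hosting provider's network; a cloaking hook can just as easily key on the requester's IP range as on the User-Agent string, and a check run from the web server itself would miss that.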
In the meantime, Google Search had apparently deduced that my site was compromised and categorized my blog as spam. Look at the difference between these two searches. Nearly every page containing the query terms, no matter how tangential, takes precedence over blog.oddhead.com in the results. [2009/06/23 Update: This is no longer the case: Apparently Google Search has reconsidered my blog.]
So began a lengthy investigation to find and eradicate the invader. The offending text did not appear anywhere in my WordPress code or database. Argg. I found that my plugins directory was world-writable: uh oh. Then I found a file named remv.php in my themes directory containing a decidedly un-automattic jumble of code. Apparently this is an especially nasty bugger:
I’ve never seen a hack crop up with the tenacity of “remv.php” tho. Seriously, it’s kind of scary.
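The two findings above, a world-writable plugins directory and a PHP file dropped directly into the themes directory, are exactly what a post-compromise sweep of a WordPress tree should surface. The shell functions below are an added example, not the post's or WordPress's own tooling: they list world-writable paths, PHP files sitting where WordPress keeps none (directly in wp-content/, wp-content/themes/ or wp-content/plugins/ apart from the stock index.php placeholders, and anywhere under wp-content/uploads/), and PHP files that call the functions droppers usually hide behind. The directory layout is standard WordPress; the obfuscation pattern list is a heuristic and will flag some legitimate plugins.

```shell
#!/bin/sh
# Added example (not from the original post): sweep a WordPress install for
# the kinds of findings described in the text. $1 is the WordPress root.

# 1. Anything writable by "other" (mode o+w). A world-writable
#    wp-content/plugins lets any local user, or any other compromised site on
#    the same host, drop files into the install.
world_writable() {
    find "$1" ! -type l -perm -0002 -print | sort
}

# 2. PHP files where WordPress places none: directly inside wp-content/,
#    themes/ or plugins/ (real code lives one level down, in a theme or plugin
#    folder; the stock index.php placeholder is excluded), and anywhere under
#    uploads/, which should hold media only.
stray_php() {
    root=$1
    {
        find "$root/wp-content" "$root/wp-content/themes" "$root/wp-content/plugins" \
            -maxdepth 1 -type f \( -name '*.php' -o -name '*.phtml' \) ! -name index.php \
            2>/dev/null
        find "$root/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) \
            2>/dev/null
    } | sort -u
}

# 3. PHP files using the calls droppers typically hide behind. Heuristic only:
#    some legitimate plugins use base64_decode too, so read the hits rather
#    than deleting on sight.
obfuscated_php() {
    find "$1/wp-content" -type f -name '*.php' -exec \
        grep -lE 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(' {} + \
        2>/dev/null | sort
}

# Print a full report. Usage: sh wp-audit.sh /var/www/blog
audit_wp() {
    root=$1
    printf '== world-writable paths under %s ==\n' "$root"
    world_writable "$root"
    printf '== PHP files outside any theme/plugin folder or under uploads ==\n'
    stray_php "$root"
    printf '== PHP files calling eval/base64_decode/gzinflate/str_rot13 ==\n'
    obfuscated_php "$root"
}

if [ "$#" -ge 1 ]; then
    audit_wp "$1"
fi
```

A clean report is necessary but not sufficient: a dropper that has already run can leave its payload in the database or in a legitimately named file, which is why a wipe and reinstall from a known-good copy of WordPress, as described below, is the conservative choice.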
I’m still not sure how, or even if, an attacker used remv.php to corrupt my feed in such a subtle way. I decided on surgery by chainsaw rather than scalpel. I exported all my content into a WordPress XML file, deleted my entire installation of WordPress, reinstalled WordPress, then imported my content back in. I restored my theme and re-entered some metadata, but I still have many ongoing repairs to do, like importing my blogroll and other links.
The attack was clever: a virus that sickens but does not kill the patient. The disease left my web site functioning perfectly well, making it less likely for me to notice and harder to track down. The bizarre symptom — corrupting the rss feed but only inside Google Reader — led Chris to wonder if the attacker knew I was a Yahoo! loyalist. That seems unlikely. I don’t think I have enemies who care that much. Also, the spammy feed appeared in Technorati as well. Almost surely I was the victim of an indiscriminate robot attack. Still, after searching around, I couldn’t find another example of exactly this form of RSS feed “selective corruption”: has anyone seen or heard of this attack or can find it? And can anyone explain why?
What did I learn? I learned to listen to Chris and not make him mad. 🙂
I also found a bunch of useful WordPress security tips, resources, and plugins that might be useful to others including my future self:
- WordPress, remv.php and you
- 3 must apply security tips for WordPress
- Hardening WordPress
- 5 plugins to keep WordPress secure
- Anatomy of a WordPress hack (“The kicker? All these sites were on Dreamhost.”)
- Did your WordPress site get hacked?
- DreamHost: Troubleshooting hacked sites
- Dealing with a hacker on DreamHost
- Docs on WordPress feeds
- AskApache plugin to display all the internal WordPress URL rewrite rules (example use) (I couldn’t discern how to interpret the output)
- WordPress exploit scanner plugin (I didn’t use it after this question spooked me)
- Secure WordPress plugin
- AskApache password protect plugin
14 thoughts on “Recovering from swine’s infection (my blog, that is)”
I think the pages on oddhead load faster since your chainsaw surgery. Thanks for the security resources!
Daniel: interesting, that’s unexpected good news. Sure, hope they help others.
Update: It seems Google Search has already reconsidered my blog: it now comes at the top of both of the example queries I gave. It also comes up first for queries “oddhead blog” and even “oddhead”. So oddhead and Google seem to be friends again.
Motives? I don’t think hackers really care too much who you are or care about your Yahoo versus Google preferences. Most of these hackers seem to just want to push their Viagra sales or whatever onto an unreceptive audience. There is no real cost to them if they annoy you and make it difficult for you to remove their files. I saw an ad for some sort of oriental shoe representative on a Search and Rescue blog!
So it sounds like someone else who has an account on your server hacked it. Would there be any other way of someone else uploading files onto your server?
FoolsGold: But how did mucking up my Google Reader feed help sell more viagra? It was just an unintelligible string of spammy keywords and there weren’t even any links. The only plausible theory I’ve heard (from Jake) is that they may have been trying to confuse Google’s spam filters.
Robert: Actually I was running an older version of WordPress for some time, so the hacker might have “come in” via an insecure instance of WordPress, not necessarily by breaking in to my hosting service.
Hello… I’ve just had something similar happen, and I’ve looked for odd bits of php… But I can’t find anything.
It seems to only be Google Reader and Google search results… the site itself is fine…
Don’t know what to do! Help, if you have chance, would be very much appreciated.
Some sample search results:
Gareth: Sorry to hear. I don’t have precise advice as I never completely diagnosed the problem, but rather I just did a complete backup and restore. It turned out to be less painful than I thought, so you might consider that option if you can’t isolate the problem more directly. Good luck.
The same happened to one of my friends also. His blog was added to the spam list of Google search. His account was even banned. The reason behind it was he included AdSense and he himself clicked on the advertisements on his blog. Alas! He started off with a different account and he learned that he shouldn’t do it 🙂 Angeline @ change management
Congratulations, your thinking is magnificent.
Wow, sorry to say but corrupting your rss feed only inside Google Reader is actually smart. Like you said, “a virus that sickens but does not kill the patient.” These damn spammers are trying to think of anything they can to sustain their practices.
In my experience, more than likely the file was able to be uploaded through a bad plugin or a WordPress hole. My suggestion would be to make sure your WordPress and plugins are always up to date.
I was able to find more info on remv.php at: http://www.earnersblog.com/wordpress-remv-hack/
I find squidoo, facebook, tumblr blogs very safe.
I always follow these blogs for game related topics and they are really very informative.
I am a retired military man and also have 2-3 social sites running on a server, and to keep safe from hackers I use a dedicated server and have done all things to keep my sites safe and secured. I read this post and learnt a lot. Thanks!!