Well, I finally feel clean. Okay, I’m referring to all of the various sites I’m responsible for. With one site in particular, it was brought to my attention that it was advertising things like Viagra and other online available prescriptions. When I started to pull up pages, I couldn’t find anything. Viewing the page sources revealed no abnormalities. Likewise, when I scanned the php files, I couldn’t find anything either. Needless to say, I was perplexed. Yet, there it all was. SPAM being broadcast in the search results and in the RSS news feeds.
After grepping through hundreds of files, and finally needing a break, I thought I’d look at another site that had bothered me. A couple of years back, my ex-wife’s site was infected with malware. It was so bad that the site got blacklisted. The way it ultimately showed up was that going to the site brought an immediate warning from Firefox. Well, I managed to clean the site and get it off the blacklist. However, it was still listed as being infected. As a result, my ex got discouraged and decided to stop blogging. And I felt pretty bad.
Well, this recent incident prompted me to look at her site again. I started thinking about different ways a hacker might be able to inject URLs without them being visible in page sources. And then it hit me to check for iframe insertions. Sure enough, I got a hit when I scanned the root directory. The grep search found a hit in an old .sql backup file I had generated more than a year ago. So, I logged into the database server and began searching through the actual database entries. And there they were: iframe fetches buried throughout various comment threads. They didn’t show in the browser, but they were creating link chains to various SPAM sites when the Google-bots would come on by. It only took a few minutes to isolate all the links and remove them. A re-scan of the site revealed it was clean. Two years after the SPAM surfaced, it was finally gone.
Okay, fast forward to the new SPAM that had recently materialized. This one also didn’t reveal anything in any of the source code or SQL. In fact, I couldn’t find anything anywhere. The scan report from Sucuri called this malware SPAM:SEO. And despite some of the fixes available, I found myself in a unique spot and with no help in sight.
Again, I tried to think of different ways to embed URLs so that they couldn’t be seen. One site that had been hacked was done so with URLs listed in ASCII hex format. I didn’t even realize one could do such a thing. But it made sense. But alas, that wasn’t what I was hacked with. So I kept thinking and then something new hit me… what about base64 encoding? That would keep the URLs from showing up to the visible eye or via greps. So I constructed a little test program to search the entire site. Sure enough, I found a bunch of base64 functions in a very strange place: within php files inside the images folder.
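The three hiding places described above (iframes buried in comment rows of an old .sql dump, URLs written as ASCII hex escapes, and base64-wrapped payloads inside stray .php files under the images/uploads folder) can all be caught by one scanner that decodes what it finds instead of grepping for the plain URL. The following Python script is an added example, not the author's test program; the file names, directory layout and spam.example URLs are constructed sample data written to a temporary directory so the script runs offline.

```python
"""Scan a site tree for SEO-spam hiding places: PHP files dropped under a media
folder, base64_decode() payloads, hex-escaped strings, and hidden iframes in any
text file (including old .sql backups). Added example with constructed data."""
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Directories of a WordPress tree where a .php file has no business being.
MEDIA_DIRS = {"images", "uploads"}
B64_CALL_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]")
HEX_RUN_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){6,}")  # "\x68\x74..." runs
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Constructed sample site (not files from the original post): one dropped PHP
# file under uploads, one hex-escaped URL, one old .sql backup whose comment
# row carries a zero-size iframe, and clean files that must not be flagged.
_B64_PAYLOAD = base64.b64encode(
    b'echo "<a href=http://spam.example/pills>cheap</a>";').decode()
_HEX_URL = "".join("\\x%02x" % b for b in b"http://spam.example/hex")
SAMPLE_FILES = {
    "wp-content/uploads/2011/photo.jpg": "JFIF placeholder, not a real image",
    "wp-content/uploads/2011/img.php": f'<?php eval(base64_decode("{_B64_PAYLOAD}")); ?>',
    "wp-content/themes/site/footer.php": f'<?php $u = "{_HEX_URL}"; echo $u; ?>',
    "wp-content/themes/site/functions.php": "<?php function site_setup() { return true; } ?>",
    "backup/site-2010.sql": (
        "INSERT INTO wp_comments VALUES (42, 'nice post "
        "<iframe src=\"http://spam.example/chain\" width=\"0\" height=\"0\"></iframe>');"
    ),
}


def scan_text(relpath, text):
    """Return (relpath, kind, detail) findings for one file's contents."""
    findings = []
    parent_dirs = {p.lower() for p in Path(relpath).parts[:-1]}
    if relpath.lower().endswith(".php") and parent_dirs & MEDIA_DIRS:
        findings.append((relpath, "php-in-media-dir", ""))
    for m in IFRAME_RE.finditer(text):
        findings.append((relpath, "iframe", m.group(1)))
    for m in B64_CALL_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # long string literal that is not actually base64
        findings.append((relpath, "base64-payload", decoded))
        findings.extend((relpath, "hidden-url", u) for u in URL_RE.findall(decoded))
    for m in HEX_RUN_RE.finditer(text):
        decoded = bytes.fromhex(m.group(0).replace("\\x", "")).decode("utf-8", "replace")
        findings.append((relpath, "hex-string", decoded))
        findings.extend((relpath, "hidden-url", u) for u in URL_RE.findall(decoded))
    return findings


def scan_tree(root):
    """Walk every file under root (dumps and backups included) and scan it."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_text(path.relative_to(root).as_posix(), text))
    return findings


def build_sample_site(root):
    """Write the constructed sample files under root."""
    for rel, body in SAMPLE_FILES.items():
        dest = Path(root) / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(body, encoding="utf-8")


def scan_sample_site():
    """Build the sample site in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_tree(tmp)


def finding_kinds(findings):
    """Distinct finding kinds, sorted, for a quick summary."""
    return sorted({kind for _, kind, _ in findings})


if __name__ == "__main__":
    for relpath, kind, detail in scan_sample_site():
        print(f"{kind:18} {relpath}  {detail}")
```

Decoding the base64 and hex literals is what makes the URLs visible to a grep-style search; on a real tree, point `scan_tree()` at the web root and at any directory holding database dumps, and treat a `php-in-media-dir` hit as a file to quarantine regardless of what else is found in it.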
I’m not sure how these files got deposited. My guess is that during some older releases of WordPress, the uploads API might have been exploited. But at this point it’s just speculation.
I think I’m at the point where these guys are impressing me enough that I might have to begin broadening my search criteria when it comes to hiring smart software engineers. There certainly are some very creative people out there with perhaps too much time on their hands.
If you run into a similar hack on your site, let me know. And if I can help you clean it, I’d be happy to do so.