The hell?
Posted by Lise on 14 Aug 2008 at 05:38 pm | Tagged as: meta
I wanted to explain what <meta> tags were to my boss, so I was looking at the source code for the index page. Stuck at the top of the <body> tag, before the first <div> were about a thousands lines of drug spam links.
Now, none of this showed up on website itself, thank goodness… but how the hell did they get there in the first place?
I immediately went into the Theme Editor and removed them, but again… how the hell did they get there in the first place?
Random Posts
Join In!
- Share your thoughts on this article in the comments.
- Introduce yourself: Make New Friends, But Keep the Old
- Subscribe to the Frugal in the Fruitlands RSS feed to have new articles delivered to you immediately. (What's RSS?)
- Sign up for the Frugal in the Fruitlands email newsletter and receive a free copy of "3 Tips to Shave Over $300 Off Your Monthly Bills (Without Feeling Deprived)."
- Share this article on PFBuzz, del.icio.us, Digg, or StumbleUpon.
Some possible explanations:
http://wordpress.org/support/topic/179837
http://lorelle.wordpress.com/2007/08/09/are-you-risking-your-blog-with-an-unofficial-or-vulnerable-wordpress-theme/
http://wordpress.org/support/topic/160113
Hmmm.
None of these really seem to match my problem.
The RSS feed and the integrity of the posts themselves haven’t been compromised. There just was a big ol’ block of links in the source, but it didn’t affect the operation of the site at all.
The problem hasn’t recurred since I removed those lines in the header.php file.
I don’t really even know where to start sorting through all this mess…
someone probably hacked your blog :(
putting in the links was their point, not to do anything else, so they could get links to their sites
I’d upgrade wordpress if you haven’t already to fix the security hole
Yep, someone was linkbombing to raise their google stats. As they didn’t show up on the page itself, it wasn’t to get click-through traffic.
WP 2.6.1 just came out, you should be able to do a one-click upgrade in your Dreamhost panel. After that, go into your WP-admin and make sure all your plugins are up to date as well.
But if I upgrade to 2.6.1, won’t my install still be compromised? It’ll be locking the door after the horse is already out of (or, I guess, in) the barn, no?
You’ve removed the links from the theme now. Upgrading may close the door so they don’t come in and do it again.
To have done this in the first place, they needed to be able to edit your theme files. The unlikely possibility is that they got into your dreamhost account and edited the files directly. Mark them as read-only to keep that from happening. More likely, they were able to take advantage of a hole in your older version of WP (and who knows when this first happened, or what version of WP you had at the time), and were either able to directly access the theme editor in the admin tools, or were able to create a false admin account and then edit the theme that way. I don’t suspect that as much because if the attack was sophisticated enough to create an actual admin account in WP, they’dve been able to spill links into other places as well.
Aaaaand they’re back *sigh*
Upgrading tonight.
If that doesn’t fix it, I’m screwed.