Where are these spammy posts generated from?
While doing a random Google search, I realized that my WordPress blog is populated with several spammy posts.
Ex: (intentionally delinked)
example.com/2016/02/06/free-download-wallpaper-ringtones-mobile/
http://example.com/2016/02/06/under-the-dome-seizoen2/
And many more such on the sidebar.
At first I thought my WordPress install was compromised; analyzing further, I was at a loss.
The posts are nowhere to be seen in my db (expected), nor on the filesystem as flat files or uploaded files (expected).
I can't find any eval() or base64_decode done wrong, at least not at first glimpse.
Even after changing the WordPress theme, these posts are served with the same theme as they were prior to the change.
I have:
Scanned using Exploit scanner
Checked for evals/base64_decode/php shortcodes etc as mentioned in WP Codex
Added a comment on the footer and this doesn't reflect on the spammy posts, while it does on the 'actual' posts
nginx access logs indicate the posts are being served from my server
So where are these posts being served from?
1 Comments
Turns out, the WordPress install was indeed compromised. I did a diff of my existing install vs a new WordPress install, and diff reported a new file:
# diff -qr wordpress_installed/ wordpress_new/
Only in wordpress_installed/wp-includes: class-wp-init.php
I also found wp-config.php had been edited to include this:
@include_once (ABSPATH . 'wp-includes/class-wp-init.php' );
Fishy file indeed, this was what the file contained:
pastebin.com/Mr7N09Pq (linked to external because it kills Stack Exchange's syntax highlighter)
Removing the file and editing wp-config.php to remove the include removed the spammy posts, for now.
I've also changed the db/user passwords and regenerated salts using this link.
Next step would be to wipe out the WordPress install, reinstall and restore from backup.
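The comparison described in the answer above, as an added example that is not part of the original post: it lists files found only in the installed tree, core files whose contents differ from a clean copy of the same release, and include lines in wp-config.php. The function names and the sample trees are constructed for illustration, and the check on wp-config.php assumes a stock file loads only wp-settings.php.

```bash
#!/usr/bin/env bash
# Added example: audit a live WordPress tree against a clean copy of the same release.

# Files that exist only in the installed tree, like the "Only in" lines of `diff -qr`.
# wp-content/ (themes, plugins, uploads) and wp-config.php legitimately differ, so skip them.
extra_core_files() {
    local installed="$1" clean="$2" f
    (cd "$installed" && find . -type f ! -path './wp-content/*' ! -path './wp-config.php' | sort) |
    while IFS= read -r f; do
        if [ ! -e "$clean/$f" ]; then printf '%s\n' "${f#./}"; fi
    done
}

# Core files present in both trees whose bytes differ from the clean copy.
modified_core_files() {
    local installed="$1" clean="$2" f
    (cd "$clean" && find . -type f ! -path './wp-content/*' | sort) |
    while IFS= read -r f; do
        if [ -f "$installed/$f" ] && ! cmp -s "$installed/$f" "$clean/$f"; then
            printf '%s\n' "${f#./}"
        fi
    done
}

# include/require statements at the start of a line in wp-config.php, other than
# the wp-settings.php loader. Assumption: a stock wp-config.php pulls in nothing else.
suspicious_config_includes() {
    grep -nE '^[[:space:]]*@?(include|require)(_once)?[[:space:](]' "$1/wp-config.php" |
        grep -v 'wp-settings\.php' || true
}

# Constructed sample trees (not real WordPress files): the answer's two findings
# plus one altered core file.
build_sample() {
    local root="$1"
    mkdir -p "$root/installed/wp-includes" "$root/clean/wp-includes" "$root/installed/wp-content/uploads"
    echo '<?php // version' | tee "$root/installed/wp-includes/version.php" > "$root/clean/wp-includes/version.php"
    echo '<?php // stock'    > "$root/clean/wp-load.php"
    echo '<?php // altered'  > "$root/installed/wp-load.php"
    echo '<?php // dropped'  > "$root/installed/wp-includes/class-wp-init.php"
    echo 'img'               > "$root/installed/wp-content/uploads/photo.jpg"
    printf '%s\n' '<?php' "@include_once (ABSPATH . 'wp-includes/class-wp-init.php' );" \
        "require_once ABSPATH . 'wp-settings.php';" > "$root/installed/wp-config.php"
}

demo=$(mktemp -d)
build_sample "$demo"
echo "Only in installed:";         extra_core_files "$demo/installed" "$demo/clean"
echo "Modified core files:";       modified_core_files "$demo/installed" "$demo/clean"
echo "Includes in wp-config.php:"; suspicious_config_includes "$demo/installed"
```

The clean tree has to be the same WordPress version as the installed one, otherwise every file changed between releases shows up as modified.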