
Where are these spammy posts generated from?

@Angela700

Posted in: #Nginx #Spam #Wordpress

While doing a random Google search, I realized that my WordPress blog is populated with several spammy posts.

Ex: (intentionally delinked)

example.com/2016/02/06/free-download-wallpaper-ringtones-mobile/
http://example.com/2016/02/06/under-the-dome-seizoen2/


And many more such on the sidebar.

At first I thought my WordPress install was compromised; analyzing further, I was at a loss.


- The posts are nowhere to be seen in my db (expected), nor on the filesystem as flat files or uploaded files (expected)
- I can't find any eval() or base64_decode done wrong, at least not at first glimpse
- Even after changing the WordPress theme, these posts are served with the same theme as they were prior to the change.


I have:


- Scanned using Exploit scanner
- Checked for evals/base64_decode/php shortcodes etc. as mentioned in the WP Codex
- Added a comment on the footer, and this doesn't reflect on the spammy posts, while it does on the 'actual' posts
- nginx access logs indicate the posts are being served from my server


So where are these posts being served from?


@Kaufman445

Turns out, the WordPress install was indeed compromised. I did a diff of my existing install vs a new WordPress install, and diff reported a new file:

# diff -qr wordpress_installed/ wordpress_new/
Only in wordpress_installed/wp-includes: class-wp-init.php


I also found wp-config.php had been edited to include this:

@include_once (ABSPATH . 'wp-includes/class-wp-init.php' );


Fishy file indeed; this is what the file contained:
pastebin.com/Mr7N09Pq (linked to external because it kills Stack Exchange's syntax highlighter)

Removing the file and editing wp-config.php to remove the include got rid of the spammy posts, for now.

I've also changed the db/user passwords and regenerated salts using this link.

Next step would be to wipe out the WordPress install, reinstall, and restore from backup.
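The two checks the answer did by hand, automated as an added example (not code from the original post or from WordPress): diff the live tree against a pristine copy and list only the files that exist solely in the live tree, then flag any include/require in wp-config.php other than the stock wp-settings.php bootstrap. The directory layout and file contents are constructed fixtures built in a temp dir; point the two functions at a real install and a freshly downloaded copy of the same version to use them.

```shell
#!/bin/sh
# Added example (not from the original post): automate the two checks the answer
# did by hand, diffing an install against a pristine copy and looking for
# includes injected into wp-config.php. All paths/contents below are constructed.

# Print paths (relative to the installed tree) that exist only there.
# Modified files are reported by diff as "Files ... differ" and are skipped here.
extra_files() {
    a=${1%/}; b=${2%/}
    LC_ALL=C diff -qr "$a" "$b" | awk -v root="$a" '
        index($0, "Only in " root) == 1 {
            split($0, parts, ": ")                 # "Only in <dir>: <name>"
            dir = substr(parts[1], 9)              # drop the "Only in " prefix
            if (dir != root && index(dir, root "/") != 1) next
            rel = substr(dir, length(root) + 2)    # path below root, or ""
            print (rel == "" ? parts[2] : rel "/" parts[2])
        }'
}

# Print include/require lines in a wp-config.php other than the stock
# wp-settings.php bootstrap. A leading '@' (error suppression) is a common tell.
suspicious_includes() {
    grep -nE '(include|require)(_once)?' "$1" | grep -vF 'wp-settings.php' || true
}

# Build a constructed pristine tree and an "installed" tree carrying the same
# two additions the answer found: an extra file and an injected include.
make_fixtures() {
    work=$(mktemp -d)
    for d in pristine installed; do
        mkdir -p "$work/$d/wp-includes"
        echo '<?php // stock file' > "$work/$d/wp-includes/load.php"
        printf '%s\n' '<?php' "define('DB_NAME', 'wp');" \
            "require_once ABSPATH . 'wp-settings.php';" > "$work/$d/wp-config.php"
    done
    echo '<?php /* constructed stand-in for the injected file */' \
        > "$work/installed/wp-includes/class-wp-init.php"
    echo "@include_once (ABSPATH . 'wp-includes/class-wp-init.php' );" \
        >> "$work/installed/wp-config.php"
    echo "$work"
}

WORK=$(make_fixtures)
trap 'rm -rf "$WORK"' EXIT
echo "Files only in the installed tree:"
extra_files "$WORK/installed" "$WORK/pristine"
echo "Non-stock includes in wp-config.php:"
suspicious_includes "$WORK/installed/wp-config.php"
```

A clean result is a short list you can account for (uploads, custom themes and plugins, wp-config.php itself); anything under wp-includes or wp-admin that the pristine copy lacks deserves the same scrutiny the answer gave class-wp-init.php.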
