How Spammers acquire Backlinks by Hacking your Wordpress Blog
Posted by | Posted in BlackHat, Link Building | Posted on 18-04-2009
I was checking up on a blog I help run this weekend, and noticed something particularly awkward about the size and modification date of the page. For starters, the last modified date revealed it had been updated quite recently (2 days prior, in fact). Looking at the source, I quickly realized that someone had managed to gain access to a theme file and had edited it to add in a whole bunch of links.
The tactic is not really new, but still quite interesting - and I hadn’t seen this myself, so I thought why not delve into it and take a look at their work. The process involves gaining either FTP or WordPress admin access to an account. If they gain access via FTP, they can edit just about any file pretty easily and can make a serious mess, since they can edit WordPress functions and insert all sorts of malicious code to show backlinks, or even worse, actual JavaScript code. With WordPress admin access they can cause less damage to your overall script, but can still wreak havoc with your blog - creating new posts, adding links to your blogroll, or even editing the theme files if they have the ability (this requires you to have chmodded the template directory to make it writable).
But the name of this blackhat game is to increase backlinks without raising suspicion. If you raise suspicion by redirecting the site to a splog (spam blog or site), a user is more likely to find out and revert any changes made. So these types of blackhat spammers try to be as covert as possible, and they do this in quite a simple way - by hiding the links. Once they have access, they attempt to edit the theme file to insert their links between two divs that are styled with CSS to be hidden by default. Inside the divs are a whole whack of links leading to splogs and spam sites. By hiding the evidence, they increase the effectiveness of this and prolong the lifetime of the backlinks, since you’re less likely to notice the defacement (after all, how many times do you really look at the source code of your website, let alone the source of your chosen WordPress theme?). The example in figure 1 shows how the spammer inserted numerous links to “yorkimmigrationlaw.com”.
Visiting some of the URLs in the links takes you to a doorway page filled with some keyword-stuffed (possibly scraped) content, and some backlinks to other pages on the domain. The main page is for an immigration lawyer’s office (Michael A. York) and besides a phone number, there appears to be no other way to contact them. The site itself looks pretty spammy, so it’s difficult to tell whether Michael A. York has hired spammers to build him backlinks to his site, or whether his site has been hacked and exploited to serve doorway pages. I’m leaning towards the former; there are no actual links on the doorway pages, and it looks like they’re all being used to funnel traffic to the main page.
Following the Path of a Spammer
But then the story takes a weird turn: the lawyer apparently has a blog, and taking a look at the source reveals even more spammy backlinks to another site, “newflightcrew.com”, with similar landing pages. Once again there are no other links except to other landing pages hosted on this domain. There are no links to the main domain, and no links to any products or things being sold. It’s quite bizarre for a blackhat spammer to do all this but then not go the extra mile and add in links to some affiliate commission program.
The first domain for the lawyer didn’t have any whois information, while the second went to an Andrew Love living in Dubai. Is Andrew Love the victim of a blackhat spammer, or the blackhat spammer himself? The trail runs a little cold there, until one looks to see the extent of the damage.
The Extent of Damage
Doing a quick Google search for the first spammed URL (“yorkimmigrationlaw.com”) reveals that numerous blogs have been exploited with links to this site. Almost all are completely unaware of the added code and are still operating with it - including a blog by a popular American politics commentator, a florist retailer site, and even a blog created to commemorate a dying cancer patient. More than 100 sites appear to be affected by this particular spammer, and they all seem to be affected through older versions of WordPress, indicating that this is either someone using an exploit in older scripts and software, or even more deviously, someone using an exploit to gain file manager/FTP access (as the blog that I managed did not have template editing ability).
How to Protect Yourself from such Attacks
Firstly, check your blog source right now: go to your site and view the generated HTML source to ensure that there are no surprise links found in there. If you find them, try rooting around your current template to check if they are inserted in there.
If you see unidentifiable links in your source that aren’t from your template and that you didn’t put there, check if they’ve been inserted into the template, and look at the last modified date of your script to see when the change could have been made (assuming you or another script you use didn’t modify that file recently). If the changes aren’t in that particular theme file, you may be the victim of a more invasive exploit that seeks to change other WordPress files like functions.php. In the event that other files outside your templates directory have been edited, you’ll need to make a backup of your WordPress database, reinstall WordPress from scratch and restore the database. Otherwise you’ll find yourself having to go through all the code to ensure everything is as it should be.
If you are not a victim of such attacks, take a moment to pat yourself on the back - but don’t get too cozy. Take the time now to update your WordPress installation to the latest version so that you have the security patches that have been issued. Also chmod your files to 666 wherever possible (themes directories and files) so that outsiders can’t edit them if they get access to your WordPress admin section.
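The modification-date and permission checks from this section as a script, added here as an example and not part of the original post; the theme path in it is an assumption. It reports any file writable by group or others, which includes mode 666 (read and write for everyone), whereas a mode such as 644 leaves write access with the owner only.

```python
import os
import stat
import time


def audit_theme_files(theme_dir, max_age_days=7, now=None):
    """List theme files that changed recently or that non-owners can write to.

    Returns (relative path, octal mode, age in days, reasons), newest first.
    """
    now = time.time() if now is None else now
    findings = []
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the theme
            age_days = (now - st.st_mtime) / 86400
            reasons = []
            if age_days <= max_age_days:
                reasons.append("recently modified")
            # Write bit set for group or others, e.g. 664, 666 or 777.
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("writable by group/others")
            if reasons:
                findings.append((os.path.relpath(path, theme_dir),
                                 oct(stat.S_IMODE(st.st_mode)),
                                 round(age_days, 1), reasons))
    return sorted(findings, key=lambda f: f[2])


if __name__ == "__main__":
    # Assumed path; point this at the active theme of your own install.
    for finding in audit_theme_files("wp-content/themes/default"):
        print(finding)
```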
If you only have one author on a blog, seal down the admin section with an .htaccess file or PHP security scripts that add extra password protection. WordPress even has numerous firewall plugins that are essential to protecting yourself against other forms of attack. Most of all - check your logs and any other scripts, and stay vigilant.





I have seen many like this, and the worst is that sometimes your blog will be marked as a dangerous site by Google because of the malicious code inserted. Is that using the same method?