So I get an email from Google complaining that several links from my son’s blog (which I will not name here) are linking to malware sites. The sample links they included were valid but completely foreign to the site, and the pages themselves were mangled versions of existing blog posts, with long lists of search engine spam and a few websites.
Needless to say, these were not of our making so I set out to investigate and clear them down as soon as possible.
The blog is concerned with my 12 year old son’s love of all things Lego which, since getting his own laptop and discovering Minecraft, has been languishing since his last post in July 2012.
The spam pages are not referenced from the valid blog pages in any way and have been in place since October. Only Google, chiding me about pages carrying my AdSense code being used to point to malware, alerted me to the breach. Otherwise I would never have noticed.
How did it get there?
I suspect that the intrusion route was a theme I installed in October. It’s just a guess though: WordPress is so ubiquitous that I’m sure there are plenty of vulnerabilities, especially if the constant stream of updates is anything to go by. Suffice it to say that they got in, with enough access to upload files.
What I found
I found a couple of anonymous-looking directories under the ‘/wordpress’ directory: “imgxkm” and “imguut”. The content was a load of files of the form 74XXXXX.html. Each file was a complete web page, which seems to be spam content mixed with genuine blog page content. There was also an index.php.txt file which does a lot of stuff that I was in no mood to examine.
The important file, the one that makes the whole thing work, is a .htaccess file. For those not in the know, this file is the Swiss Army knife of web developers: it can make black into white and cure cancer, and it can also take a mangled-looking URL and make it go to a perfectly normal-looking web page (and vice versa). Anyway, the job of this one was to take those odd-looking SEO-spam URLs and serve them up with a content-rich web page, all without the website owner knowing a thing about it.
I don’t have time to debug this issue completely; I’m just glad to have found it (thanks to Google’s ever vigilant search engine spam detection). If you get messages from Google about web pages you don’t recognise, check for .htaccess files like this one, and for directories you didn’t create. Clearing down the spam directories and the .htaccess removes the symptom; unless the way in is closed as well (updating WordPress and its themes, changing the passwords, and removing anything the attacker left behind, such as that index.php.txt), it is likely to come back.
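As an added example (not from the original post), here is the sort of sweep I would run over a WordPress document root to find the two things described above: .htaccess files carrying rewrite directives that WordPress itself did not write, and directories stuffed with generated NNNN.html pages. The sample tree it builds is constructed for the demo, and the rewrite rule in the rogue .htaccess is a hypothetical illustration of the mechanism, not the rule recovered from the compromised blog. It assumes paths without spaces and a POSIX shell with find, grep, sed, awk and mktemp.

```shell
#!/bin/sh
# Sweep a WordPress docroot for rogue .htaccess rewrites and spam page dumps.
# Added example; the tree and the rogue rewrite rule are constructed for it.

# Print every .htaccess under DOCROOT ($1) that contains a RewriteRule or
# RewriteCond directive, one path per line.
list_rewrite_htaccess() {
  find "$1" -type f -name .htaccess | sort | while IFS= read -r f; do
    if grep -q -i -E '^[[:space:]]*Rewrite(Rule|Cond)' "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Print rewrite directives in FILE ($1) that sit outside the
# "# BEGIN WordPress" / "# END WordPress" block WordPress writes itself.
# The stock rules live inside that block; anything printed here needs a look.
unexpected_rewrites() {
  awk '
    /^# BEGIN WordPress/ { inwp = 1; next }
    /^# END WordPress/   { inwp = 0; next }
    !inwp && /^[[:space:]]*[Rr]ewrite(Rule|Cond)/ { print FILENAME ": " $0 }
  ' "$1"
}

# Print "DIR COUNT" for every directory under DOCROOT ($1) holding at least
# MIN ($2) files whose names start with a digit and end in .html (the
# 74XXXXX.html pattern). Assumes no spaces in paths.
spam_page_dirs() {
  find "$1" -type f -name '[0-9]*.html' | sed 's:/[^/]*$::' | sort | uniq -c |
    awk -v min="$2" '$1 >= min { print $2 " " $1 }'
}

# Build a constructed sample tree: the stock WordPress .htaccess at the root,
# the two rogue directories, six fake spam pages and a rogue .htaccess.
# Prints the path of the tree.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wordpress/imgxkm" "$d/wordpress/imguut" "$d/wordpress/wp-content/uploads"
  cat > "$d/wordpress/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /wordpress/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /wordpress/index.php [L]
</IfModule>
# END WordPress
EOF
  # Hypothetical spam rewrite: any request ending in -NNNN.html, whatever the
  # keyword-stuffed prefix, is served from the dump of generated pages.
  cat > "$d/wordpress/imgxkm/.htaccess" <<'EOF'
RewriteEngine On
RewriteRule ^.*-([0-9]+)\.html$ $1.html [L]
EOF
  i=1
  while [ "$i" -le 6 ]; do
    echo "<html>spam page $i</html>" > "$d/wordpress/imgxkm/740000$i.html"
    i=$((i + 1))
  done
  echo "<html>a genuine upload</html>" > "$d/wordpress/wp-content/uploads/about.html"
  printf '%s\n' "$d"
}

# Human-readable report for DOCROOT ($1).
run_sweep() {
  echo "== .htaccess files with rewrite directives under $1"
  list_rewrite_htaccess "$1" | while IFS= read -r f; do
    echo "$f"
    unexpected_rewrites "$f" | sed 's/^/   outside WordPress block: /'
  done
  echo "== directories holding 5 or more NNNN.html files"
  spam_page_dirs "$1" 5
}

demo_root=$(make_demo_tree)
run_sweep "$demo_root"
rm -rf "$demo_root"
```

Run against a real site as `run_sweep /var/www/html` (or wherever the blog lives). The root .htaccess will always appear in the first list because WordPress needs its own rewrites; what matters is the lines reported as sitting outside the BEGIN/END WordPress block, and any .htaccess in a subdirectory you did not create.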