[adjective][species] was compromised last night through a template loader bug in WordPress.  The only effect we have seen from the compromise is that spam links were injected at the top of the page, visible only to users on certain IP ranges (notably Google, the goal being to boost spam sites’ popularity in the search engine).  This appears to have been an automated attack on several WordPress sites on our host, and no data has been compromised. However, this should serve as a reminder to practice Safe Password!

If you run WordPress and find yourself in a similar situation, here are the steps required to clean it up:

  1. Search for the exploit in your installation.  It looks like this at the top of your template’s index.php file.  If you have access to the command line, you can check for it with the following command:
    find . -name '*.php' -exec grep -q "mx_start" {} \; -print
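  2. Clean the files by removing the block.  If you’d like to automate the process, here is a Python snippet for doing so:
    import re
    import sys

    # Read the infected file named on the command line.
    with open(sys.argv[1], 'r') as f:
        text = f.read()

    # Match the injected block, from its mx_start marker through mx_orig_end.
    pattern = re.compile(r'<\?php /\*mx_start.*mx_orig_end\*/ \?>', re.MULTILINE|re.DOTALL)
    # Write the cleaned text to stdout without adding a trailing newline.
    sys.stdout.write(pattern.sub('', text))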

    Run it automatically by saving it as demx.py, and using bash like so:
    find . -name '*.php' -exec grep -q "mx_start" {} \; -print | while IFS= read -r i; do python demx.py "$i" > "$i.demx" && mv "$i.demx" "$i"; done
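
An added example, not part of the original post: a dry-run-first variant of the cleanup that also flags files where `mx_start` is present but the block does not match the regex, which the loop above would rewrite unchanged and leave infected. The function names `clean_text` and `clean_tree` and the `--apply` switch are hypothetical, and the non-greedy match is an assumption that each block ends at its first `mx_orig_end` marker.

```python
import re
import sys
from pathlib import Path

# Markers taken from the post's regex. Non-greedy (an assumption, the post
# uses a greedy match) so two blocks in one file are removed separately
# instead of deleting the legitimate code between them.
BLOCK = re.compile(rb'<\?php /\*mx_start.*?mx_orig_end\*/ \?>', re.DOTALL)
MARKER = b'mx_start'


def clean_text(data):
    """Return (cleaned_bytes, blocks_removed, marker_left_behind)."""
    cleaned, removed = BLOCK.subn(b'', data)
    return cleaned, removed, MARKER in cleaned


def clean_tree(root, apply=False):
    """Scan *.php under root and return {path: status}.

    'cleaned'       every mx_start sat inside a block the regex removes
    'manual-review' mx_start is present but not fully removable, for
                    example a variant of the block the regex misses
    Files are rewritten only when apply=True; bytes are used so line
    endings and encodings pass through untouched.
    """
    report = {}
    for path in sorted(Path(root).rglob('*.php')):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if MARKER not in data:
            continue
        cleaned, removed, leftover = clean_text(data)
        if removed == 0 or leftover:
            report[str(path)] = 'manual-review'
        else:
            report[str(path)] = 'cleaned'
            if apply:
                path.write_bytes(cleaned)
    return report


if __name__ == '__main__':
    args = [a for a in sys.argv[1:] if a != '--apply']
    result = clean_tree(args[0] if args else '.', apply='--apply' in sys.argv)
    for name, status in result.items():
        print(f'{status:14} {name}')
```

Run it without `--apply` first to see the report, and inspect anything marked `manual-review` by hand.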

About Makyo

Makyo spends her time as a frumpy arctic fox, usually, but she's all over the map. She's been around furry since about 2000 under a variety of names. She writes, programs, and screws around with music.

One thought on “Recent Spam Links”

  1. Hi, I just tried this find command and I got this result:
    find: missing argument to `-exec’
    What am I doing wrong?
