[wp-hackers] Porn links in google cache

Dre Armeda feeds at armeda.com
Thu Jul 14 16:32:58 UTC 2011


Well, I can't get into who is at fault or not here, not sure your role. 
I can however tell you that typically this happens when the site is 
running an outdated version of software (This string is not exclusive to 
WordPress). Variations of the attack happen through FTP credential 
hijacking (Don't use FTP, use a secure alternative like sFTP/SSH. If you 
must, don't save your credentials in your client), others we've seen 
have spread because the hosting provider has no business being a hosting 
provider (Choose your home wisely).

A lot to consider. What I recommend is ensuring their software is up to 
date, and stays that way. Secondly, but just as important, make sure 
they are using very strong passphrases, it will help mitigate the risk.

The SEO hit isn't as bad as you'd think, if handled quickly. Not sure 
how they've been affected already but it doesn't take too long to get 
cleaned up all around.

Dre

On 7/14/11 9:21 AM, Justin W Hall wrote:
> Great. Hard enough explaining to my client this isn't really my fault once. I'm sure two or three times down the road it's not going to get much better. The SEO hit is what's really going to be a hard pill to swallow.
>
>
>
> On Jul 14, 2011, at 12:14 PM, Dre Armeda <feeds at armeda.com> wrote:
>
>> It most likely is the Pharma hack from the sound of it. It was definitely popular last year, but it hasn't gone away. We're still seeing it daily but in varied capacities. The string mutates constantly, and is still very relevant.
>>
>> There are plenty of resources online to clean it up as noted. The thing to make sure of is that you find/remove all of the backdoor files that usually come with the malicious payload. This can be painful because they vary considerably. They vary in name, size, code base, insertion points, etc. The malicious payload is usually more obvious and simple to find, but if you don't clean up the backdoor files, you're likely to get reinfected. At minimum, the risk is high for recurring issues.
>>
>> Hope this helps,
>> Dre
>>
>> On 7/14/11 8:58 AM, Chip Bennett wrote:
>>> Absolutely poor HOST security, or poor USER security (FTP credential
>>> hijacking, etc.).
>>>
>>> Google has your back
>>> <http://www.google.com/#hl=en&xhr=t&q=wordpress+pharma+hack&cp=13&qe=d29yZHByZXNzIHBoYQ&qesig=6Z1sXovPDxfD25y-JQq8Wg&pkc=AFgZ2tnyqGRfkS3Tz14xULOprlN1qYlU_oAAipQplVIPS6_lZCulggI5VWplaaFsyOe9P6blbseW_C3_5Rp1adH3Cy9xiZb5-w&pf=p&sclient=psy&newwindow=1&safe=off&source=hp&aq=0&aqi=g5&aql=&oq=wordpress+pha&pbx=1&bav=on.2,or.r_gc.r_pw.&fp=2b8480a1095a616e&biw=1280&bih=903>
>>> for researching the hack, and how to clean it up.
>>>
>>> On Thu, Jul 14, 2011 at 10:45 AM, Justin W Hall <justin at justinwhall.com> wrote:
>>>
>>>> Thanks Chip-
>>>>
>>>> Can you elaborate a little? Is this a result of poor HOST security or poor
>>>> WP security?
>>>>
>>>>
>>>>
>>>> On Jul 14, 2011, at 11:28 AM, Chip Bennett <chip at chipbennett.net> wrote:
>>>>
>>>>> Google for the WordPress Pharma hack that went around last year or so. This
>>>>> sounds exactly like that.
>>>>>
>>>>> Chip
>>>>>
>>>>> On Thu, Jul 14, 2011 at 10:20 AM, Justin W Hall <justin at justinwhall.com> wrote:
>>>>>
>>>>>> Hey folks-
>>>>>>
>>>>>> It's been brought to my attention that when a site I recently worked in is
>>>>>> viewed via google cache, there is a whole list of mostly porn related links
>>>>>> that have been added to the bottom of the pages that obviously do not exist
>>>>>> on the page. My questions:
>>>>>>
>>>>>> 1) how does this happen? Host related malware?
>>>>>>
>>>>>> 2) what is the best way to go about fixing this?
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> wp-hackers mailing list
>>>>>> wp-hackers at lists.automattic.com
>>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>>>


More information about the wp-hackers mailing list