[wp-hackers] Porn links in google cache

Justin W Hall justin at justinwhall.com
Thu Jul 14 16:39:27 UTC 2011


It's a new WordPress install with 301 redirects from the old HTML site. Not older than two weeks - old host though.

Thanks for the help. 



On Jul 14, 2011, at 12:32 PM, Dre Armeda <feeds at armeda.com> wrote:

> Well, I can't get into who is at fault or not here, not sure your role. I can however tell you that typically this happens when the site is running an outdated version of software (This string is not exclusive to WordPress). Variations of the attack happen through FTP credential hijacking (Don't use FTP, use a secure alternative like sFTP/SSH. If you must, don't save your credentials in your client), others we've seen have spread because the hosting provider has no business being a hosting provider (Choose your home wisely).
> 
> A lot to consider. What I recommend is ensuring their software is up to date, and stays that way. Secondly, but just as important, make sure they are using very strong passphrases, it will help mitigate the risk.
> 
> The SEO hit isn't as bad as you'd think, if handled quickly. Not sure how they've been affected already but it doesn't take too long to get cleaned up all around.
> 
> Dre
> 
> On 7/14/11 9:21 AM, Justin W Hall wrote:
>> Great. Hard enough explaining to my client this isn't really my fault once. I'm sure two or three times down the road it's not going to get much better. The SEO hit is what's really going to be a hard pill to swallow.
>> 
>> 
>> 
>> On Jul 14, 2011, at 12:14 PM, Dre Armeda <feeds at armeda.com> wrote:
>> 
>>> It most likely is the Pharma hack from the sound of it. It was definitely popular last year, but it hasn't gone away. We're still seeing it daily but in varied capacities. The string mutates constantly, and is still very relevant.
>>> 
>>> There are plenty of resources online to clean it up as noted. The thing to make sure of is that you find/remove all of the backdoor files that usually come with the malicious payload. This can be painful because they vary considerably. They vary in name, size, code base, insertion points, etc. The malicious payload is usually more obvious and simple to find, but if you don't clean up the backdoor files, you're likely to get reinfected. At minimum, the risk is high for recurring issues.
>>> 
>>> Hope this helps,
>>> Dre
>>> 
>>> On 7/14/11 8:58 AM, Chip Bennett wrote:
>>>> Absolutely poor HOST security, or poor USER security (FTP credential
>>>> hijacking, etc.).
>>>> 
>>>> Google has your
>>>> back <http://www.google.com/#hl=en&xhr=t&q=wordpress+pharma+hack&cp=13&qe=d29yZHByZXNzIHBoYQ&qesig=6Z1sXovPDxfD25y-JQq8Wg&pkc=AFgZ2tnyqGRfkS3Tz14xULOprlN1qYlU_oAAipQplVIPS6_lZCulggI5VWplaaFsyOe9P6blbseW_C3_5Rp1adH3Cy9xiZb5-w&pf=p&sclient=psy&newwindow=1&safe=off&source=hp&aq=0&aqi=g5&aql=&oq=wordpress+pha&pbx=1&bav=on.2,or.r_gc.r_pw.&fp=2b8480a1095a616e&biw=1280&bih=903> for
>>>> researching the hack, and how to clean it up.
>>>> 
>>>> On Thu, Jul 14, 2011 at 10:45 AM, Justin W Hall <justin at justinwhall.com> wrote:
>>>> 
>>>>> Thanks Chip-
>>>>> 
>>>>> Can you elaborate a little? Is this a result of poor HOST security or poor
>>>>> WP security?
>>>>> 
>>>>> 
>>>>> 
>>>>> On Jul 14, 2011, at 11:28 AM, Chip Bennett <chip at chipbennett.net> wrote:
>>>>> 
>>>>>> Google for the WordPress Pharma hack that went around last year or so. This
>>>>>> sounds exactly like that.
>>>>>> 
>>>>>> Chip
>>>>>> 
>>>>>> On Thu, Jul 14, 2011 at 10:20 AM, Justin W Hall <justin at justinwhall.com> wrote:
>>>>>> 
>>>>>>> Hey folks-
>>>>>>> 
>>>>>>> It's been brought to my attention that when a site I recently worked in is
>>>>>>> viewed via Google cache, there is a whole list of mostly porn-related links
>>>>>>> that have been added to the bottom of the pages that obviously do not exist
>>>>>>> on the page. My questions:
>>>>>>> 
>>>>>>> 1) How does this happen? Host-related malware?
>>>>>>> 
>>>>>>> 2) What is the best way to go about fixing this?
>>>>>>> 
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> wp-hackers mailing list
>>>>>>> wp-hackers at lists.automattic.com
>>>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>>>> 


More information about the wp-hackers mailing list
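
The symptom reported in this thread (links that show up in the Google cache copy but not when the page is viewed normally) can be confirmed by comparing the links in two saved copies of the same page. The following is an added example, not code from the thread or from WordPress; the HTML samples, host names and function names are constructed for illustration, and it assumes you have saved one copy from a browser and one from the cache.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LinkCollector(HTMLParser):
    """Collect the absolute target of every <a href=...> in a document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.add(urljoin(self.base_url, href.strip()))


def extract_links(html, base_url):
    collector = LinkCollector(base_url)
    collector.feed(html)
    return collector.links


def cached_only_links(browser_html, cached_html, base_url):
    """Return (off_site, on_site): links found only in the cached copy."""
    extra = extract_links(cached_html, base_url) - extract_links(browser_html, base_url)
    site = urlparse(base_url).hostname
    off_site = sorted(u for u in extra if urlparse(u).hostname != site)
    on_site = sorted(u for u in extra if urlparse(u).hostname == site)
    return off_site, on_site


# Constructed sample input: the same page saved from a browser and from the cache.
BASE = "http://client-site.example/"
BROWSER_COPY = ('<html><body><a href="/about/">About</a>'
                '<a href="http://partner.example/">Partner</a></body></html>')
CACHED_COPY = ('<html><body><a href="/about/">About</a>'
               '<a href="http://partner.example/">Partner</a>'
               '<div><a href="http://spam-one.example/pills">x</a>'
               '<a href="http://spam-two.example/">y</a>'
               '<a href="/?p=cheap">z</a></div></body></html>')

if __name__ == "__main__":
    off_site, on_site = cached_only_links(BROWSER_COPY, CACHED_COPY, BASE)
    print("off-site links only in cached copy:", off_site)
    print("on-site links only in cached copy:", on_site)
```

An empty result on every page after cleanup, once the cache has refreshed, is a useful check that the injected links are gone; it says nothing about whether backdoor files remain on the server.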