A lovely hacker edited my templates and added code that injects spammy links in my pages for visits from search engines. The links are hidden to viewers but seen by search engines. As a result, Google de-indexed my blog.

I removed the offending code, but to prevent further hacks I’m also updating to WordPress 2.5 ahead of schedule, so fuckups might happen. At the moment of writing, all accented characters, curly quotes and apostrophes are borked. Working on it.

[Update] Fixed
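The injection described above is a cloaking trick: the spam links only show up for search engines, or sit inside elements a browser never renders, so a site owner looking at the page sees nothing wrong. The script below is an added example (not code from this post or from WordPress) showing how to check for both symptoms: it parses two copies of the same page, one served to a normal browser and one served to a search-engine crawler, and reports links that appear only in the crawler copy plus any links wrapped in a `display:none` or `visibility:hidden` container. The two HTML samples and the spam hostnames are constructed for illustration; in practice you would feed it the bodies returned by fetching your own URL with a browser User-Agent and again with a crawler User-Agent (the optional `fetch_as` helper does that with the standard library).

```python
"""Spot search-engine-only ("cloaked") or hidden spam links in a page.

Added example, not part of the original post. Compares the HTML a browser
receives with the HTML a crawler receives and reports the differences a
site owner would otherwise never see.
"""
import re
import urllib.request
from html.parser import HTMLParser

# Inline styles that hide an element (and everything inside it) from viewers.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


class LinkCollector(HTMLParser):
    """Collect hrefs, recording whether each one sits inside a hidden element."""

    def __init__(self):
        super().__init__()
        self.visible = set()
        self.hidden = set()
        self._stack = []        # (tag, was_hidden) for each open element
        self._hidden_depth = 0  # > 0 while inside at least one hidden element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        is_hidden = bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        inside_hidden = self._hidden_depth > 0 or is_hidden
        if tag == "a" and attrs.get("href"):
            (self.hidden if inside_hidden else self.visible).add(attrs["href"])
        if tag not in VOID_TAGS:
            self._stack.append((tag, is_hidden))
            if is_hidden:
                self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, unwinding hidden depth on the way.
        while self._stack:
            open_tag, was_hidden = self._stack.pop()
            if was_hidden:
                self._hidden_depth -= 1
            if open_tag == tag:
                break


def collect_links(html):
    """Return (visible_hrefs, hidden_hrefs) found in one HTML document."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.visible, parser.hidden


def find_cloaked_links(browser_html, crawler_html):
    """Return (crawler_only, hidden): links served only to the crawler, and
    links hidden from viewers in either copy. Both lists are sorted."""
    b_vis, b_hid = collect_links(browser_html)
    c_vis, c_hid = collect_links(crawler_html)
    crawler_only = (c_vis | c_hid) - (b_vis | b_hid)
    hidden = b_hid | c_hid
    return sorted(crawler_only), sorted(hidden)


def fetch_as(url, user_agent):
    """Fetch a URL with a given User-Agent (network helper, not used offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed samples: what a browser sees versus what a crawler sees.
BROWSER_HTML = """
<html><body>
<p>Welcome. <a href="/about">About me</a> and <a href="http://friend.example/">a friend</a>.</p>
<span style="visibility:hidden"><a href="http://spam-example.invalid/casino">casino</a></span>
</body></html>
"""
CRAWLER_HTML = BROWSER_HTML.replace(
    "</body>",
    '<div style="display: none"><a href="http://spam-example.invalid/pills">'
    'cheap pills</a></div></body>',
)

if __name__ == "__main__":
    crawler_only, hidden = find_cloaked_links(BROWSER_HTML, CRAWLER_HTML)
    print("links served only to the crawler:", crawler_only)
    print("links hidden from viewers:", hidden)
```

Run it against the constructed samples and it flags `/pills` as crawler-only and both spam URLs as hidden, while the genuine `/about` and friend links pass. A difference between the two fetches, or any link inside a hidden container you did not put there, is the cue to grep the theme and plugin files for the injected code.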


hugh April 7, 2008

ouch. that means i have some – shudder – updating to do.

Marie-Claude April 7, 2008

So that’s what happened! You were right after all; it wasn’t normal!

Blork April 7, 2008

Hey, how about a PSA that shows us what the hack looks like so people know what to look for when they check to make sure they’re not being de-indexed?

Patrick April 7, 2008

wtf is a PSA?

Blork April 7, 2008

Public Service Announcement.

Cuz I have no idea what to look for in a case like this. Was it a database hack? A PHP file hack? What is the code in the hack? What do I search for? (etc.)

Denis Canuel April 8, 2008

Some people give free templates that have a “backdoor” to include such links. It’s not very easy to figure out unless you parse the source code file by file. Evil plugins can do this too…

Laurent LaSalle April 8, 2008

That’s your cue for your first impressions of WordPress 2.5…

Laurent LaSalle April 8, 2008

@Blork It was an oooooold flaw that was already patched.

Patrick April 8, 2008

It wasn’t _that_ old, I was 2 versions behind (plus some minor bug fix versions). Certainly, I should have been more up to date, but oooooooold would imply no one but a few are on that, and I’m sure loads are still on versions with that flaw.

First impressions: I’m not into it at all. I like the colours and the type of interface, but I was using Tiger admin and I find the new design a bit misaligned; the pieces sometimes don’t seem to fit together, it’s less finished.

Blork April 8, 2008

So this was the vulnerability that 2.3.3 fixed? (If so, I’m safe.)

Laurent LaSalle April 9, 2008

To tell the truth, I thought it was a vulnerability from 2.1, so yes, I exaggerated the ooooooold a bit, sorry! But at the same time, it was to point out that a Public Service Announcement was pointless.

For my part I wasn’t using any alternative admin interface, so I welcome this new version with open arms. I’d have to compare with Tiger admin as you say; am I to understand that this interface isn’t compatible with the new version?

Patrick April 9, 2008

I haven’t tried it yet, I want to live with 2.5 a bit first.

Jeremy Clarke April 10, 2008

Same thing happened to GV, they were very very persistent about it and kept exploiting our user accounts (cause there’s hundreds).

For the record, we were running 2.3.1, just 0.0.2 away from the fix that closed the hole they exploited. The lesson: point releases are as important as version releases, stay up to date on the 0.x so that when the 0.x.x comes out it’s easy and safe to update to it.

Good work on stopping them. I recommend checking your pages now and then for the js in case they come back.
