List of Compromised Blogs

The blogs listed in this Google Document are unwittingly participating in a spam-link exploit. They may currently be hosting many online store landing pages (usually within their /themes/, /lang/ or /med/ directories), and if they are WordPress blogs, their wp_footer() is serving hidden spam links.

These blogs load slowly, as they “phone home” to retrieve new spam directives, and they get down-rated by search engines like Google for being part of a spam link farm.

The column headers in the Google Document above are explained here:

| Column | Description |
|---|---|
| Notified | Whether or not the blog owner has been notified of the exploit. |
| Base URL | The landing page of the blog with the list of hidden spam links. |
| Code | The HTTP Status Code of the Base URL. An empty field is the same as 200 (OK), your website loads fine (maybe slowly if the next cell is “yes”). |
| Spam Links | Whether or not the footer spam links were detected. If “yes” view the source of your webpage to see them. |
| Example Store | The URL to a store (usually one of many) hidden at this site. |
| Code | The HTTP Status Code of the store URL. An empty field is the same as 200 (OK), which is bad. You want a 404 (Not Found) for this page that you didn’t create. |
| Date Verified | The last time the exploit crawler visited this domain. |


If you are the maintainer of one of these blogs, you should remove the modified code from your blog and remove the backdoor that allows the attack. Upgrading your installation does not remove the existing backdoor, and the backdoor can be used again after you’ve cleaned your blog. The backdoor usually relies on an eval() call; you can search for suspect code with this expression:

find . -name '*.php' -print0 | xargs -0 grep -nI "\(base64_decode\|eval\)"

That’ll find a lot of exploits. But many backdoors are much more cleverly hidden.
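Since the grep above only catches backdoors that spell out eval or base64_decode, it helps to pair it with a comparison against a clean copy of the same release, which also surfaces added files such as the hidden store pages. The script below is an added example, not part of the original post; it assumes GNU or BSD find/grep and a pristine copy of your blog software unpacked locally, and the function names and paths in it are hypothetical.

```shell
#!/bin/sh
# Added example: triage helpers for a blog's document root.

# The article's pattern as an extended regex. Requiring a non-identifier
# character before the name and "(" after it skips words like "retrieval".
BACKDOOR_RE='(^|[^A-Za-z0-9_])(eval|base64_decode)[[:space:]]*\('

# Print "count<TAB>file" for each PHP file containing suspect calls,
# highest count first. /dev/null forces grep to prefix every file name.
suspect_php() {
    find "$1" -type f -name '*.php' \
        -exec grep -IcE "$BACKDOOR_RE" /dev/null {} + |
        awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n "\t" $0 }' |
        sort -rn
}

# List PHP files under SITE that are missing from, or differ from, a
# pristine copy of the same release unpacked at CLEAN (assumption: you
# downloaded that copy from the vendor, not from the compromised host).
changed_vs_clean() {
    clean=$1 site=$2
    (cd "$site" && find . -type f -name '*.php') | sort |
        while IFS= read -r f; do
            if [ ! -f "$clean/$f" ]; then
                echo "added    $f"
            elif ! cmp -s "$clean/$f" "$site/$f"; then
                echo "modified $f"
            fi
        done
}

# Usage (hypothetical paths):
#   suspect_php /var/www/blog
#   changed_vs_clean /tmp/blog-clean /var/www/blog
```

Your own themes and plugins will show up as "added"; review those by hand rather than assuming they are clean.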
