List of Compromised Blogs

The blogs listed in this Google Document are unwittingly participating in a spam-link exploit. They may currently be hosting many online store landing pages (usually within their /themes/, /lang/ or /med/ directories), and if they are WordPress blogs, their wp_footer() is serving hidden spam links.

These blogs load slowly, because they “phone home” to retrieve new spam directives, and they get down-rated at search engines like Google for being part of a spam link farm.

The columns of the Google Document above are:

Column        | Description
Notified      | Whether or not the blog owner has been notified of the exploit.
Base URL      | The landing page of the blog with the list of hidden spam links.
Code          | The HTTP status code of the Base URL. An empty field means 200 (OK): your website loads fine (maybe slowly if the Spam Links cell is “yes”).
Spam Links    | Whether or not the footer spam links were detected. If “yes”, view the source of your web page to see them.
Example Store | The URL of a store (usually one of many) hidden at this site.
Code          | The HTTP status code of the store URL. An empty field means 200 (OK), which is bad. You want a 404 (Not Found) for this page that you didn’t create.
Date Verified | The last time the exploit crawler visited this domain.


If you are the maintainer of one of these blogs, you should remove the modified code from your blog and remove the backdoor that allowed the attack. Upgrading your installation does not remove the existing backdoor, and the backdoor can be used again after you’ve cleaned your blog. The backdoor usually relies on an eval() call; you can search for suspect code with this expression:

find . -name '*.php' -print0 | xargs -0 grep -nI "\(base64_decode\|eval\)"

That’ll find a lot of exploits. But many backdoors are much more cleverly hidden.
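The grep above flags every legitimate plugin that mentions eval() or base64_decode(). As an added example (not the page's own script), this Python scanner looks for the combinations that characterise obfuscated backdoors instead: a decoder feeding eval(), request input feeding eval(), and long base64 literals. The PHP samples and file layout are constructed for illustration.

```python
import re
from pathlib import Path

# Heuristics for obfuscated PHP backdoors, narrower than a bare grep for "eval":
# decoder functions feeding eval, request input feeding eval, and long base64 literals.
DECODER = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)"
RULES = [
    ("eval of decoded payload", re.compile(r"\beval\s*\(\s*" + DECODER + r"\s*\(", re.I)),
    ("eval of request input", re.compile(r"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("long base64 literal", re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
]


def scan_source(source: str) -> list[tuple[int, str]]:
    """Return (line number, rule name) pairs for every suspicious line in a PHP source string."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def scan_tree(root: Path) -> dict[str, list[tuple[int, str]]]:
    """Scan every .php file under root (e.g. a WordPress install); clean files are omitted."""
    report = {}
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = scan_source(text)
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


# Constructed samples: a typical obfuscated backdoor, and a legitimate hardening plugin
# that merely mentions eval() and would be flagged by a plain grep.
BACKDOOR = '<?php\nif (isset($_REQUEST["c"])) { eval(base64_decode($_REQUEST["c"])); }\n'
LEGIT_PLUGIN = '<?php\n// Hardening plugin: warn if eval() appears in uploaded files.\n$bad = ["eval", "base64_decode"];\n'

if __name__ == "__main__":
    for name, src in (("backdoor.php", BACKDOOR), ("plugin.php", LEGIT_PLUGIN)):
        print(name, scan_source(src) or "clean")
```

Run scan_tree(Path("/path/to/wordpress")) to get a per-file report; anything it lists still needs a human look, and a clean report does not prove the site is clean.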


3 Responses to List of Compromised Blogs

  1. Woolwit says:

    Very cool that you built the script and publicized the hacked sites. It would be interesting to also see where the sites were hosted. One might be able to determine which hosts are being targeted OR have better security in place.
    My problem is that I don’t know whether a match for ‘eval’ or ‘(base64’ necessarily leads to a back door or is part of legit plugin code. For instance, both phrases match plugins I installed to beef up security. I’m not a coder. It took me 5 days to clean my DreamHost account. The experience has taught me to go easy on my WordPress experiments. But maybe also put me off WordPress and php altogether.

  2. Wow, it’s been a long time since I’ve seen this. My sites seem to have been cleaned up. I think a problem I had was that one of my directories allowed global write access. From there, existing php files were being automatically modified.

    I wish I could be more helpful. I am glad that most of these compromised sites got cleaned up, though.

    I mentioned this site from my livejournal account.
