Skip to content

Random Connections

A collection of photography and exploration focusing on Upstate South Carolina and beyond.

  • Home
  • About Us
  • Photos
  • Resources
  • Other Voices
  • Post Archives
  • Home
  • Rants
  • Spam Injection

Spam Injection

Posted on February 15, 2012 By Tom 4 Comments on Spam Injection
Rants

I knew it was going to be a rough day.  The coffee maker didn’t start on time, I cut myself shaving, and my watch stopped working.   Then, to top it off, I found that this website had been hit by a spam injection hack attack.  I was tempted to crawl back into bed.

I first noticed this a couple of days ago.  If you’ve ever looked at the sidebar to the site, you see that I use the Feedjit script to show who visits the site.  This past weekend I noticed a couple of weird links, something like this…

Random_Connections_Spam 2

When I clicked on the link it took me to one of my own posts.  However, there was nothing on the site to indicate an errant link or an active spam comment.

Then, on my WordPress dashboard I started seeing the following incoming links:

Random_Connections_Spam 3

Now I knew something was wrong.

A spam injection hack targets WordPress users.  Malicious code can be inserted either into the PHP files on the website, or into the content database itself.  The code generates links to spam websites.  However, these links are hidden from view unless you do a “view page source” on an infected page or post. The spammy keywords and links would like something like this in the post:

MWSnap035-2012-02-15,-12_11_33_cropped

OK, so the stuff’s hidden, and there are no real active links on your site.  So, what harm is it doing?  Well, for one thing it will completely throw off your search engine rankings.  Folks searching for your site won’t be able to find the real content.  The malicious code may eventually cause problems with your website being able to load properly as more and more of this junk accumulates.

How can you tell if your site has been infected?  If you have incoming link checkers like the ones I described above, these will help.  Another way to check is to go to Google and type “site:yourdomain.com viagra” or “site:yourdomain.com cialis” and see what comes up (so to speak.)  I found that these pointed to an unsettling number of my posts.

MWSnap035 2012-02-15, 12_11_33

Clicking on any of these links takes you to one of your normal posts, where you most likely won’t see any sign of the infection.

There are lots of great suggestions online for cleaning up an infected website. Unfortunately, this is not a trivial process.  In phpAdmin I ran several queries on the WordPress database tables to make sure that they didn’t contain any malicious code.  One thing the experts say to search for is instances of <iframe>.  Well, that’s a problem, because most embed codes, including YouTube and Google Maps, all use <iframe>.  Fortunately, my WP database seemed clean.

I then did a complete re-install and re-build of WordPress on my site.  That involved deleting all of the files off of my host, then installing a clean set of WordPress files.  I installed new versions of my themes and plugins, keeping nothing from the infected site.  I also made sure I changed my admin password for both the site and the database, just in case.

It looks like I was lucky, and caught the problem in time.  The Google page rank for the site is still high, and the last spam link from Feedjit was last night, before I started the cleaning process.  Google is still showing links to my site based on spam keywords, but those won’t go away until Google crawls those sites again.  I did a spot check on several of them, and the page source code doesn’t show any problems.

This has really been a pain, and to what end?  Do people really buy drugs from these types of links??  Are they that desperate or stupid?  I guess all it takes are a few idiots to make all this spamming worthwhile for the spammers.  In the meantime, legitimate sites like this one come to a crashing halt.  I’m about ready to switch completely over to my handwritten journal and have people come visit if they want to see what I’ve written.

UPDATE:

I checked my blog stats this morning, and I got the first evidence that all my cleaning paid off. There were several entries in my Feedjit stats similar to the one below:

RandomConnections Spam 5

While this may look like I’ve still got spam links, here’s why those stats are good news. Google still has some links to the site in cache, so if you do a search for a particular medicine, it would still return a link to RandomConnections. However, this stat shows the actual NAME of the post. Previously the post name would have been replaced by some other garbage. This lets me know that the infection is no longer present. I guess my own medicine worked.

Tags: Rants spam Wordpress

Post navigation

❮ Previous Post: Google Earth and Google Plus
Next Post: Pixlr Photo Editing ❯

4 thoughts on “Spam Injection”

  1. Ken Cothran says:
    February 15, 2012 at 7:05 pm

    I don’t see how spammers could inject code into the WP software or the site itself. I’ll admit I don’;t know much about PHP – used it once because it was already in place. But sounds like there are some serious security vulnerabilities in the ISP or the software itself. (Dang, can I state the obvious! 😉 )

    Reply
  2. jeremy says:
    June 15, 2012 at 8:21 pm

    Great info; hopefully this helps all the others who’ve had this kind of problem. I had the exact same thing happen to me. I took the same steps. It appears i’m clean now and have been since i did the work a couple months ago, but i’m still getting the spammy incoming links on that dashboard widget. Le sigh.

    Reply
    1. Tom says:
      June 15, 2012 at 10:24 pm

      Jeremy – I’m sure my blog is clean now, but I still get those links, too. Unfortunately, you can’t control the text someone uses to link to your site.

      Reply
  3. Kimberly says:
    April 9, 2013 at 5:13 pm

    It’s important to search for the word, “loan,” as well. Payday loan spam is as common as drug spam. Also, a plugin was just found to have a spam injector that almost a million people have downloaded: http://www.viruss.eu/web-malware/wordpress-plugin-social-media-widget-hiding-spam-remove-it-now/

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Categories

  • EdTech (200)
  • Entertainment (202)
  • Family (121)
  • Gear (115)
  • General Technology (99)
  • Geocaching and Maps (208)
  • History and Genealogy (266)
  • Internet (144)
  • Local (451)
  • Miscellaneous (550)
  • Music (196)
  • Paddling (248)
  • Photography (779)
  • Podcast (6)
  • Rambling (227)
  • Rants (161)
  • Recipes (34)
  • Religion (48)
  • Restaurants (165)
  • Science (48)
  • Things Overheard (29)
  • Travel (411)
  • Uncategorized (129)
  • Washington Sabbatical (113)
  • Weirdness (60)

Recent Posts

  • In Search of the Road Builder
  • The Phoenix Riots and Dr. Benjamin Mays – An MLK Day Ramble
  • An Obsession with Steak Knives
  • An Epiphany on Patriotism
  • Kayaking Bates Old River and Running Creek

Recent Comments

  • Kris Chappell on The Sad Fate of Chappells
  • Joel Nagy on Old Pickens Court House
  • Derek May on The Haunting of Farr’s Bridge
  • Roger Combs on Mystery Cemetery
  • Roger Combs on Mystery Cemetery

Tags

blogging cemetery Christmas Columbia Edisto River edtech Entertainment family Flickr Florida Furman Furman University gear Georgia geotagging Ghost Town Ghost Towns Google Earth Google Maps GPS Greenville Greenville Chorale history Instructional Technology kayaking Lake Jocassee LCU Lowcountry Unfiltered maps Music North Carolina Paddling Photography rambling restaurant Restaurants review singing social networking South Carolina time-lapse Travel video Washington Washington State
February 2023
S M T W T F S
 1234
567891011
12131415161718
19202122232425
262728  
« Jan    

Copyright © 2023 Random Connections.

Theme: Oceanly by ScriptsTown