Tags:





Spammers III: The Takeover
July 18, 2009 9:46 AM   RSS feed for this thread Subscribe

I have a Wordpress site. In spidering the site, and coming up with the little synopsis underneath the title, Google, Bing and Yahoo all believe that it's not a personal Web site but a spammy list of prescription drugs for sale. I don't understand why.

My site is described by major search engines as:

"Keftab No Prescription Mentat For Sale Buy Superman No Prescription Buy Trimox Online Buy Online Remeron Avapro No Prescription Lexapro For Sale Buy Flonase ..."

I thought maybe the GoogleAds had overtaken the search hits, so I deleted them months ago. But still with the Mentat For Sale!

Then I tried setting up Akismet controls, because my old blog comments, in my neglect, had become flooded with spam. I also turned off comments completely. I thought maybe Google had mistaken the spam comments for crucial keywords being discussed in the forums. I don't think that was it, either.

Those lists of drugs also show up in Google caches of individual post pages. But when you go to them, they're nowhere to be seen, with a message of "These terms only appear in links pointing to this page."

The creepiest thing yet is that in one cache, a Wordpress post showed up with the title intact, but the body of the post completely replaced by spam.

Could this be an insidious spam takeover that goes beyond just bad SEO on my long-gone GoogleAds, and months-long delays before Google realizes the ads are gone? How do I flush this stuff out?
posted by Kirklander to computers & internet (12 comments total)
This happened to one of my sites. You need to upgrade to the latest version of wordpress, there was a vulnerability that allowed this to happen. You'll likely have to go into your theme editor and clean up your templates as well.
posted by davey_darling at 9:50 AM on July 18 [2 favorites]


Oh OK, I was looking through my template for bits of code that could make this stuff happen, but so far no luck. Wonder what to look for.
posted by Kirklander at 9:57 AM on July 18


Check inside your wordpress database. That happened to one of my sites before as well, and it turned out the spammer had appended a whole bunch of spammy links to some of the database entries (wish I could remember which table specifically, sorry). Try doing a search for one of the drug names. And definitely upgrade to the latest version of WP.
posted by estherbester at 10:12 AM on July 18


Fascinating, I'll check the database.
posted by Kirklander at 10:13 AM on July 18


If it is SQL injection, check the html of your posts (i.e. go into edit view of your posts and look at them in the html tab/view. At the bottom you may see a whole bunch of spam info. Delete the bad html text and re-save the post.

If that's not the problem, you may have better luck searching for the version of Wordpress you have and spam vulnerabilities to see how to address your specific issue.
posted by qwip at 10:14 AM on July 18


What version of Wordpress are you running? I'd look at the source of the page. Could you link or Mefimail the website to me?
posted by Pronoiac at 10:56 AM on July 18


Dunno if this will help. The above comments are apropos. My problem on Wordpress is that my description on Google was the default 'powered by Wordpress' blurb that a default Wordpress installation has in its meta tag. At least I think that is where it got spidered from.

I used the WP Google xml site notification plugin to notify Google before I had the site properly set up. I also use All in One SEO to control the meta tags. So, after the description was wrong, I fixed the problem, renotified Google of a change in my site, got respidered and the description updated.

When you get things resolved on the back end, I would suggest doing this.
posted by diode at 11:02 AM on July 18


This may help you. It sounds like you got hit by the wordpress referrer hack. If you come in via a direct link your site looks normal, if you come in from a google search result, you would get redirected to a spam site.

Clean up the mess they made and then upgrade your wordpress is how to fix this.
posted by bottlebrushtree at 11:27 AM on July 18


OK, from that thread, it looks like I am an idiot who didn't upgrade his WP and faced the consequences. Thanks, everyone. (And for some reason can't figure out why I can't find my Wordpress database among the others at mysqlsubdomain.mydomain.com, but I hope that's another story.)
posted by Kirklander at 11:35 AM on July 18


p.s. I got into the DB and am only finding the drug names in spam comments, not in other MySQL tables.
posted by Kirklander at 12:08 PM on July 18


You shouldn't have to go into the database - they have modified your template files.

Check header.php, index.php and comments.php - the added spammy bits will be instantly recognizable. If you have updated your wp install and you remove those bits, you should be fine - your google index snippet will be updated sooner or later.
posted by davey_darling at 1:06 PM on July 18


I got your email, & checked your site & the Google cache of it. The cache has invisible "Mentat for Sale" links in it (near the top: visible via "view source" & in links, a text-only browser), but it's not there in the live site. Both places say that you're running Wordpress 2.8.1, the latest stable version.

I'd move the current installation to another directory & re-download & reinstall Wordpress & the theme. I'd look for recently changed files, & also manually edit the entries to look for spam.
posted by Pronoiac at 2:05 PM on July 18 [1 favorite]


« Older Any Civ IV players out there? ...   |   where can I get a handkerchief... Newer »

You are not logged in, either login or create an account to post comments