My blog has become a playground for filthy pornmongers!
April 11, 2008 12:54 PM Subscribe
How can I restore my totally disgustingly porn-hacked Wordpress blog to its former pristine state?
Ugh. My Wordpress blog, hosted by phpwebhosting, has been invaded by the grossest spammer on earth.
Every individual post has been altered, with hundreds of lines unspeakably filthy links, enclosed in div tags.
In addition, comments are continuously being posted to every post, which appear to be coming from me (the blog name as the commenter).
I am locked out Wordpress, insofar as I cannot edit posts, post new ones, or make any security changes (I tried turning off comments, putting my spam blockers at their highest security levels, etc.
I have been using MarsEdit (as once recommended to me by AskMe users--thank you!) to make new posts and go in to each post and delete the horrifying spam. But there are hundreds if not thousands of posts.
1. Help!
2. Is there a way to batch edit all the affected posts? It seems that there are a handful every 10 or 12 or so that have not been touched.
3. How do I get back into Wordpress and regain control of my blog?
4. Has this happened before? What is going on?
I am using Wordpress 2.04 but cannot update. I emailed the abuse line of the spammer's IP address but that won't help me with the situation on my end, but might get the spammer(s) to stop the madness.
Thank you so much.
Is there anything I can do? I contacted Wordpress & phpwebhosting and posted on the Wordpress support forums.
Ugh. My Wordpress blog, hosted by phpwebhosting, has been invaded by the grossest spammer on earth.
Every individual post has been altered, with hundreds of lines unspeakably filthy links, enclosed in div tags.
In addition, comments are continuously being posted to every post, which appear to be coming from me (the blog name as the commenter).
I am locked out Wordpress, insofar as I cannot edit posts, post new ones, or make any security changes (I tried turning off comments, putting my spam blockers at their highest security levels, etc.
I have been using MarsEdit (as once recommended to me by AskMe users--thank you!) to make new posts and go in to each post and delete the horrifying spam. But there are hundreds if not thousands of posts.
1. Help!
2. Is there a way to batch edit all the affected posts? It seems that there are a handful every 10 or 12 or so that have not been touched.
3. How do I get back into Wordpress and regain control of my blog?
4. Has this happened before? What is going on?
I am using Wordpress 2.04 but cannot update. I emailed the abuse line of the spammer's IP address but that won't help me with the situation on my end, but might get the spammer(s) to stop the madness.
Thank you so much.
Is there anything I can do? I contacted Wordpress & phpwebhosting and posted on the Wordpress support forums.
Unfortunately I don't know if this jives with the current WordPress database schema. I am using 2.5 and I will tell you what I can see and can remember from previous versions. If you can get direct access to your MySQL database then you a chance at getting an admin account back, but the fact that you can't upgrade a package that has known exploits is bad!
wp_users is the table that has all the passwords. In WordPress 2.3, they are stored as the MD5 hash of the actual password, so if you run the query UPDATE wp_users SET user_pass = MD5('yournewpassword')" you can at least get into the admin interface.
posted by mkb at 1:16 PM on April 11, 2008
wp_users is the table that has all the passwords. In WordPress 2.3, they are stored as the MD5 hash of the actual password, so if you run the query UPDATE wp_users SET user_pass = MD5('yournewpassword')" you can at least get into the admin interface.
posted by mkb at 1:16 PM on April 11, 2008
I emailed the abuse line of the spammer's IP address
Are they all coming from the same IP?
Do you own this blog? If so, you should be able to get yourself back in. Do you get phpMyAdmin access? I can walk you through some stuff... If it's all from one IP and you have phpMyAdmin access, it's maybe 45 seconds of work to make all their comments disappear. It gets harder if you don't.
Two thoughts:
- If you have database access (e.g., via phpMyAdmin), you can export the site's database, and then just do a new WordPress install. I don't know what is wrong with yours.
- You should check out the Akismet plugin for preventing spam in the future.
posted by fogster at 1:16 PM on April 11, 2008
Are they all coming from the same IP?
Do you own this blog? If so, you should be able to get yourself back in. Do you get phpMyAdmin access? I can walk you through some stuff... If it's all from one IP and you have phpMyAdmin access, it's maybe 45 seconds of work to make all their comments disappear. It gets harder if you don't.
Two thoughts:
- If you have database access (e.g., via phpMyAdmin), you can export the site's database, and then just do a new WordPress install. I don't know what is wrong with yours.
- You should check out the Akismet plugin for preventing spam in the future.
posted by fogster at 1:16 PM on April 11, 2008
You're not locked out of Wordpress if you're the administrator of your hosting account. At any time you can log in via FTP and rename the folders holding your WordPress files, breaking the spammer's ability to continue to post things. Or you can block their IP address in your htaccess file.
Anything you do *through* your WordPress install will not keep them out right now, since they're clearly exploiting a security hole in WordPress itself. Version 2.0.4 is almost two years old; there have been MANY security patches since then.
Once you block the spammer at the hosting level you can work on exporting your posts to a text file, cleaning out every piece of WordPress, and reinstalling a fresh copy of version 2.5 with a clean template from a safe source.
posted by bcwinters at 1:16 PM on April 11, 2008
Anything you do *through* your WordPress install will not keep them out right now, since they're clearly exploiting a security hole in WordPress itself. Version 2.0.4 is almost two years old; there have been MANY security patches since then.
Once you block the spammer at the hosting level you can work on exporting your posts to a text file, cleaning out every piece of WordPress, and reinstalling a fresh copy of version 2.5 with a clean template from a safe source.
posted by bcwinters at 1:16 PM on April 11, 2008
Every individual post has been altered
I think I misunderstood you. The actual posts are being vandalized with spam, as opposed to comment links? It sounds like you've been hacked. Back up the database and do a new install. (phpMyAdmin: you can click on the database, and then choose "Export," making sure that "Complete inserts" is checked. You may want to zip it for sanity, as it may be quite large.
And then do a whole new install with the latest version.
posted by fogster at 1:19 PM on April 11, 2008
I think I misunderstood you. The actual posts are being vandalized with spam, as opposed to comment links? It sounds like you've been hacked. Back up the database and do a new install. (phpMyAdmin: you can click on the database, and then choose "Export," making sure that "Complete inserts" is checked. You may want to zip it for sanity, as it may be quite large.
And then do a whole new install with the latest version.
posted by fogster at 1:19 PM on April 11, 2008
Why can't you update? You *really* need to stay on top of WordPress updates for the security of your blog.
posted by SansPoint at 1:22 PM on April 11, 2008
posted by SansPoint at 1:22 PM on April 11, 2008
There are two parts to your wordpress blog - one is the wordpress install with files on your web server - that includes your templates, images, wordpress files, etc. - and one is the mysql database that holds all the data from your blog and that is probably residing somewhere on phpwebhosting.
First off, take your site offline to stop further degradation. The fastest way would be to FTP into your web space and change the password/username in your wp-config.php file on the web server - then the database and your site would be de-linked and nothing further could be changed. Your site will be offline, but it would offer you some breathing room while you figure out what to do next. (Make sure you have the correct info written down somewhere first). Alternatively, ask phpwebhosting to change the password on your account and on the mysql database - which you probably want to do anyway, just to be safe.
What you do next would depend on how you are set up.
Why can't you update from WP 2.04 to 2.5?
When was the last time you did a backup of the data from your blog, using the Wordpress export feature?
Ask phpwebhosting if they do automatic backups of your mysql database, as they might be able to restore it from backups from before the spammer took over.
Do you have a copy of all your modified files - the templates, images, and any other modifications on your site?
posted by gemmy at 1:34 PM on April 11, 2008
First off, take your site offline to stop further degradation. The fastest way would be to FTP into your web space and change the password/username in your wp-config.php file on the web server - then the database and your site would be de-linked and nothing further could be changed. Your site will be offline, but it would offer you some breathing room while you figure out what to do next. (Make sure you have the correct info written down somewhere first). Alternatively, ask phpwebhosting to change the password on your account and on the mysql database - which you probably want to do anyway, just to be safe.
What you do next would depend on how you are set up.
Why can't you update from WP 2.04 to 2.5?
When was the last time you did a backup of the data from your blog, using the Wordpress export feature?
Ask phpwebhosting if they do automatic backups of your mysql database, as they might be able to restore it from backups from before the spammer took over.
Do you have a copy of all your modified files - the templates, images, and any other modifications on your site?
posted by gemmy at 1:34 PM on April 11, 2008
I'm not sure about Wordpress, but sadly, I had to move my blog from phpwebhosting late last year. I'd been a happy customer with them for years, when suddenly my site was inaccessible. After a few hours I sent them an email from the control panel of one of my other sites with them (since I couldn't even log in to the control panel). Somebody contacted me fairly quickly to say that my site was being hit upwards of 70,000 times a day with spam comments. Now, I'm using my own CMS and a captcha was rejecting every one of these comments, but that doesn't stop the abuser from sending the requests. Support was able to send me the logs, which showed that whoever it was was using open relays and changing addresses pretty frequently. So it was basically a deliberate DDOS attack. I asked phpwebhosting to restore ssh access so I could at least try to implement some rules in mod_security... but it took more than three days for them to grant me access to my own site again. (Full story here.) So I moved. phpwebhosting is great value, but sadly I found that their web-based customer service falls down when you need immediate support. :(
I just wanted to warn you that if you're expecting any help from phpwebhosting, you may be in for a frustrating wait...
posted by web-goddess at 9:53 PM on April 11, 2008
I just wanted to warn you that if you're expecting any help from phpwebhosting, you may be in for a frustrating wait...
posted by web-goddess at 9:53 PM on April 11, 2008
I'd upgrade to Wordpress 2.0.11, at least. I'm not sure if I'd trust 2.5 yet; the prior version, 2.3, had an urgent security upgrade roughly monthly.
I suggest requesting backups from your host, & a fresh installation.
posted by Pronoiac at 10:37 PM on April 11, 2008
I suggest requesting backups from your host, & a fresh installation.
posted by Pronoiac at 10:37 PM on April 11, 2008
Response by poster: Unfortunately I'm not backed up. The reason I didn't upgrade Wordpress is my site is so customized and the blog so integrated that any integral changes are beyond my ken. phpwebhosting seems like a good deal, and fine if you're technically quite literate, but I didn't build the site and I don't have any support (a friend built it).
Does anyone have any intel on http://install4free.wordpress.net/ ?
It was recommended to me as a good option for updating if I can't do it myself, but having been burned recently, I'm loath to trust anyone with my password.
I do have admin access. But I am unable to post or change posts. When I click "save" or "publish", I am taken to a blank page. The URL of the blank pg. is the "Create new post" URL but there is nothing but white space.
I do have Akismet AND SpamKarma2. Neither was any defense in this situation.
posted by Drohan at 2:22 PM on April 12, 2008
Does anyone have any intel on http://install4free.wordpress.net/ ?
It was recommended to me as a good option for updating if I can't do it myself, but having been burned recently, I'm loath to trust anyone with my password.
I do have admin access. But I am unable to post or change posts. When I click "save" or "publish", I am taken to a blank page. The URL of the blank pg. is the "Create new post" URL but there is nothing but white space.
I do have Akismet AND SpamKarma2. Neither was any defense in this situation.
posted by Drohan at 2:22 PM on April 12, 2008
You can make your own backup, though it will be cluttered. Backup your database & your files, & then you can raze without fear.
I'm not familiar with wordpress.net.
On the blank page, view source; see if there's anything there. "Select all" in your browser might help, if it's intentionally broken. A bit of searching also suggests that reloading might help - something about WP-Cache.
I'd suggest bringing it down, then putting it up fresh, piecemeal, as verified.
(Oh, and with div stuff, it can be hard to tell if the comments are screwing things up. I can't say without glancing at the source...)
posted by Pronoiac at 2:56 PM on April 12, 2008
I'm not familiar with wordpress.net.
On the blank page, view source; see if there's anything there. "Select all" in your browser might help, if it's intentionally broken. A bit of searching also suggests that reloading might help - something about WP-Cache.
I'd suggest bringing it down, then putting it up fresh, piecemeal, as verified.
(Oh, and with div stuff, it can be hard to tell if the comments are screwing things up. I can't say without glancing at the source...)
posted by Pronoiac at 2:56 PM on April 12, 2008
Oh yeah: a quick tutorial on the Wordpress database setup.
posted by Pronoiac at 3:00 PM on April 12, 2008
posted by Pronoiac at 3:00 PM on April 12, 2008
Aha! I was looking into this, because I run Wordpress too, & I was concerned.
"hundreds of vulnerable blogs being compromised every day." Despamming would be a temporary fix, you need to upgrade. 2.0.11 is patched against this (for anyone else wondering, see 2.1.3, 2.3.3, or 2.5).
posted by Pronoiac at 3:48 PM on April 12, 2008
"hundreds of vulnerable blogs being compromised every day." Despamming would be a temporary fix, you need to upgrade. 2.0.11 is patched against this (for anyone else wondering, see 2.1.3, 2.3.3, or 2.5).
posted by Pronoiac at 3:48 PM on April 12, 2008
You *really* need to stay on top of WordPress updates for the security of your blog.
Or, if you'd rather spend your time blogging than updating software, there are lots of good alternatives to WordPress, few of which have faced these kinds of exploited vulnerabilities. I've recommended Movable Type, since I work with that one, but there are other good tools, too. One nice thing about something like MT is that you can quickly do a search-and-replace on all of your entries for porn phrases to delete, once you've imported your blog into another tool.
posted by anildash at 6:53 PM on April 12, 2008
Or, if you'd rather spend your time blogging than updating software, there are lots of good alternatives to WordPress, few of which have faced these kinds of exploited vulnerabilities. I've recommended Movable Type, since I work with that one, but there are other good tools, too. One nice thing about something like MT is that you can quickly do a search-and-replace on all of your entries for porn phrases to delete, once you've imported your blog into another tool.
posted by anildash at 6:53 PM on April 12, 2008
Response by poster: Thanks for this info. I will try to delve into the Wordpress DB, and obviously back up the whole site, crapped up as it is.
I've looked into Movable Type (and used Typepad before), however, the Wordpress blog is so integrated into the larger website that I'm not sure I'd know where to begin to port the design of the site with the blog. But the idea of being able to do a search-and-replace is so enticing (esp. since the spam is all contained in div tags and I don' typically code those into the blog posts, so I could, ostensibly find a way to replace everything within those tags. Shouldn't there be way to do that in Wordpress?
The larger problem of not being able to post/edit is the most irritating. I go to www.mysite.com/wp-admin/post.php page, where I either write a new post or edit an old one. I end up at a blank scren with the exact same URL.
posted by Drohan at 3:18 PM on April 13, 2008
I've looked into Movable Type (and used Typepad before), however, the Wordpress blog is so integrated into the larger website that I'm not sure I'd know where to begin to port the design of the site with the blog. But the idea of being able to do a search-and-replace is so enticing (esp. since the spam is all contained in div tags and I don' typically code those into the blog posts, so I could, ostensibly find a way to replace everything within those tags. Shouldn't there be way to do that in Wordpress?
The larger problem of not being able to post/edit is the most irritating. I go to www.mysite.com/wp-admin/post.php page, where I either write a new post or edit an old one. I end up at a blank scren with the exact same URL.
posted by Drohan at 3:18 PM on April 13, 2008
This thread is closed to new comments.
If you don't have admin access, you're going to need to either create an admin account or change your account to an admin account from within the MySQL database. I haven't touched WordPress in ages so I'm not familiar with the current database structure. Hopefully someone on the forums can help you out with that.
posted by junesix at 1:05 PM on April 11, 2008