Thanks for the pageviews, no thanks for the spam.
August 5, 2009 6:26 AM   Subscribe

I have been getting weird Wordpress referrer spam the last 4 days, but there are no injections or anything of the like on my site.

I have a site running wordpress. No comments or users, I'm using it as a simple CMS.

I'm using the StatPress plugin to check out who is coming to the site. This morning, I noticed an abnormally large number of visitors the last few days.

People seem to be visiting pages like mysite.com/?myfjkfosljfsfjd (NB : not a string I've seen, just an example). When clicked, it will go to my homepage. Checking the source, there is nothing out of the ordinary (no spam links, etc). If you google that end string by itself, you get one result, to my site, with a summary that lists a whole bunch of viagra type words.

Any idea what is going on, and how I can stop this?

I was running 2.8.2, upgraded to 2.8.3 this morning.

You can get my details from my userpage if you want specifics.
posted by tip120 to Computers & Internet (5 answers total) 1 user marked this as a favorite
 
Lots of these random drive-by probes are just to test and collect various possible holes in applications, or to force a 404 error that will betray server type, OS, version, etc.

But the summary with viagra-y results is odd, esp. if you're saying the Google results are pointing to your page but contain words and info that aren't found on your WP site. Can you post the string/resulting viagra-y example so we can take a closer look?

And what's the offending IP? Places like httpbl may have some info on the offending IP and their methods.
posted by bhance at 1:59 PM on August 5, 2009


Actually, nevermind - I see what you mean after poking around your profile and Google. And it's the cache of the page that points to a page that has a bunch of spamminess in it.

This seems to describe the same attack, but it is a bit dated. (see also). That isn't a 100% answer but it looks very similar.
posted by bhance at 2:19 PM on August 5, 2009


Thanks bhance. Most references I see are related to like 2 years ago, and refer to upgrading to WP 2.5. None of them explicitly deal with this situation. I changed the mySQL and admin passwords, just a a precaution, but I am still seeing this crap poke through.

http://spamcheckr.jungleg.com/ (which your links refer to), finds no issues.
posted by tip120 at 7:19 PM on August 5, 2009


Have you examined your raw weblogs for anything funky looking?
posted by bhance at 8:05 PM on August 5, 2009


Christ. What a fucked thing. Found, buried in the footer, a weird string that led to 2 bogus php files, one called search.php, the other was default-filterst.php

Scary thing is that they led to the server root.

passwords, etc. changed. no write access for anyone.

Thanks for your help
posted by tip120 at 8:21 PM on August 5, 2009


« Older How should I travel from Yosemite to Las Vegas...   |   Help me identify what is growing on my feet! Newer »
This thread is closed to new comments.