Spammers Hack Blogs

Blog spammers have sunk to new lows.

Nivi Spam SourceNivi, a blog I’m subscribed to, was showing dozens and dozens of entries being updated even though there was no discernible difference. However as I started looking closer, I noticed if you view the source, for example on this post, there is are ton of spam links there. You can click the screenshot to the left.

The implications of this are disturbing. His blog was hacked (which isn’t unusual and could have been for a thousand reasons like another account on his server being hacked, and old version of phpBB or other software) but instead of doing anything obvious to disturb the content of the site they invisibly modified his posts using CSS-hidden text. He has probably had hundreds of posts modified. I can’t imagine cleaning it up will be pleasant.

28 thoughts on “Spammers Hack Blogs

  1. Now I feel less secure. Excuse me while I go and change my password.

    Seriously, though — I have to wonder if this is such a big deal. For Nivi, of course it’s a huge issue, but for bloggers in general is it much of a threat? I’m going to place my bets on the majority of attacks (if you will) like this being to blame on a bad password (dictionary hack, probably).

    The implications are disturbing, I agree. At best it means that spammers are going to even greater lengths, now, to do what they do best (worst?). Worst-case scenario is that this is going to be the new trend for people doing the spamming. If that’s the case, I suspect and similar blogs will be the first targetted given the very public nature of them — sign up, log in, and you’re set. As such, you can’t really count on the technical know-how of their users.

    If it is the case that this is going to be a sort of epidemic, then the best defense is probably going to simply be picking stronger passwords and ensuring you aren’t running any extremely insecure software on your site. Anything more and it’s probably overkill as far as I’m concerned, but even so I figure you should change your password at least once every few months.

    The thing about spammers is that, unlike the people who hack to abuse others work (I think the popular term was ‘crackers,’ but honestly I can’t stand saying that), they want to maintain the integrity of the original site, otherwise it’ll fall into a slump and get ignored, which is obviously something that won’t benefit them. Chances are they’ll try to make any and all changes as inconspicuous as possible, and as a result have them go undetected. So, I don’t think people will have to worry about them destroying entire blogs at the least.

    Just my two cents, incoherent as it may be.

  2. I actually had something similiar to this happen to my wedding blog, and I would have never noticed unless the spammers hadn’t screwed up and inadvertantly ruined my theme. I know in my case it had been because I’d forgotton to update to the newest version of WP because I wasn’t really actively using that blog.

  3. This is exactly what happened to me five months back (I posted about it on one of the WP mailing lists), and if I remember correctly, the same spammer domain name was involved. If I remember correctly, the hidden spam was inserted after the next-to-last closing </p> of every post, and the access patterns made it look like a script was at work. Someone saw my old posts show up as new with the spam links in Bloglines, as seen here, and alerted me to the situation.

  4. I think the core thing here is spammers are getting much sneakier, and willing to go much further. I don’t know if this means that current measures are working to an extent, or if they’re just really evil.

    I’ve emailed Nivi, until we know what caused it I wouldn’t panic about changing your password or something.

  5. Yes, I was running 1.5.2 up until a few weeks ago. I hired Mark Jaquith to upgrade me to the latest revision of WordPress and he is awesome.

    My templates were even hacked! Not just the blog posts.

    By the way, I don’t think it was a man-on-the-inside attack as I think my permissions on Dreamhost are in decent shape.

    Now that I am on 2.0.4 I have recently gotten a few weird circular trackbacks from my some of my blog posts to themselves. I’m not sure what is causing that.

  6. How difficult would it be for WordPress (for example) to check all of it’s files as soon as it’s installed (including the active theme and plugins), generating sizes and MD5 sums and placing all that info in the database? Then, if any of the files are changed (for speed, this check maybe only occurs when you login to the admin section), a warning bar will appear in the admin section. That info (file sizes and MD5 sums) would be updated automatically when any files are edited through the built-in editing interface, or when a new theme is activated, or when a new plugin is activated. When the warning bar comes up, the admin would have the option allow the changes (for ex. if they changed the files and uploaded via FTP), or temporarily disable the site until the problem can be fixed.

    Just a thought. I’ve used this method with some success, but since no one tried to hack the thing (or at least succeeded to the point of me noticing it), I couldn’t say if it’s particularly viable.

    Might be doable as a plugin though…

  7. We found some of that spam in his templates. I thought it was just because he’d been running 1.5.2 until the 8th or 9th of October, when I upgraded his site to 2.0.4 But the rise of those old posts (with spam) to the top in FeedBurner along with the internal Pingbacks has me curious. I’ll be investigating.

  8. I also had something similar on my blog a few weeks ago just after moving to my old site. Caused I’m afraid by having my installation on far poor permission settings and poor password choice. All my php files had been hacked and one line of code had been added. I only noticed because the load time for the admin got so long I looked at view-source and saw a line of code I didn’t recognise. Took hours to repair the damage and now I make all changes on my local machine before uploading! Probably over the top protection wise but not sure how else to go as a novice!

  9. The easiest way to stop this type of thing from happening would be to set up a captcha that activates on wp-login.php after a couple of bad passwords. If they fail the captcha more than twice, you could 403 the domain in mod_rewrite.

  10. I had once a similar problem and discovered it, because I am using subversion (SVN) to manage the source code modifications of my blog.
    Subversion is a version management system and allows to monitor code (and any other files) for changes / sync between local and remote web servers and very easily undo any changes done to the blog source code.
    And of course it is free and open source!

  11. The spam has been purged, and we’ve changed all passwords and closed off several potential modes of entry (old unused WP installs, etc). The unauthorized access was first gained before the 2.0.4 upgrade, and I’m fairly certain that any subsequent access was a result of the earlier access (i.e. the password was already bruteforced). So, no need for panic (unless you’re running an old version of WordPress or you have a weak password… in that case, fix it!)

    Only 54 posts had been modified, as far as I could tell, so thankfully cleanup didn’t take that long. Two preg_replace() calls on the affected posts did the trick.

  12. I’m running v2 and having the same problem. Seems I’m not the only one either:

    I noticed it when it’d happened to Eric and did look around at the time in case there was a WP security hole that needed a patch, but didn’t find anything. It’s only happened to one entry of mine as well, which seems strange — restraint isn’t normally a spammer characteristic…

  13. Assuming it was a brute force style attack and it wasn’t a phpBB breach, the other simple thing to do would be to enforce a minimum level of password strength. Enforcing minimum of 8 characters, with at least one uppercase and at least one numeric would make brute force considerably harder.

  14. If this was on a shared hosting plan, chances are that this wasn’t even Navi nor WordPress’ fault. It could just as easily been some other random piece of software on the same plan that was compromised and as long as the files were writable it could have inserted the spam links in all files if it wanted to.

    The joys of shared hosting packages and ISPs not running services jailed…

  15. I had this happen over the past year some time – they hacked in and the code caused my template to be off center just by a pixel or two – I couldn’t find the source for the longest time.

    I ended up modifying my template, but it was still out of whack in IE until I recently went into my header.php and found the spam links in there.

    I was running 2.0 at the time, I believe, so it’s not just the 1.5 users seeing this happen.

  16. This is really bad in the sense that a lot of RSS readers run HTML as trusted, local content. So this would be a way to deliver some nasty payloads from a trusted source.

  17. I wonder what security measures the average Blog has taken, I think one easy step to increase security is to alter any login links to pass over the host’s Shared SSL Certificate.That way login names and passwords won’t be sent un encrypted, anybody spying on the sites traffic will harvest nothing.

    It’s nothing new but I hope these simple precautions will help somebody and flush out a lot of the spammer.

  18. I’m glad to see things are cleared up now.

    Let this be a warning to everyone! Make absolutely certain your blog is as secure as you can reasonably make it.

    Spammers are the scum of the earth. Well, one of them

  19. I alsp get a lot of spam comments in my blog. But I use Statcounter to check my site and I sometime find that the spam links actually help some people to find my site. Evenif it is by mistake. Perhaps they are searching for the name of the company and they add another keyword that is in my blog. And guess what now my blog comes up first in their search…

  20. I’m seeing people do this to wiki’s too……. Some of the wiki’s support a raw HTML extension (trac for example) and the page will look normal until you edit the source to see a bunch of raw links at the bottom of the page.

    I wonder if there needs to be a rel=”spam” microformat for telling Google you think someone has been spamming you. Either that or a ping service where you can send them link spam.

  21. If more people would aim at hacking the spammers and spamming the spammers the world would be a better place. If ever effort to spam someone’s system or hack an account resulted in a total loss of data for the culprit they would stop doing it.

    Fight fire with fire… stop the bums in their tracks by using their own tricks.