Has anyone smeared honey all over my site while I wasn’t looking? Once again I find out the Division by Zer0 has been compromised and spam links are being inserted invisible into my content. And that’s only 10 days after the last time. Argh!
This time I didn’t discover it through a google search but rather when someone from NoState.com contacted me through IM to let me know. This time the spam links were not hidden from the normal source but rather simply invisible in the normal page. This at least makes them much easier to find out and know when you’ve removed them. Nevertheless, this always feels like a very nasty violation every time it happens.
However the exploit was better hidden this time. It wasn’t just a few files hidden in my subdirectories but rather code inserted in my actual wordpress and theme files. This seemed to have been done through some kind of xss exploit but I have no idea how it managed it as I’m running the lastest WP version. Fortunately Adrian was good enough to point out a wordpress support thread for my exact issue which helped me locate and rip out the source of the spam quickly. This is why it pays to microblog your aggravation I guess
Btw, I also noticed that the previous malicious cache.php file had reappeared in my wp-content folder. This time I saved a copy before deleting it and now you can all see what kind of crap they put in your server. Notice the quite humorous note telling you that “modified republishing is restricted”. Or what? Are they going to take you to court?
At least this later crack forced me to finally go ahead and lockdown my site even more. Now the site root, wp-content and my theme directory are read-only from my user as well. Let’s hope this doesn’t create any issues. Unfortunately I cannot make the plugin directory read only as very often they need to write in there as well but I don’t think this was done through a plugin so I think I’m good.I’ve also finally changed the prefix for all my database tables to avoid any zero-day exploits which I’ve been meaning to do for a while.
I also tried to install one logging plugin I saw mentioned in the wordpress forum but unfortunately it didn’t work for me. What would be really great however is a way to monitor all your site files for changes and whenever any file is modified or added, an email would be dispatched to the admin. Sure, you might get notifications for when you upload a new plugin or add new images through wordpress’ builtin function but you could easily ignore those. But when you see a change in your index.php that you didn’t initiate, then certainly something needs to be checked.
On a more positive note, I’ve gone ahead and integrated with Google’s Friend Connect. You can probably see it already on my sidebar where you can add yourself as a “member” of the site, whatever that is. I used to have Facebook but that requires you to add a FB application which not everyone cares to do. Everyone and their mother has a a google account by now however so hopefully this may give me a better idea of how many people like the site enough to register themselves.
But I swear, if I get compromised again, I’m going for a complete wipe and reinstall. It can only mean that I’ve got a trojan that won’t stop making my life difficult.