Goddamnit! Someone, managed somehow to insert malicious php scripts into the site which were injecting invisible spam links to my content. Even more insidiously, those links were not injected to the html source of the page unless the browser user agent reported that it was a googlebot, making them all but impossible to see with a normal browser.
I was lucky to notice this because in the Google Webmaster tools I still had my site address added as www.dbzer0.com which was wrong as I’m not using the www. part anymore. Fortunately however, this allowed the site stats to show the keywords in the content instead of simply how people are linking to it, which made all the spam stand out.
When I saw that my fist action was to do a search just to see if I was possibly looking at outdated data. Unfortunately, the results were not uplifting.
This was not good. Looking at the cached copies of these pages, it was obvious that these links existed at least since the start of February which means that whatever is causing this, was added after my upgrade to WP2.7 or managed to remain active after it. The source code for the googlebot looked like this, when it should have been looking like this. The links were apparently pointing to redirection scripts in a cracked Movable Type based blog. I’ve fired an email to the author to advise him to take the site down but have heard nothing from him yet.
Take note people: If you’re not going to keep your site updated and patched, either take it down, or export it into pure html and let that stand. Don’t let your obsolete php and mysql setup running as that just invites people to turn your old site into a spam haven.
At this point I started looking around the interwebs in a bit of a panic as hate this kind of shit being associated with me. I couldn’t find anything exactly like what I had unfortunately. The only thing coming close that I found was this post which at least gave me some ideas on where to look.
I was able to discover 2 malicious php scripts residing in my wp-content folder. One was called cache.php and was on directy under /wp-content/ while the other was in the /wp-content/uploads and had a weirder name (can’t remember now). I summarily deleted them (although in retrospect I should have probably saved them for all of you to see) but I did notice the ironic comment inside, warning people not to copy them and pass them around.
I couldn’t find anything else after that but I was still not certain I was rid of the spam. A quick look through the google bot’s eyes showed me that the page didn’t return any spam results but that could also be because the script doing it is smart enough to recognise fake google agents. The only real way to find out if this still happens is to wait until Google indexes one of the spammed posts again and see if the spam links still appear.
As a precautionary measure, I also changed my WP password (as unlikely as it is that it would have been cracked through brute force) and looked around for anything that can help me discover such stuff in the future. I did find a plugin that looks very promising in this regard but unfortunately due to the way it asks for RAM and the setup of my host’s php, I can’t allocate enough memory for it to run. A last precaution was to add a search alert for these keywords appearing on my site which will, if I get cracked in the future again, give me notice within a few days.
On a more positive note, hopefully by removing these huge-ass scripts (many hundreds of line of code each) perhaps the load on my server will be reduced as well. But I’d be happy even if I simply see these keywords disappear from the Webmaster tools soon.