Changing a few things!

Sorry to confuse everyone, but I’ve been changing some things… please bear with me whilst I move over posts/comments etc from the old blog. I’ll be adding redirects soon.

I decided to move over WordPress from Mango Blog – that may make the more staunch CF developers in the world shudder, but Mango Blog just wasn’t keeping up with the times for me :)

Besides, the right tool for the right job eh?

You actually have to be impressed by Spammers sometimes…

I’ve just been cleaning up the aftermath of an exploited WordPress install. I officially hate wordpress – this particular install had been updated a few mere weeks before, but an exploit had clearly got out for that version, and therefore – havoc.

On going through the files, database, changing all the passwords etc etc, I got to the point where I was actually quite impressed by what this automated attack had done.

Firstly, exploited files were stored in both /wp-content and elsewhere – traditionally, when you ugrade WordPress, you tend to overwrite everything but the wp-content directory, .htaccess file, and wp-config.php file; the wp-content directory stores uploads, so an upgrade to WordPress wouldn’t automatically overwrite the compromised files.

Secondly, everything was Base64 encoded – once you’ve got the hang of what they’re doing, it’s fairly simple to search for “gzinflate(base64_decode” or some such string, but a typical search for ‘Viagra’ or some such spam word will never show in a search of the source code.

Thirdly – and this one is fairly obvious – every output was hidden by inline CSS, either via “display:none;” or “height:0 width:0” etc. so as not to alert the blog owner.

The really clever bit which got me was the fact that browsing via a normal browser wouldn’t make the spam show up. You had to spoof a Googlebot user agent to see the damage (oh, and turn off CSS as well).

When was the last time *you* checked your site for spam? Google this to find out – ‘site:yourdomain viagra’