Recent Spam Links

03 Jun 2014 | Makyo

[adjective][species] was compromised last night through a template loader bug in WordPress.  The only effect we have seen from the compromise is that spam links were injected at the top of the page, visible only to visitors from certain IP ranges (notably Google's; the goal is to boost the spam sites' ranking in the search engine while keeping the injection hidden from ordinary readers).  This appears to have been an automated attack on several WordPress sites on our host, and no data has been compromised.  Even so, it should serve as a reminder to practice Safe Password!

If you run WordPress and find yourself in a similar situation, here are the steps required to clean it up:

  1. Search your installation for the injected code.  It sits at the top of your theme's index.php, as a PHP comment block that opens with the marker mx_start and closes with mx_orig_end.  If you have access to the command line, you can list every PHP file carrying the marker with the following command (note the quoted glob, so the shell does not expand *.php before find sees it, and the space before \;):
    find . -name '*.php' -exec grep -q "mx_start" {} \; -print
  2. Clean the files by removing the block.  If you'd like to automate the process, here is a python snippet for doing so:
    import re
    import sys
    
    # Read and write bytes so theme files that are not valid UTF-8 survive the round trip.
    with open(sys.argv[1], 'rb') as f:
        text = f.read()
    
    # The injected block is a PHP comment delimited by mx_start ... mx_orig_end.
    # DOTALL lets '.' span newlines; the non-greedy '.*?' stops at the first
    # mx_orig_end, so a file holding two blocks is not gutted between them.
    pattern = re.compile(rb'<\?php /\*mx_start.*?mx_orig_end\*/ \?>', re.DOTALL)
    
    # Write the cleaned file to stdout without print()'s extra trailing newline.
    sys.stdout.buffer.write(pattern.sub(b'', text))
    

    Run it over every affected file by saving it as demx.py and using bash like so (the filenames are quoted so paths with spaces survive, and the && keeps a failed run from overwriting the original with an empty file):
    find . -name '*.php' -exec grep -q "mx_start" {} \; -print | while read -r i; do python demx.py "$i" > "$i.demx" && mv "$i.demx" "$i"; done
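As an added, more complete version of the two steps above (example code written for this page, not the post's own demx.py): it walks a WordPress tree, copies each infected file to a quarantine directory outside the web root before rewriting it, and removes every mx_start ... mx_orig_end block in a file rather than only the first.  The marker names are taken from the post's regex; the body of the injected block in the constructed sample is a placeholder, since the page does not reproduce the real payload, and the wp-content/themes/example layout used by demo() is assumed.

```python
"""Find and remove the mx_start ... mx_orig_end spam block from a WordPress tree.

Added example for this page, not the original post's demx.py.  Only the block's
delimiters (mx_start / mx_orig_end, from the post's regex) are modelled; the
injected body used in demo() is a constructed placeholder, not the real payload.
"""
from __future__ import annotations

import re
import sys
import tempfile
from pathlib import Path

# Bytes rather than str, so theme files that are not valid UTF-8 round-trip
# unchanged.  The non-greedy '.*?' stops at the first mx_orig_end, so a file
# carrying two injected blocks loses only the blocks, not the code between
# them.  The optional trailing newline is the one the injection added.
MX_BLOCK = re.compile(
    rb"<\?php\s*/\*mx_start.*?mx_orig_end\*/\s*\?>(?:\r?\n)?",
    re.DOTALL,
)

# Constructed sample data: the post's delimiters around a placeholder body,
# prepended to a minimal theme index.php.  Not the real injected code.
INJECTED = (
    b"<?php /*mx_start*/ /* placeholder for the injected spam-link code */ "
    b"/*mx_orig_end*/ ?>\n"
)
THEME_INDEX = b"<?php get_header(); ?>\n<p>Hello</p>\n<?php get_footer(); ?>\n"


def strip_block(data: bytes) -> tuple[bytes, int]:
    """Return (cleaned bytes, number of injected blocks removed)."""
    return MX_BLOCK.subn(b"", data)


def find_infected(root: Path) -> list[Path]:
    """Every *.php file under root whose contents carry the mx_start marker."""
    return sorted(p for p in root.rglob("*.php") if b"mx_start" in p.read_bytes())


def clean_file(path: Path, backup: Path) -> int:
    """Strip the block from one file, first copying the infected original to backup.

    The copy is kept for forensics; backup should point outside the web root so
    no infected PHP is left where the web server can serve or execute it.
    """
    original = path.read_bytes()
    cleaned, count = strip_block(original)
    if count:
        backup.parent.mkdir(parents=True, exist_ok=True)
        backup.write_bytes(original)
        path.write_bytes(cleaned)
    return count


def clean_tree(root: Path, quarantine: Path) -> dict[str, int]:
    """Clean every infected file under root; map relative path -> blocks removed."""
    removed: dict[str, int] = {}
    for path in find_infected(root):
        rel = path.relative_to(root).as_posix()
        # Flatten the relative path so two themes' index.php files cannot collide.
        backup = quarantine / (rel.replace("/", "__") + ".quarantined")
        removed[rel] = clean_file(path, backup)
    return removed


def demo() -> dict[str, object]:
    """Build a throwaway tree with one infected and one clean file, then clean it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wordpress"
        theme = root / "wp-content" / "themes" / "example"  # assumed layout
        theme.mkdir(parents=True)
        (theme / "index.php").write_bytes(INJECTED + THEME_INDEX)
        (theme / "footer.php").write_bytes(THEME_INDEX)
        quarantine = Path(tmp) / "quarantine"
        before = [p.relative_to(root).as_posix() for p in find_infected(root)]
        removed = clean_tree(root, quarantine)
        return {
            "infected_before": before,
            "removed": removed,
            "index_after": (theme / "index.php").read_bytes(),
            "infected_after": len(find_infected(root)),
            "quarantined": sorted(p.name for p in quarantine.iterdir()),
        }


def main(argv: list[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} WORDPRESS_ROOT QUARANTINE_DIR", file=sys.stderr)
        return 2
    for rel, count in clean_tree(Path(argv[1]), Path(argv[2])).items():
        print(f"{rel}: removed {count} injected block(s)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Invoke it as, for instance, `python clean_mx.py /var/www/wordpress /root/quarantine` (both paths are hypothetical); the quarantine directory deliberately sits outside the document root.  Stripping the block removes the spam links but not whatever wrote them, so updating WordPress and changing passwords, as the post advises, still has to follow.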