AKA Marketing.com Logo            VISIT THE BLOG            

Blogged thoughts, is our web blog. Expect views, opinion, rants and tirades about everything and anything 

« Home / Forums »        


Subscribe to our SEO / IT related blog by entering your email address below

Blogged thoughts

| by the www.akamarketing.com team

Using Wordpress? Check the text only version of Google’s cache for hidden spam links

I’m up to my eyes programming another adwords API system at the moment so when I discovered that my Wordpress installation had been hacked, I wanted to strangle someone (ideally the person responsible) because I really didn’t have time for this.

Wordpress hidden spam links hack
The hack didn’t shutdown my blog but it might as well have because it made all my posts unfindable on the major search engines for any of their related keywords (and exact string searches). The hack I fell victim to involves some waste of space making secret changes to Wordpress source files and the Wordpress database enabling him to output a tonne of hidden links on all blog pages via a hidden Wordpress plugin. The links were complete keyword stuffed spam with anchor texts such as ‘viagra’, ‘xanax’ and ‘teeth whitening’ common among them so needless to say the search engines don’t like my blog pages anymore.

What makes this hack hard to detect is that fact that the links only get outputted when a major search engine visits a page from an ‘infected’ Wordpress installation so blog readers will likely not notice until a lot of damage is already done to your Google, MSN and Yahoo rankings. I myself only stumbled upon it earlier today when I seen all the links near the bottom of Googles’s text only cache of my last post about converting to PDF from within PHP so it was by pure chance. The links where present on the regular cache too, however they where contained in a hidden div so could not be seen by anything except the search engines… unless you viewed the page source.

Want to see an example? Well right now there a lots of cached examples on Google of what this hack did to my pages, but I’m hoping they will be gone soon so here’s a copy of the text only cache of http://www.akamarketing.com/blog/109-php-to-pdf-conversion-with-tcpdf.html from today (31st July 2008).

How can I tell if my Wordpress blog has been hit with this?
Easiest thing to do is to just visit Googles text only cache page for a couple of your blog posts (and perhaps your main blog page) and keep an eye out for about 50 spam links towards the end of the page. If you have caching by search engines disabled you can use something like Curl and ‘fake’ your user agent string to appear as if your Google (and then check the page source). I’ve done it already for you though with a iamgoogle.php script, visit http://www.akamarketing.com/iamgoogle.php?url=http://www.akamarketing.com/blog/&google=1 while replacing my URL ‘http://www.akamarketing.com/blog/‘ to the URL of one of your blog pages. When the parameter google is equal to 1 the user agent is ‘Googlebot’, when it’s anything else a regular ‘human’ user agent is used. If your checking your blog main page be sure to add the trailing slash after your blog folder as Wordpress implements a redirect from the non slashed URL version to the slashed URL version so you’ll just get a ‘Moved Permanently’ message without the trailing slash. The code of iamgoogle.php is available for those of us that are ‘into’ PHP.

If I’ve been hit with this hidden link hack how to I get rid of it?
After discovering this hack my first port of call was Google to try and search for some good information. I found three particularly good articles about what this hack is and how to get rid of it so I’ll just point you in the direction of a couple of existing posts if you don’t mind (it’s been a long day) rather than go through how to remove this in detail. The posts below all helped me:

Wordpress exploit giving backlinks, redirects and headaches but no visitors ;)

Wordpress exploit: we been hit by hidden spam link injection

Has Your WordPress Been Hacked Recently?

The above links will fill you in on the complete story but in essence fixing this hack for me involved doing a bit of fiddling with the Wordpress database, deleting some files with strange extensions and upgrading Wordpress from version 2.0.2 to 2.6. On that note I must say hats off to the Wordpress development team, it was pretty much the most pain free web application upgrade I’ve ever be done… (although I did backup everything twice just to be safe). If you already have the latest version of Wordpress I’d still recommend replacing your source code with ‘fresh’ code just in case it’s been edited (which is very likely for this hack).

How can I detect something like this in the future?
After I upgraded Wordpress I was pretty certain that my installation was now clean, however I asked myself how can I detect something like this more quickly (I have a hunch that this hack was ‘active’ since April) in the future if it happens again? I came to the conclusion that I needed some sort of file integrity checker similar to Tripwire to alert me when any of my www space files change. 

Tripwire and many other similiar systems are not usually available on shared hosts but they all essentially take a sha1 (or md5) hash of all watched files, store the hashes and then periodically compare the stored hashes against regenerated ones to check if any files have been edited so writing something custom specific to my needs wouldn’t be that hard to do.

OK that’s enough rambling for today, here’s hoping you have a had a better day than me.

9 Comments on “Using Wordpress? Check the text only version of Google’s cache for hidden spam links”
1| Richard Hearne said,

Just one small footnote - some of these scripts do a reverse-lookup to display the links only to verified Googlebots, so just changing the UA wont always identify the links.

Sorry to hear you were hit. What Version of WP were you running?


2| David Callan said,

Hi Richard, was using Wordpress 2.0.2. Thanks for the note about the reverse-lookup. I’m going to has to sort something out to check my files aren’t edited in the future.

I’m just after finding another one of the executables associated with this in a non blog folder, so it seems any directory that is writable may be used to conduct this hack. I don’t have ssh access with Blacknight so will have to get them to run some fancy find command to get all these buggers once and for all.

By the way do you think I should contact Google and explain why all my blog pages had spam links in them or will time do the trick? I didn’t get any notices via webmaster central.

3| Richard Hearne said,

It can do no harm - file a reconisderation request. State what you found, and what you’ve done to clean it up.

I’d also upgrade to the latest WP - actually much better to use IMO. Lots of changes, so it may take a little while for you to get used to it.


4| David Callan said,

Upgrade to 2.6 already done as part of the process yesterday. Nice backend interface on it. I enabled gears on it too, so all the JS, CSS, Images etc. are stored on my machine so everything loads super quick.

5| How To Combat SQL Injection Attacks on Wordpress said,

[...] article is there one that explains what is going on with the latest SQL Injection attacks and how to combat them.  Keeping your wordpress version updated is a good start. But he also [...]

6| rob said,

In terms of catching similar in future, you could also set up a google alert http://www.domain.com viagra

7| David Callan said,

Hi Rob, excellent suggestion, never thought of that.

8| Coyote Mercury » Hacked Off said,

[...] idea how to do these things so big shout-outs to: BlogBuildingU.com, WordPress Philippines, Marketing.com, Ms. Adventures in Italy, and especially to Get Rich Slowly for their detailed instructions on [...]

9| Jeffrey Smith said,

Man that was evil, fortunately you had the where with all to dissect the attempt, but like you said, the damage was already done. Thanks for providing the tips to prevent future attempts to exploit wordpress. It is our favorite CMS system, I just hate to see it vulnerable like that due to its popularity as a blogging platform.

Take care David

Leave a Comment
12 Lorcan Crescent, Santry, Dublin 9, Ireland +353 87 9807629