Die Spammers

Do you have your own blog?  Is it full of spam?  Are you sure?

A while back a friend of mine asked me a question about her blog.  Everything looked normal in every newsreader except for Google Reader.  In Google Reader every post appeared to be nothing but pharmacy spam.

I looked for the spam in view source, I downloaded the feed and checked it, I even crawled through the PHP code looking for a clue.  Everything looked perfectly normal.  It wasn’t until I started digging through the database that I discovered what was happening.

Somehow, the spammers replaced two plugins on her site with their own malicious plugins.  These new plugins changed the contents of each post based on the referrer.  That’s why spam only showed up when viewed by Google.

The clue was in the “wp_options” table in a field called “active_plugins”.  I noticed a couple of plugins that started with a dot.  For example, instead of “akismet/akismet.php”, the name was more like “akismet/.akismet.php”.

In Unix, file names that begin with a dot are hidden by default.  The initial dot is so subtle that most people won’t even notice it in the database, especially since there’s lots of other information in that field.
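
An added example, not code from the original post: a Python check that parses the “active_plugins” value and flags any entry whose directory or file name starts with a dot. It assumes the value has been copied out of “wp_options” in the PHP-serialized array form WordPress stores it in; the sample value and the names parse_active_plugins and hidden_plugins are constructed for illustration.

```python
import re

# Constructed sample of the "active_plugins" option_value from wp_options.
# Assumption: WordPress stores it as a PHP-serialized array of plugin paths.
SAMPLE = (
    b'a:4:{'
    b'i:0;s:19:"akismet/akismet.php";'
    b'i:1;s:20:"akismet/.akismet.php";'
    b'i:2;s:9:"hello.php";'
    b'i:3;s:26:"example-plugin/.loader.php";'
    b'}'
)

ENTRY = re.compile(rb'i:\d+;s:(\d+):"')


def parse_active_plugins(value: bytes) -> list:
    """Parse a flat PHP-serialized array of strings, honouring byte lengths."""
    head = re.match(rb'a:(\d+):\{', value)
    if not head:
        raise ValueError("not a PHP-serialized array")
    pos, plugins = head.end(), []
    for _ in range(int(head.group(1))):
        m = ENTRY.match(value, pos)
        if not m:
            raise ValueError(f"unexpected token at byte {pos}")
        start = m.end()
        end = start + int(m.group(1))
        if value[end:end + 2] != b'";':
            raise ValueError(f"declared length is wrong at byte {start}")
        plugins.append(value[start:end].decode("utf-8", "replace"))
        pos = end + 2
    if value[pos:pos + 1] != b'}':
        raise ValueError("array is not closed where its count says it ends")
    return plugins


def hidden_plugins(plugins):
    """Return entries with a directory or file name that starts with a dot."""
    return [p for p in plugins
            if any(part.startswith(".") for part in p.split("/"))]


if __name__ == "__main__":
    for path in hidden_plugins(parse_active_plugins(SAMPLE)):
        print("suspicious active plugin:", path)
```

The same dot-prefix test applies to the plugin files on disk, where a default directory listing will not show them.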

Discovery

Here’s a simple way to check your site for this kind of spam.  You can restrict a Google search to a single site by adding “site:domain” to your query.  For example, to search for the word Vaigra on my site try something like this:

viaghra site:anthonylewis.com

This should only show one result for my site – this page.   Put your domain name in place of “anthonylewis.com” to see the results for your site.  If you get lots of results, then you have a problem.

Removal

The first thing I did to remove the spam was change all of her passwords – WordPress, Database, and FTP.  We used much more secure passwords.  I have another post in the works that addresses secure passwords.

Next, I made sure she was running the latest version of WordPress.  Updating WordPress is getting easier all the time.  It’s always been a simple 2-3 step process, but now it’s almost automatic.

Finally, I removed the plugin files with the initial dots and cleared the “option_value” from the database for “active_plugins”.  This disables all of the plugins.  Don’t forget to enable the ones you really need.

Aftermath

Unfortunately, the spam on her site still shows up in Google’s cache.  It’s been over a week now.  I’m not sure how long Google keeps pages in their cache, but this should go away soon.

One option I would recommend if you’re having a problem with stale data in Google’s cache is the Google XML Sitemaps plugin.  This plugin maintains an XML file that lets Google know where to find things on your site and when they were last updated.

Help

Let me know if you’re having this problem.  I have a lot of experience working with WordPress and I would love to help you out.  Leave a comment below or click the Contact link at the top of the page if you’re shy.

I provide advice and guidance for free.  If you’d rather I log on to your site and completely remove this mess, I’ll do that for a small fee.

3 thoughts on “Die Spammers”

  1. Now this is interesting – in the few hours since this post was published it has already received 3 spam comments and 1 spam trackback.

    Apparently spammers like posts that talk about spam.

  2. I went looking for the aforementioned plugin and it says I need to create files and make them writable via CHMOD 666. Do you do that using command line?

    http://wordpress.org/extend/plugins/google-sitemap-generator/installation/

    Also I notice that when I go to my WordPress dashboard I get a message that tells me I need to update WordPress but am I correct in assuming that my host needs to do that or should I just click it and follow instructions?

    “WordPress 2.8.1 is available! Please update now.” with please update now being a clickable link.

    you know me – answers just always lead to more questions 🙂

  3. I can help you install the plugin if you want. Catch me on chat sometime.

    As for the update. You can do that yourself. Just click “Update Now”, then choose the automatic update.
