Stealth WordPress attack: How to get hacked without even knowing it

Lately, one of the contact forms on a Web site I run has started to get hammered with spam form submissions. The spam submissions appear to be able to defeat common CAPTCHA programs (those things that won’t send a Web form unless you type a blurry, wiggly word to show that you’re a person, the idea being that a computer has trouble reading the word).

Interestingly, these spam submissions seem to go to sites that are just fine; ordinary, everyday sites, most but not all running WordPress, with no spam in sight. The majority of the sites that aren’t running WordPress are, naturally, running Joomla.

Of course, being the suspicious bastard I am, I immediately suspected a subtle attack like the one I talked about in October of 2010, where modifications were made to the main WordPress loop PHP file that would serve up ordinary blog posts to ordinary visitors and serve up redirectors to spam if the visitor was a search engine or if the visitor came from a search engine.

And sure enough, a quick Google search showed I was right.


Here is one of the spam submissions I received on my contact form:

wkgFqTcoAqy

Where do you come from? <a href=” http://www.construction-accident.us “>cheap stendra</a> helpings of Peninah’s food are hard to resist. Peninah also runs the store in the Miti House 2. This is a major

If you visit the site www.construction-accident.us you see a perfectly ordinary WordPress site that appears to have nothing wrong with it.

Ah, but now let’s see what Google sees!

The site has been hacked and the main WordPress loop has been tampered with. When Google looks at the page, keywords advertising prescription drugs are inserted into the page’s code.

If you click on the link in Google, you’re sent to www.construction-accident.us and then promptly redirected back to Google. It seems like the redirection is based at least in part on the browser you are using; when I use Safari on Mac, I end up at Google, but changing my browser’s user agent to Explorer 7 results in no redirection, Explorer 8 and 9 redirect to Google. I haven’t quite figured out the magic combination of browser and platform user agents to see where the hostile redirection leads to.

I downloaded the page using wget (a terminal-based Web downloader) and looked at the file that was downloaded. Whenever the hacked site sees Google as the referrer, it modifies the page by adding pharmacy keywords to the Title tag:

<title>Buy Stendra Online | Construction Accident|Oil Rig Explosion|Dallas|Texas|Gulf Mexico|Construction Accident Lawyer|Construction Accident Lawyers|Construction Accident Attorney|Construction Accident Attorneys|Construction Accident Law Firm|Construction Accident Law Firms</title>

and then it inserts the following code after the WordPress header:

<div class="post"><p>stendra</p>
</br><p>avanafil</p>
</br><p>stendra for sale</p>
</br><p>stendra (avanafil)</p>
</br><p>stendra side effects</p>
</br><p>stendra dosage</p>
</br><p>stendra vs viagra</p>
</br><p>stendra online</p>
</br><p>buy stendra</p>
</br><p>buy generic stendra</p>
</br><p>generic stendra</p>
</br><p>stendra generic</p>
</br><p>where can i buy stendra</p></br>
<p>cheap stendra</p></br><p>order stendra</p></br>
<p>stendra price</p></br><p>stendra cost</p></br>
<p>stendra cost per pill</p></br><p>stendra coupon</p></br>
<p>stendra order</p></br><p>stendra online</p></br>
<p>stendra avanafil</p></div>

You can see this if you do a Google search for

site:www.construction-accident.us

and then look at the cached version of the first hit.
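If you want to check a site of your own for this kind of cloaking rather than waiting for Google's cache to show it, here is an added example (my code, not from the original post): it fetches the page as a plain visitor, as a visitor referred from Google, and with a Googlebot user-agent, then compares the title and looks for pharmacy keywords that only appear in the "from Google" view. The sample HTML, the keyword list and the function names are constructed for the example.

```python
"""Cloaking check: compare what a page serves a plain visitor with what it
serves a visitor who appears to arrive from (or be) Google."""
import re
import urllib.request

# Constructed sample responses mirroring the pattern described above: the
# plain view is clean, the Google-referred view has a modified title and an
# injected keyword block (with the attacker's malformed </br> tags).
NORMAL_HTML = ("<html><head><title>Construction Accident Lawyer</title></head>"
               "<body><p>Welcome</p></body></html>")
CLOAKED_HTML = ("<html><head><title>Buy Stendra Online | Construction Accident Lawyer"
                "</title></head><body><div class=\"post\"><p>stendra</p></br>"
                "<p>buy stendra</p></br><p>cheap stendra</p></div><p>Welcome</p></body></html>")

# Keywords taken from the spam seen in this post; extend as needed.
PHARMA_TERMS = ("stendra", "avanafil", "viagra", "accutane", "prozac", "topamax", "pharmacy")

def title_of(html):
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    return m.group(1).strip() if m else ""

def pharma_hits(html):
    low = html.lower()
    return sorted(t for t in PHARMA_TERMS if t in low)

def compare_views(normal_html, referred_html):
    """Return findings that indicate referrer- or user-agent-based cloaking."""
    findings = {}
    t1, t2 = title_of(normal_html), title_of(referred_html)
    if t1 != t2:
        findings["title_changed"] = (t1, t2)
    extra = set(pharma_hits(referred_html)) - set(pharma_hits(normal_html))
    if extra:
        findings["injected_terms"] = sorted(extra)
    return findings

def fetch(url, user_agent, referer=None):
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    # urlopen follows redirects, so a hostile redirect shows up as a
    # completely different title rather than as an HTTP 302.
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", "replace")

def check_site(url):
    """Live check (needs network) of one site using the three views."""
    plain = fetch(url, "Mozilla/5.0")
    from_google = fetch(url, "Mozilla/5.0", referer="https://www.google.com/")
    as_bot = fetch(url, "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)")
    return {"google_referer": compare_views(plain, from_google),
            "googlebot_ua": compare_views(plain, as_bot)}

if __name__ == "__main__":
    print(compare_views(NORMAL_HTML, CLOAKED_HTML))
```

An empty dict from both comparisons is a good sign, but not proof: the injected code may key on user-agent strings or platforms other than the ones tried here, as the post's own browser experiments show.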


So that’s how the attack works. WordPress sites are hacked. The WordPress files are modified so that ordinary users and the site’s owner are not aware that anything is wrong. The site continues to look and work as normal.

But oh, people who find your site by using Google? They see ads for fake pharmaceuticals! If they visit your site from Google, they get redirected to God knows where.

There are a lot of sites that have been hacked this way. I’m getting buried under a blizzard of spam Web form submissions advertising WordPress sites that have been hacked.

A partial list from the last few days includes:

http://www.thevisualexperience.org (the hack is only visible in Google if you do a search that includes pharmacy keywords, for example: accutane site:http://www.thevisualexperience.org)
http://www.fro2012.com
http://javajitterprint.com
http://www.grouna.com
http://www.nutria.com/ (This one isn’t using WordPress; it’s using a CMS called Website Gadget by an outfit called Firefly Digital, but it looks very WordPress-like. It may be a WordPress derivative or clone.)
http://www.info-kod.si/ (Also not using WordPress)
http://autofinancedfw.com (Also not using WordPress)
http://www.guylaramee.com/ (If visited from Google, redirects to http://www.pharmacymall.net/prozac_generic.php, hosted in the Ukraine)
http://sedrez.com/ (If visited from Google, redirects to http://goldenpharma24x7.com/order-topamax-online.html, hosted in the Ukraine)
http://www.joomx.com/ (a professional Joomla developer’s site–oops!–that has been hacked; if visited from Google, redirects to http://goldenpharma24x7.com/order-topamax-online.html)
http://www.fremantlefishingboatharbour.com/ (Running Joomla; if visited from Google, redirects to http://goldenpharma24x7.com/)


Once again, if you are running a WordPress or Joomla site, it is absolutely essential that you keep on top of all security patches PROMPTLY and that you use very strong admin passwords.

With this hack, it’s likely that you could be hacked and never even know it–at least until Google starts flagging your site with a “This site may be compromised” tag.