Lately, one of the contact forms on a Web site I run has started to get hammered with spam form submissions. The spam submissions appear to be able to defeat common CAPTCHA programs (those things that won’t send a Web form unless you type a blurry, wiggly word to show that you’re a person, the idea being that a computer has trouble reading the word).
Interestingly, the links in these spam submissions seem to go to sites that are just fine: ordinary, everyday sites, most but not all running WordPress, with no spam in sight. The majority of the sites that aren’t running WordPress are, naturally, running Joomla.
Of course, being the suspicious bastard I am, I immediately suspected a subtle attack like the one I talked about in October of 2010, where modifications were made to the main WordPress loop PHP file that would serve up ordinary blog posts to ordinary visitors and serve up redirectors to spam if the visitor was a search engine or if the visitor came from a search engine.
And sure enough, a quick Google search showed I was right.
Here is one of the spam submissions I received on my contact form:
Where do you come from? <a href="http://www.construction-accident.us">cheap stendra</a> helpings of Peninah’s food are hard to resist. Peninah also runs the store in the Miti House 2. This is a major
If you visit the site
Ah, but now let’s see what Google sees!
The site has been hacked and the main WordPress loop has been tampered with. When Google looks at the page, keywords advertising prescription drugs are inserted into the page’s code.
If you click on the link in Google, you’re sent to
I downloaded the page using wget (a terminal-based Web downloader) and looked at the file that was downloaded. Whenever the hacked site sees Google as the referrer, it modifies the page by adding pharmacy keywords to the Title tag:
<title>Buy Stendra Online | Construction Accident|Oil Rig Explosion|Dallas|Texas|Gulf Mexico|Construction Accident Lawyer|Construction Accident Lawyers|Construction Accident Attorney|Construction Accident Attorneys|Construction Accident Law Firm|Construction Accident Law Firms</title>
and then it inserts the following code after the WordPress header:
</br><p>stendra for sale</p>
</br><p>stendra side effects</p>
</br><p>stendra vs viagra</p>
</br><p>buy generic stendra</p>
</br><p>where can i buy stendra</p></br>
<p>cheap stendra</p></br><p>order stendra</p></br>
<p>stendra price</p></br><p>stendra cost</p></br>
<p>stendra cost per pill</p></br><p>stendra coupon</p></br>
<p>stendra order</p></br><p>stendra online</p></br>
You can see this if you do a Google search for
and then look at the cached version of the first hit.
So that’s how the attack works. WordPress sites are hacked. The WordPress files are modified so that ordinary users and the site’s owner are not aware that anything is wrong. The site continues to look and work as normal.
But oh, people who find your site by using Google? They see ads for fake pharmaceuticals! If they visit your site from Google, they get redirected to God knows where.
There are a lot of sites that have been hacked this way. I’m getting buried under a blizzard of spam Web form submissions advertising WordPress sites that have been hacked.
A partial list from the last few days includes:
Once again, if you are running a WordPress or Joomla site, it is absolutely essential that you keep on top of all security patches PROMPTLY and that you use very strong admin passwords.
With this hack, it’s likely that you could be hacked and never even know it–at least until Google starts flagging your site with a “This site may be compromised” tag.
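A site owner can repeat the wget comparison described above automatically. The following is an added example, not code from the original post: it fetches a page once as a direct visitor and once with a Google referrer, then reports a changed title or extra paragraphs. The header values, function names and sample pages are assumptions constructed for illustration.

```python
import re
import urllib.request

# Assumed header values for the "arrived from a Google result" request.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64)"
GOOGLE_REFERER = "https://www.google.com/"

def fetch(url, referer=None):
    """Download a page, optionally claiming to come from a search result."""
    headers = {"User-Agent": BROWSER_UA}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

def title_of(html):
    m = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    return " ".join(m.group(1).split()) if m else ""

def paragraphs(html):
    """Set of normalized <p> texts, so unrelated markup changes are ignored."""
    found = re.findall(r"<p\b[^>]*>(.*?)</p>", html, re.I | re.S)
    return {" ".join(re.sub(r"<[^>]+>", " ", p).split()).lower() for p in found}

def cloaking_report(direct_html, search_html):
    """Diff the page a direct visitor gets against the search-referred one."""
    injected = sorted(paragraphs(search_html) - paragraphs(direct_html) - {""})
    titles = (title_of(direct_html), title_of(search_html))
    return {"titles": titles, "title_changed": titles[0] != titles[1],
            "injected_paragraphs": injected,
            "suspicious": titles[0] != titles[1] or bool(injected)}

def check_site(url):
    """Fetch your own site both ways and compare (needs network access)."""
    return cloaking_report(fetch(url), fetch(url, GOOGLE_REFERER))

# Constructed sample pages (not captured from any real site).
DIRECT = "<html><head><title>Example Law Firm</title></head><body><p>Welcome.</p></body></html>"
SEARCH = ("<html><head><title>Buy Stendra Online | Example Law Firm</title></head><body>"
          "</br><p>stendra for sale</p>\n</br><p>cheap stendra</p></br>"
          "<p>Welcome.</p></body></html>")

if __name__ == "__main__":
    print(cloaking_report(DIRECT, SEARCH))
```

A clean report is not proof of a clean site: pages with per-request content can differ legitimately, and the tampered code may key on something other than the referrer, such as whether the visitor is a search engine.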