SEOPerfectCart Articles


August 25, 2008

WORDPRESS HACKED WORLDWIDE !!!

Filed by: alterego @ 11:37 pm Security

Epharma and adult sites are hacking the internet, and it's worldwide, using hidden divs after the footer.

Recently some of my blogs began showing a higher risk rating on the security Toolbar. After some chin scratching, I decided to start looking at the code. I could not find anything obvious in the top-level files. Then I pulled up the raw HTML source of my blog by right-clicking and using View Page Source in Firefox or View Source in IE. Right after the FOOTER in the source I found about 1000 links to a few dot coms: mattworkman, weddingsatwork, reclaiminghistory, pop77, internetmarketingtowomenblog, which have probably been hacked. I will give them the benefit of the doubt and say they must have been hacked as I was. The difference is that these sites have hundreds of blog pages dedicated to e-pharmacy sites. The pages have head statements that look like this:

internetmarketingtowomenblog dot com/?p=34409

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>bromazepam vs valium dose. Special For you! bromazepam vs valium dose.</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta http-equiv="Content-Language" content="en-us" />
<meta name="keywords" content="bromazepam vs valium dose"/>
<meta name="description" content="Save your money. bromazepam vs valium dose - Only FREE delivery! bromazepam vs valium dose - Best Quality only here! bromazepam vs valium dose - Cheapest Drugstore Online! bromazepam vs valium dose. Click here! bromazepam vs valium dose."/>
<link rel="pingback" href="http://wordpress.com/xmlrpc.php" />
<style>BODY {overflow:hidden; margin:0px;padding:0px;}</style>

<iframe border=0 width="100%" height="100%" src="http://tablets-city.com/search.php?qq=bromazepam+vs+valium+dose"></iframe>

The copyright footer says:

Powered by <a href="htp://tabletochka.com/" target="tabletochka" class="copyright">Tabletochka.com</a> © 2001, 2005 phpBB Group Group

mattworkman dot com/blog/page.php?p=910715

<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>USA Drugstore - online phentermine forum - Best prices</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta http-equiv="Content-Language" content="en-us" />
<meta name="keywords" content="online phentermine forum"/>
<meta name="description" content="USA Drugstore - online phentermine forum - Best prices"/>
<link rel="pingback" href="http://wordpress.com/xmlrpc.php" />

<style>BODY {overflow:hidden; margin:0px;padding:0px;}</style>
<iframe border=0 width="100%" height="100%" src="http://www.topmeds10.com/search.php?aid=55551&q=online+phentermine+forum"></iframe>

The copyright footer says:

Powered by <a href="htp://tabletochka.com/" target="tabletochka" class="copyright">Tabletochka.com</a> © 2001, 2005 phpBB Group

WeddingsAtWork dot com

I believe this is a WordPress site.

<title>WeddingsAtWork.com - The online wedding guide on Filipino kasal / kasalan.</title>

<link rel="stylesheet" href="http://www.weddingsatwork.com/2008beta/wp-content/themes/WeddingsAtWork2/style.css" type="text/css" media="screen" />
<link rel="alternate" type="application/rss+xml" title="WeddingsAtWork.com - The online wedding guide on Filipino kasal / kasalan. RSS Feed" href="http://www.weddingsatwork.com/index.php/feed/" />
<link rel="pingback" href="http://www.weddingsatwork.com/2008beta/xmlrpc.php" />

All three of these sites have been compromised, and if you follow the links in the source code on each site you will spend the rest of your life opening sites that have been hacked with pages that iframe to epharma such as tablets-city dot com or topmeds10 dot com.

At this time I am leaning towards xmlrpc.php as the exploit. This is just a guess, since I do not understand how they could be logging into the admin area without having my passwords. In WordPress the footer can be changed from admin. The HTML is actually being written directly into the wp-content/themes/*** your-template ***, which is a cool trick on my site considering that all the folders are protected from direct HTTP access.

In WordPress you can edit site content by typing in:

http://www.yourdomain.com/wp-admin/templates.php?file=wp-content/themes/yourtemplate/footer.php

Usually you have to be logged in as an administrator to do this.

The truth is I am not much of a BLUE HAT when it comes to exploiting search engines. I believe it is survival of the fittest. What these hackers are doing is actually stealing bandwidth and causing sites to be delisted and marked as security risks. That crosses the line. I am putting a call out to responsible hackers and WordPress experts to help in closing the exploit. Use the comment field and leave a few links; I will allow them.

I have updated WordPress from 2.3.1 to 2.6.1 and have added quite a few htaccess files hoping to close the exploit. I will wait and see and report back.
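
One way to check a served page for the pattern described in this post, a block of off-site links hidden in or appended after the theme footer (an added example, not code from the original post). The list of hiding styles, the "footer" id/class heuristic, the threshold and the sample HTML are assumptions, since the post does not show the injected markup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide a block (assumed list; the post shows no injected markup).
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                    r"(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"img", "br", "hr", "input", "meta", "link"}  # tags with no end tag
# Constructed sample: a theme footer followed by an injected hidden link block.
SAMPLE = ('<div id="footer">&copy; My Blog</div><div style="display:none">'
          + '<a href="http://pills.example/p">x</a>' * 6 + '</div>')

class FooterSpamScanner(HTMLParser):  # collects off-site links, hidden or after footer
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.regions = {"hidden": None, "footer": None}  # name -> [tag, depth]
        self.after_footer = False
        self.hidden_links, self.trailing_links = [], []
    def _external(self, url):
        host = (urlparse(url or "").hostname or "").lower()
        return bool(host) and not ("." + host).endswith("." + self.site_host)
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        footer = tag == "footer" or "footer" in (a.get("id", "") + a.get("class", "")).lower()
        for name, opens in (("hidden", HIDDEN.search(a.get("style", ""))), ("footer", footer)):
            r = self.regions[name]
            if r and r[0] == tag:
                r[1] += 1                    # nested tag of the same name
            elif not r and opens and tag not in VOID:
                self.regions[name] = [tag, 1]
        if tag == "a" and self._external(a.get("href")):
            if self.regions["hidden"]:
                self.hidden_links.append(a["href"])
            elif self.after_footer:
                self.trailing_links.append(a["href"])
    def handle_endtag(self, tag):
        for name, r in self.regions.items():
            if r and r[0] == tag:
                r[1] -= 1
                if r[1] == 0:                # region closed
                    self.regions[name] = None
                    self.after_footer |= name == "footer"

def scan(html, site_host, threshold=5):  # threshold is an arbitrary example value
    s = FooterSpamScanner(site_host)
    s.feed(html)
    n = (len(s.hidden_links), len(s.trailing_links))
    return {"hidden": n[0], "after_footer": n[1], "suspicious": sum(n) >= threshold}
```

Feed it the HTML exactly as served (the same text View Source shows), because links injected into the theme's footer file only appear in the rendered output.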

