

SEO SPAM network - Details of a mass attack (many .gov, .com and .edus hacked) - ddbb
http://blog.sucuri.net/2010/05/seo-spam-network-details-of-wp-includes.html

======
neurotech1
Part of the problem is that a lot of security advisories basically say "run
the latest version".

Restricting access with .htaccess is a good idea;
[http://www.themepremium.com/wordpress-security-restrict-wp-content-and-wp-includes-on-wordpress-using-htaccess/](http://www.themepremium.com/wordpress-security-restrict-wp-content-and-wp-includes-on-wordpress-using-htaccess/)

~~~
snewe
If you fail to upgrade immediately, malware is often installed and remains
after an upgrade. I missed one site by a day and got infected. The default
option to print the WP version in the <head> of each blog would certainly
lower the likelihood of a script finding an outdated site. Unfortunately once
hacked, truly cleaning the site requires

1. Backing up theme, making list of plugins installed
2. Inspecting theme for any hacks. (difficult if you wrote your own)
3. Deleting _all_ files
4. Walking through the wp_options table for any leftover holes (very difficult)
5. Re-install WP
6. Re-install theme and plugins.

The WP team needs to work in something like you linked to into the core.
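One way to carry out the "delete all files" step with some evidence in hand is to diff the live tree against a pristine copy of the same WordPress version before wiping it: anything added (a dropped `.files` directory, spam HTML under `wp-includes`) or modified (core PHP with injected code) is then listed rather than guessed at. The script below is an added example, not code from the Sucuri post or from WordPress; it assumes you have an unpacked clean release of the same version next to the site, and its `SUSPICIOUS` patterns are a small constructed set, not a full signature list.

```python
"""Compare a WordPress install against a pristine copy of the same version.

Added example for this thread (not Sucuri's or WordPress's code). Reports
files the attacker added, files that differ from the clean release, and
which of those contain a few telltale injection patterns.
"""
import argparse
import hashlib
import os
import re
from pathlib import Path

# Constructed, deliberately short pattern set: obfuscated PHP evals and
# hidden divs stuffed with pharma keywords. Extend for your own incident.
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(|"
    rb"<div[^>]*display\s*:\s*none[^>]*>.*?(viagra|cialis)",
    re.IGNORECASE | re.DOTALL,
)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not get read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def walk(root: Path) -> dict:
    """Map POSIX-style relative path -> sha256 for every file under root.

    os.walk includes dot-directories, so a dropped '.files' tree is seen.
    """
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            out[p.relative_to(root).as_posix()] = sha256_of(p)
    return out


def compare(pristine: Path, live: Path) -> dict:
    """Return added / missing / modified paths, plus those matching SUSPICIOUS."""
    clean = walk(Path(pristine))
    site = walk(Path(live))
    added = sorted(set(site) - set(clean))
    missing = sorted(set(clean) - set(site))
    modified = sorted(p for p in set(site) & set(clean) if site[p] != clean[p])
    flagged = []
    for rel in added + modified:
        if SUSPICIOUS.search((Path(live) / rel).read_bytes()):
            flagged.append(rel)
    return {"added": added, "missing": missing,
            "modified": modified, "flagged": flagged}


def main() -> None:
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("pristine", help="unpacked clean WordPress of the same version")
    ap.add_argument("live", help="document root of the possibly compromised site")
    args = ap.parse_args()
    report = compare(Path(args.pristine), Path(args.live))
    for key in ("added", "missing", "modified", "flagged"):
        print(f"== {key} ({len(report[key])})")
        for rel in report[key]:
            print("  ", rel)


if __name__ == "__main__":
    main()
```

Expect `wp-config.php` and everything under `wp-content/` to appear as added, since they are not in the release tarball; that list is exactly what steps 1 and 2 above (theme and plugin review) have to cover by hand, while the `modified` list under `wp-admin/` and `wp-includes/` should be empty on a clean site.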

~~~
neurotech1
I'm actively reviewing WordPress 3.0 beta for upgrade and plug-ins. Once I've
got the .htaccess fix working in 3.0 beta I'll post the patch.

There are a few ideas I'm considering for securing and monitoring WP
installations for intrusions.

------
vaksel
I got hacked by something almost exactly like this like 3 months ago. They
uploaded a folder called .files with about 2K HTML files there to each of my
folders.

Probably a few million crap files all together. Was a huge pain in the ass to
clear all that crap out. After that point I killed all WordPress installs,
since it has such a huge target on its back.

~~~
sucuri2
This .files attack was common too. We posted about it a while ago:

[http://blog.sucuri.net/2010/05/it-is-not-over-seo-spam-on-sites.html](http://blog.sucuri.net/2010/05/it-is-not-over-seo-spam-on-sites.html)

~~~
vaksel
btw your blog site is very scammy-looking.

I got a message from my host with a link to your site, where you instructed to
download and install a file... and I was 100% sure that it was just a
scam, where you sent out spam messages pretending to be hosts, with a link to
the blog post where you were asking me to download malware.

In fact I was in the process of contacting customer support of my host, when I
noticed the letter I got in recent history.

You should really spend a little time making it look more legitimate.

~~~
sucuri2
You lost me there. We never sent messages to anyone to download and install
files. Can you forward the email to me (dd at sucuri.net)?

*but I agree, we really need some improvements to our design.

~~~
vaksel
what I meant was that I got a letter from my host telling me I got hacked (a
week or so after I fixed everything)... and they linked to your site.

But after hitting your site, I got the impression that it was just a scam site
trying to get me to install some malware.

~~~
sucuri2
Oh, sorry about that. I misunderstood it.

But it is nice to see hosting companies linking to us :) I am still looking
for a designer to work on our blog/site.

~~~
aarongough
Shameless promotional plug: <http://waldendesign.com/>

I work for them 2 days per week, I'm sure we'll be able to help you if you're
interested.

------
AndrewWarner
Anyone know anything about sucuri.net? Reputable?

~~~
sucuri2
Yes, we are reputable :)

~~~
AndrewWarner
Thanks for all those emails!

A few hours ago I didn't know if you were legit. Now I see how considerate you
are.

So glad I met you on HN.

------
pyre
I'm failing to see any mention of a .gov domain in the article.

~~~
sucuri2
Just do the suggested searches at the bottom of it:

[http://www.google.ca/#hl=en&q=inurl%3A%2Fwp-includes%2F+%22viagra%22++inurl%3A.gov&aq=f&aqi=&aql=&oq=&gs_rfai=&fp=a9f1b4a1f96dfa78](http://www.google.ca/#hl=en&q=inurl%3A%2Fwp-includes%2F+%22viagra%22++inurl%3A.gov&aq=f&aqi=&aql=&oq=&gs_rfai=&fp=a9f1b4a1f96dfa78)

------
maukdaddy
_badminton.mit.edu_

Oh god no! Don't let it be true!

