About a week ago, I decided to look at the HTML source of my blog. I was in total shock to find a spam link hidden there. This is how it looked:
<!-- ocadia theme credits, downloaded from wpthemesfree.com --> <u id="ocadia" style="display: none">Buy some <a href="http://detoxbuddy.com/categories/191.html">marijuana drug testing</a> products</u>
Ocadia is the name of the theme I’m using, so I guessed the hidden link came from there. I was partially right. The code indeed resided in the index.php file of the theme, but as I later found out, the theme had nothing to do with it. I removed the link and the comment immediately, and went to see if it was distributed this way from Beccary (the author of the theme).
I downloaded the theme again and inspected its files. There was no spam link, and no mention of the WPthemesfree site. I was happy to know that the theme is benign. I remembered I got it directly from the author’s site, and couldn’t remember if I had ever visited WPthemesfree’s site. I glanced at the code of all the plugins I had installed to see if I could pick out anything suspicious, but nothing came up. Anyhow, I had a lot of things to do that day, so I sort of let things go.
A day later, I decided to look again at the HTML source of the blog, and to my horror, I discovered the link had come back. This time I decided to get to the root of the problem and stop it from happening again. I keep a backup of all the original packages for everything I install on the web server, including themes. I looked in the original package I downloaded when I installed the Ocadia theme, and it was clean. At this point I was sure the link didn’t come from it. I grepped the whole source tree of the blog for wpthemefree and detox, but came up with nothing.
The next step was to google for the spam link itself. I came up with a number of WordPress blogs that had the same spam message hidden, just like my blog had. I checked their installed plugins and themes, and found out that our blogs didn’t have any plugins or themes in common. This reassured me that the link didn’t come from something I had installed.
At this point I realized that the spammer had used some kind of security vulnerability in the WordPress version I’m using (2.2.2) to inject the code into my theme files. This has a much riskier potential, as in the same way they could inject arbitrary PHP code that would be executed by the web server.
I came up with the solution of locking the theme files against writing, leaving only read permission. This allows WordPress to use them, but it has the downside of disabling the option to edit them from the dashboard. This turned out to be a good fix, as the link didn’t come back again. Upgrading the WordPress version could also be a good solution (it’s something I think it’s time I should do).
The conclusion from this is that one should lock all the PHP files that don’t need to be updated against writing, leaving them with read permission only. This precaution can also help protect you from other kinds of PHP injections.
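As an added example (not from the original post), here is a small POSIX shell script that applies the fix above to a theme directory and then scans it for the hidden-link pattern described earlier. The theme path, the constructed sample files in the demo, and the function names are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Lock theme PHP files read-only and scan them for hidden spam links.

# Make every PHP file under the given directory read-only (mode 444).
# The web server can still read and include them, but neither the
# dashboard editor nor injected code running as the same user can
# write to them without first changing the mode back.
lock_theme_files() {
    find "$1" -type f -name '*.php' -exec chmod 444 {} +
}

# List files containing an element hidden with display:none that wraps
# an <a> tag, which is how the injected "theme credits" hid the link.
find_hidden_links() {
    grep -rliE 'display: *none[^>]*>[^<]*<a ' "$1" 2>/dev/null
}

# Succeed only when the file is mode r--r--r-- (no write bit for anyone).
# Uses ls rather than test -w, because -w is always true for root.
is_locked() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--r--r--" ]
}

# Demo on a constructed sample theme in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/themes/sample"
    # Constructed sample: one clean file, one carrying a hidden link.
    printf '<?php get_header(); ?>\n' > "$tmp/themes/sample/footer.php"
    printf '<?php get_header(); ?>\n<u style="display: none">Buy some <a href="http://spam.example.invalid/">stuff</a></u>\n' \
        > "$tmp/themes/sample/index.php"
    lock_theme_files "$tmp/themes"
    echo "Files with hidden links:"
    find_hidden_links "$tmp/themes"
    rm -rf "$tmp"
}

demo
```

If the files are owned by the same account the web server runs as, injected PHP could simply chmod them writable again, so keep theme and core files owned by a separate deploy user and readable by the web server.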
I’ve contacted the authors of some of the blogs I found to be infected with the spam links, and I hope they will fix it too.