About a week ago, I decided to look at the HTML source of my blog. I was in total shock to find a spam link hidden there. This is how it looked:
<!-- ocadia theme credits, downloaded from wpthemesfree.com -->
<u id="ocadia" style="display: none">Buy some <a href="http://detoxbuddy.com/categories/191.html">marijuana drug testing</a> products</u>
Ocadia is the name of the theme I’m using, so I guessed the hidden link came from there. I was partially right. The code indeed resided in the index.php file of the theme, but as I later found out, the theme had nothing to do with that. I removed the link and the comment immediately, and went to see if it was distributed this way from Beccary (the author of the theme).
I downloaded the theme again and inspected its files. There was no spam link, and no mention of the WPthemesfree site. I was happy to know that the theme was benign. I remembered I had got it directly from the author’s site, and couldn’t remember ever having visited WPthemesfree’s site. I glanced at the code of all the plugins I had installed to see if I could pick out anything suspicious, but nothing came up. Anyhow, I had a lot of things to do that day, so I sort of let things go.
A day later, I decided to look again at the HTML source of the blog, and to my horror, I discovered the link had come back. This time I decided to get to the root of the problem and stop it from happening again. I keep a backup of all the original packages for everything I install on the web server, including themes. I looked in the original package I had downloaded when I installed the Ocadia theme, and it was clean. At this point I was sure the link didn’t come from it. I grepped the whole source tree of the blog for wpthemefree and detox, but came up with nothing.
The next step was to google for the spam link itself. I came up with a number of WordPress blogs that had the same spam message hidden, like my blog had. I checked their installed plugins and themes, and found out that our blogs didn’t have any plugins or themes in common. This reassured me that the link didn’t come from something I had installed.
At this point I realized that the spammer had used some kind of security vulnerability in the WordPress version I’m using (2.2.2) to inject the code into my theme files. This has much riskier potential: in the same way they could inject arbitrary PHP code that would be executed by the web server.
The solution I came up with was to lock the theme files against writing, leaving only read permission. This allows WordPress to use them, but it has the downside of disabling the option to edit them from the dashboard. This turned out to be a good fix, as the link didn’t come back again. Upgrading the WordPress version could also be a good solution (I think it’s time I did that).
The conclusion from this should be that one should make all the PHP files that don’t need to be updated read-only, leaving them with read permission only. This precaution also helps against other kinds of PHP injection that work by writing into files, provided the account the web server runs as does not own the files: an owner can simply restore the write bit, so ownership matters as much as the mode bits.
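The following is an added example, not a script from the original post, showing the lock-down and the two checks described above as shell functions: strip the write bit from every .php file under a theme directory, list any .php files that are still writable, and grep for links hidden with display:none the way the injected snippet was. The sample theme it builds (footer.php, index.php and the example.invalid link) is constructed for the demo; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): make a WordPress theme's PHP
# files read-only and scan them for hidden spam links. The demo theme built
# by make_demo_theme is constructed for illustration only.

# Strip the write bit from every .php file under DIR (e.g. 644 -> 444).
# WordPress only needs to read theme files at request time, so the site
# keeps working while the dashboard theme editor can no longer save.
lock_php_files() {
    find "$1" -type f -name '*.php' -exec chmod a-w {} +
}

# Print every .php file under DIR that still carries a write bit for
# anyone. ls(1) is parsed instead of using [ -w ] because the test
# operator answers "writable" for everything when you are root.
find_writable_php() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        case "$(ls -ld "$f" | cut -c2-10)" in
            *w*) printf '%s\n' "$f" ;;
        esac
    done
}

# Exit 0 when no .php file under DIR is writable, 1 otherwise.
verify_locked() {
    [ -z "$(find_writable_php "$1")" ]
}

# Print "file:line" for every line that hides an <a> link inside an
# element styled display:none, the shape of the injected snippet
# (<u style="display: none">... <a href="...">...</a> ...</u>).
scan_hidden_links() {
    grep -rniE --include='*.php' \
        'display:[[:space:]]*none[^>]*>[^<]*<a[[:space:]]' "$1" | cut -d: -f1,2
}

# Build a throwaway theme directory (constructed sample data): one clean
# file and one carrying an injected hidden link, so the functions above
# can be tried without touching a real WordPress install.
make_demo_theme() {
    mkdir -p "$1"
    cat > "$1/footer.php" <<'EOF'
<?php wp_footer(); ?>
</body></html>
EOF
    cat > "$1/index.php" <<'EOF'
<?php get_header(); ?>
<!-- theme credits, downloaded from wpthemesfree.com -->
<u id="ocadia" style="display: none">Buy some <a href="http://example.invalid/spam">spam</a> products</u>
<?php get_footer(); ?>
EOF
    chmod 644 "$1"/*.php
}

# Usage: sh lock_theme.sh /path/to/wp-content/themes/ocadia
# With no argument, run the whole procedure against the constructed theme.
if [ "$#" -ge 1 ]; then
    echo "Hidden links in $1:"; scan_hidden_links "$1"
    lock_php_files "$1"
    verify_locked "$1" && echo "All .php files under $1 are now read-only"
else
    demo=$(mktemp -d)
    make_demo_theme "$demo"
    echo "Hidden links found:";   scan_hidden_links "$demo"
    echo "Writable before lock:"; find_writable_php "$demo"
    lock_php_files "$demo"
    echo "Writable after lock:";  find_writable_php "$demo"
    rm -rf "$demo"
fi
```

Run find_writable_php periodically (a cron job is enough): a theme file that has regained its write bit, or a scan hit in a file you did not edit, is the signal that something is writing to the tree again. The mode bits only hold if the web server's account cannot chmod them back, so keep the files owned by a separate deploy user rather than by www-data or whatever user PHP runs as.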
I’ve contacted the authors of some of the blogs I found to be infected with the spam links, and I hope they will solve it too.
10x Guy !!!
These spammers are so borrowing, just like fleas 🙂