Anyone else seeing Viagra spam being inserted into SEB posts?

A user contacted me through ***Dave to let me know he was seeing extra content in SEB entries that didn’t look like it belonged there. He sent along a screenshot and a copy of the HTML source and, yep, there appeared to be extra paragraphs with spam links being inserted among the other text.

Here’s the screenshot:

Click to enlarge (ha!).

A while back there were some WP hacks going around (mainly through compromised plugins) that would insert hidden spam into a template; the spam only showed up when you did a Google search for the blog in question and otherwise didn’t show on the live site itself. This, however, appears to be something totally new.

I’ve checked SEB pretty thoroughly and it doesn’t appear to be anything generated here. The reader who reported the problem has since followed up saying that it only happens on his work laptop and not his personal machines at home. ***Dave also verifies that he doesn’t see it on any of his machines. I check SEB on a number of different PCs and smartphones regularly and I’ve never seen this happen, so I’m assuming it must be something on the user’s laptop, but he says it only happens when he views SEB, which seems oddly specific.

I can’t find anything on Google that seems to match this odd situation, so I’m turning to you guys to see if anyone else has experienced this with SEB or something similar with some other site. Anyone else seeing this happen or know anything about a possible hack or virus that could cause it? Let us know in the comments.

17 comments

  1. Might be something on his machine doing the injection: but it’s worth installing the WordPress plugins “Exploit Scanner” and “WordPress Firewall” if you haven’t already.

  2. I’ll give those plugins a shot, but poking through the template code myself I’ve not seen anything that suggests SEB’s been compromised. Still, never hurts to double check.

  3. So I’ve run the Exploit Scanner and it reported a shitload of possible problems, all of which appear to be legit usages of things such as base64_decode and _eval commands and CSS display variables. Nothing that appeared to be coming from unknown plugins or added template code. 36 “severe” matches, 221 “warning” matches, and 107 “note” matches. A lot of the warnings were due to my posting YouTube videos that make use of iframes.

    There was so much noise in the results that it’s hard to say if you could see a problem if one actually existed.

  4. Yeah, I’d been getting them. I thought it was my computer, but I recently reinstalled my OS onto a new drive, and after reinstalling Firefox and speed dial, my speed dial tab saved the page with a bunch of links to spam.

    For some reason it was stuck on Jesus Fucking Christ, We’re on the Moon, and would only display the first comment.

    I’ll email you my speed dial screenshot, if you think it will help, but it’s pretty similar to that image up there: The actual post with the formatting all screwed up and advertisements inserted.

    Whatever it was, it isn’t doing it now.

  5. @ Les:
    If you want to email me the output of the Exploit Scanner logs, I’ll take a look for you (becoming a little bit of an expert in it). Sometimes the scripts are hidden in things like wp-config.php, index.php or just not where you expect.

  6. Thanks to the help of Richy it appears we have found the malware in question. Hiding in plain sight as a wp-sitemap.php file, which isn’t part of the core application, it was making files in the upload directory under thumb-temp which didn’t have anything other than PHP files in it. Many of which were double base64 encoded. I’ve deleted all of the files and the directory itself and we’ll see what happens.

  7. Checked this morning and the wp-sitemap.php file was back so I removed it again, though I couldn’t find the subdirectory that it had created previously. Also redownloaded and installed WordPress itself in case any of the core files had been compromised.

  8. I had a similar problem a while back, where a plugin got updated with a hacked version. It kept putting a file into my WP install and causing some major problems that allowed someone to remotely log into my site and create new administrator level users.

    Each time I would delete the file, it would come back in an hour or two. I eventually solved the problem by deactivating all of my plugins, renaming the plugins folder, and creating a new one. The problem stopped. So I then downloaded fresh copies of the plugins and installed them and then deleted the old folder.

  9. Les, my suggestion:

    As soon as you have a clean install, grab a copy of your files and check them into a version control system as a baseline. Then regularly download current copies and check them in and review the change log. Any unexpected changes should stick out like a sore thumb and even if an intentionally updated plugin has turned funky, you can at least home in quickly on the likely culprits.

    It shouldn’t hurt to get in touch with your host, either. It’s always better to convey to a host that you’re part of the solution and not the problem, and who knows, there might be a broader compromise.

  10. If you’re still having problems, ensure you’ve removed all plugins you are not using (don’t just deactivate them, remove them), make sure there are no admin accounts you have not set up (have you changed the admin username? http://www.neilturner.me.uk/2012/08/02/nasty-people-trying-access-your-wordpress-blog.html ), change your password (and FTP password: I have seen some exploits come via viruses which have gathered Filezilla FTP passwords) and make sure all plugins are up to date.

  11. Just had the wp-sitemap.php file show up again. This time the hook for it was in index.php and not wp-config.php. I’ve deleted all themes and all plugins and did a reinstall of the latest version of WordPress. Not sure where it was storing the temp files this time as it wasn’t in the same place as last time. Changed my passwords, again, and the default admin user hasn’t been admin in a very long time.

  12. Les, did you change all your hosting passwords, not just the WP ones? If you still get hacked with nothing but a default install of an up-to-date version of WP, it’s time to involve your host. You probably don’t have access to all the logs and tools to track this down.

  13. I am having the same problem. I was notified by a subscriber that he was seeing viagra and other medical links on our site posts. I could not see the links. I did a search on Google with one of our titles and the word viagra and it appears Google has indexed it with the links. You can actually see the links if you look at the Google cached page. Have you solved the problem, and what plugin had you installed when this started to show up?

  14. I had this problem occur today. I found the problem –> it was a file in my root directory called wp-sitemap.php. My wp-config.php file had an include statement requiring the file.

    Still don’t know how they got in and what not, but it should solve the problem.

    Let me know if you need help solving this.
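One way to put the baseline-and-diff suggestion from comment 9 into practice, extended with the indicators the thread reports in comments 6, 11 and 14 (a non-core wp-sitemap.php hooked in through an include/require in wp-config.php or index.php, PHP files planted under the uploads directory, and nested base64_decode calls). This is added example code, not anything from the post, the commenters or WordPress itself; the mini install it scans is constructed in a temporary directory and the planted strings are harmless stand-ins.

```python
import hashlib, re, tempfile
from pathlib import Path

# Indicators from the thread: include/require hook in wp-config.php or index.php,
# a non-core wp-sitemap.php, PHP under wp-content/uploads, nested base64_decode().
INCLUDE_RE = re.compile(r'(?:include|require)(?:_once)?[^;]*?[\'"]([^\'"]+\.php)[\'"]', re.I)
NESTED_B64_RE = re.compile(r'base64_decode\s*\(\s*base64_decode', re.I)
ENTRYPOINTS = ("wp-config.php", "index.php")

def snapshot(root):
    """Relative path -> SHA-256 of every file; record this right after a clean install."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(root, baseline):
    """Diff the live tree against the baseline, then scan PHP for the thread's indicators."""
    root, current = Path(root), snapshot(root)
    known = {Path(rel).name for rel in baseline}   # include targets present at baseline time
    findings = set()
    for rel in set(current) | set(baseline):
        if rel not in baseline:
            findings.add(f"NEW {rel}")
        elif rel not in current:
            findings.add(f"MISSING {rel}")
        elif current[rel] != baseline[rel]:
            findings.add(f"MODIFIED {rel}")
    for rel in (r for r in current if r.endswith(".php")):
        if rel.startswith("wp-content/uploads/"):
            findings.add(f"PHP_IN_UPLOADS {rel}")
        text = (root / rel).read_text(errors="replace")
        if NESTED_B64_RE.search(text):
            findings.add(f"NESTED_BASE64 {rel}")
        if rel in ENTRYPOINTS:
            for target in INCLUDE_RE.findall(text):
                if Path(target).name not in known:
                    findings.add(f"HOOK {rel} -> {target}")
    return sorted(findings)

def demo():
    """Constructed mini install: baseline it, then plant what the thread describes."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-settings.php").write_text("<?php // stand-in for a core file\n")
    (root / "wp-config.php").write_text("<?php\nrequire_once ABSPATH . 'wp-settings.php';\n")
    baseline = snapshot(root)
    (root / "wp-sitemap.php").write_text("<?php echo base64_decode(base64_decode('aGk='));\n")
    (root / "wp-config.php").write_text((root / "wp-config.php").read_text() + "require_once('wp-sitemap.php');\n")
    (root / "wp-content/uploads/thumb-temp").mkdir(parents=True)
    (root / "wp-content/uploads/thumb-temp/x.php").write_text("<?php // dropped file stand-in\n")
    return audit(root, baseline)
```

On a real site, run snapshot() against a fresh install, store the result, and re-run audit() on a schedule so that a re-planted wp-sitemap.php or a re-hooked wp-config.php shows up as NEW or MODIFIED before a reader does.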
