Hidden spam epidemic among outdated WordPress blogs
Outdated installations of the widely used blogging software WordPress appear to be the target of large-scale spam attacks. What the attacks have in common is that the blogs are stuffed with huge numbers of invisible spam links. Blog readers usually can't see this hidden HTML spam, but search engines index it along with the rest of the page. The attacks appear to be aimed primarily at search engine optimisation. The blog search engine Technorati has delisted all WordPress blogs showing symptoms of the spam epidemic. Google has also started sending notifications to bloggers whose blogs link to potentially dangerous websites as a result of the attacks.
The spam injections may take various forms. In one wave of injections that started in late March, additional spam pages were placed in a newly created subdirectory wp-content/1. Google now shows more than 40,000 hits for this perfidious path – at the end of March it was just under 4,000.
A further wave, which also apparently hit blogs on ZDNet.com, makes its presence felt with a long list of links at the start of the page that are hidden from readers using the tag <font style='position:absolute; overflow:hidden; height:0; width:0'>. Individual bloggers are also reporting that various files in their hacked WordPress installations contain an extra IFrame which points to an external website.
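A small scanner for the two injection symptoms described above (a zero-size, absolutely positioned container stuffed with links, and an IFrame pointing off-site), written here as an added example for this page; it is not code from the article or from WordPress, and the HTML sample and hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an injected page fragment; all hostnames are placeholders.
SAMPLE_HTML = """<html><body>
<font style='position:absolute; overflow:hidden; height:0; width:0'>
<a href="http://spam-one.example/pills">cheap pills</a>
<a href="http://spam-two.example/loans">loans</a>
<a href="http://spam-three.example/casino">casino</a>
</font>
<p>Welcome to my blog. <a href="http://blog.example/about">About</a></p>
<iframe src="http://evil.example/x.html" width="1" height="1"></iframe>
<iframe src="http://blog.example/embed/video"></iframe>
</body></html>"""

# A font/div/span with an inline style attribute, captured together with its body.
CONTAINER_RE = re.compile(
    r"<(font|div|span)\b[^>]*\bstyle=(['\"])(?P<style>[^'\"]*)\2[^>]*>(?P<body>.*?)</\1>",
    re.IGNORECASE | re.DOTALL)
LINK_RE = re.compile(r"<a\b[^>]*\bhref=", re.IGNORECASE)
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc=(['\"])(?P<src>[^'\"]+)\1", re.IGNORECASE)

def _is_hidden(style):
    """True if the style collapses the element to nothing or takes it out of view."""
    s = style.lower().replace(" ", "")
    if "display:none" in s:
        return True
    zero_size = re.search(r"\b(?:height|width):0(?:px)?(?:;|$)", s) is not None
    return zero_size and ("position:absolute" in s or "overflow:hidden" in s)

def find_hidden_link_blocks(html):
    """Return (tag, link_count) for every hidden container that carries links."""
    hits = []
    for m in CONTAINER_RE.finditer(html):
        if _is_hidden(m.group("style")):
            n = len(LINK_RE.findall(m.group("body")))
            if n:
                hits.append((m.group(1).lower(), n))
    return hits

def find_external_iframes(html, site_host):
    """Return src URLs of iframes whose host differs from the blog's own host."""
    external = []
    for m in IFRAME_RE.finditer(html):
        src = m.group("src")
        host = urlparse(src).hostname or ""
        if host and host != site_host.lower():
            external.append(src)
    return external

def scan(html, site_host):
    """Summarise both symptoms for one page; empty lists mean nothing was found."""
    return {"hidden_link_blocks": find_hidden_link_blocks(html),
            "external_iframes": find_external_iframes(html, site_host)}

if __name__ == "__main__":
    print(scan(SAMPLE_HTML, "blog.example"))
```

Run it against the rendered HTML of each post (not only the theme files), since the injected markup often lives in the database rather than on disk.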
The unknown attackers are probably using vulnerabilities including an XMLRPC vulnerability which affected WordPress versions 2.3.2 and earlier. There are also isolated reports from WordPress administrators that the spam problems are continuing after upgrading to a non-vulnerable, current version such as 2.3.3 or 2.5 – apparently due to an inconsistency when updating the WordPress database. One affected user reports that the problem disappears after a forced database update.
Users running a manually installed WordPress blog should switch to a current version immediately and in future keep it up to date. If spam injection has already taken place, it is advisable to back up the WordPress database and then reinstall. Users should then check the user list in the administration backend for fake accounts and delete any they find.
- Vulnerable WordPress Blogs Not Being Indexed, announcement from Technorati