hacked – Climb to the Stars

Google Alerts Trick to Monitor Website Health [fr]

[en] Un petit truc pour être alertée immédiatement si mon site recommence à servir à Google des pages truffées de mots-clés pharmaceutiques: une Alerte Google qui cherche ces mots-clés uniquement sur mon site. Fûté, non?

As you can guess, I’m now a little paranoid about getting hacked and having my blog pages stuffed with pharma keywords for the benefit of search engines. I’m keeping a close eye on my site now, but logging into Google Webmaster Central each day to “Fetch as Googlebot” gets old quickly.

So I had a bright idea I’m pretty proud of and want to share with you.

I simply set up a Google Alert for spammy pharma keywords on my site, like this:

site:climbtothestars.org keyword1 OR keyword2 OR keyword3

Given I don’t blog about those meds (or any pharma-related stuff, actually), any alert that shows up will be a sign that Googlebot has been served spammy content from my site, which should not happen as it is now supposed to be clean. And if it does, I will know about it immediately (you can easily set alert frequency for your alert in Google Alerts).

New, Shiny, and Hopefully Spam-Free Server [en]

[fr] Nouveau serveur. Sans spam, avec un peu de chance.

I’ve spent the last two weeks in a kind of blog-limbo. After thinking I had rooted out my spammers, I had the bad surprise to find my pages spam-riddled again a few days later (after having proudly demonstrated to my SAWI students the consequences of being hacked). Long story short, we found a cute little remote shell in PHP and removed it from the server, discovered that PhpMyAdmin was compromised (I know, no rude comments please), but had a hard time finding out exactly where the spam itself was hidden (all the obvious stuff listed in various “get rid of pharma hack” and “what to do when your WordPress install gets hacked” blog posts yielded nothing).

This whole “being hacked” thing was starting to feel unpleasantly like a flea infestation: you think you’re rid of them, but here they are again!

After many hours of digging, we decided it was not worth losing more time as a server move was in the works anyway. If you’re reading this post, you’re accessing Climb to the Stars from the shiny new spam-free server, yay! Needless to say security has been tightened up and we will be monitoring it closely for any suspicious activity.

Expect normal blogging to resume at some point.

On Being Hacked [en]

[fr] Hackée, et voilà, moi qui savais justement pas quoi faire de mon beau dimanche après-midi ensoleillé...

I’m currently battling with a hacked WordPress installation. You won’t see anything if you view source, but Google unfortunately sees a whole lot of spam right at the top of each of my pages.

Here’s some information in the hope somebody may have a bright idea to help me root out the hack.

I’m running 3.0.3 and would like to find the source of the problem before upgrading to 3.04 (bad idea?)
I’ve tried disabling all plugins, and the problem is still there when I do that.
I’m using the vanilla default Twenty-Ten theme
I’ve looked in the theme header (header.php) for anything obvious, and also in wp-content, wp-plugins, etc. for anything that looked out of place to my eyes
I’ve run greps for base64 (anything here look suspicious?), spammy keywords, and other things I could think of
It does not seem to be this pharma hack (have failed at finding any signs of it following the instructions there — wp_option keys, backdoor files…)
I have searched my database for spammy keywords (also backwards) and haven’t found any aside in spam comments caught in Akismet

I will update this post as I find out more. Thanks for your suggestions.

Update: at least a partial solution… running find . -iname *.php -print0 |xargs -0 grep base64 allowed us to identify a problem in l10n.php, which was promptly replaced by a new version (evil version available on request). One of my pages as viewed by Googlebot now looks like this. So, the site is cleaner, but are there any backdoors left?

Google Webmaster Central is definitely a place to visit regularly — I would have spotted this way sooner if I had, rather than wondering what was wrong with my robots.txt file when I stopped being able to “direct Google” my posts. View more scary screenshots.

Tag: hacked

Google Alerts Trick to Monitor Website Health [fr]

Similar Posts:

On Being Hacked [en]

Similar Posts: