Monday March 24, 2008 Seapegasus Blog
Monday March 24, 2008 My brother just discovered a mean blog content hack in an RSS feed. Somebody managed to insert a div with spam text into a blog entry's content (and in one case even into the description meta tag). As opposed to 'normal' comment spam (see rel=nofollow), content spam makes it look as if the blogger recommended the link, which (I presume) gives it a higher google ranking.
So why does the blogger not notice the inserted text? The height and width of the div are zero, so the text is hidden. Some feedreaders however preview entries without div styles, so the inserted text is visible in the RSS feed.
By googling for variations of the link text, I found 7 more blogs. Sure, eight is far from a botnet epidemic. Still it's strange how the same hidden text turns up in the content of eight unrelated blogs. Do they have anything in common?
The eight cases I saw all run on Wordpress, but on different versions. This still does not explain why only these eight were affected. If someone had 'teh über h4ck' to insert arbitrary text into other people's blogs, there'd be A LOT more cases, you would think. So is the common denominator something more simple, such as a weak password? But then, why only wordpress...?
If you have a wordpress blog, please quickly search the page source for a div with style='overflow:auto;width:0;height:0; and tell us whether you got one too. I'd really like to get to the bottom of this Easter mystery...
PS: Update
OK, I found out more. Somebody indeed exploited a bug in WordPress' XML-RPC interface to insert text into certain versions of WordPress blogs. They patched it, but users didn't update.
- 2008.02.05 - WordPress releases warning and patch
- 2008.02.05 - heise.de news about wordpress vulnerability, recommends patch
- 2008.02.12 - Technorati recommends patch
- 2008.03.24 - Blogger Bontb tracks down the problem in his blog
- 2008.04.07 - Technorati reminds about patch, warns about consequences (blogs not getting index)
- 2008.04.07 - Blogger DeepJive analyses the blog hack and its consequences: OMG!
- 2008.04.09 - heise.de news reminds bloggers about continuing sneaky blog spam
Do CMS providers like wordpress have something like the netbeans update center? Can they send users a message reminding them to update? I assume not (unless the user signs up to a mailinglist). :(
The recommendation is not only to update to the latest patched version, you also should change your password.
Posted by seapegasus ( Mar 24 2008, 09:01:43 PM CET ) Permalink Comments [5]
