Hacked by keymachine.de
I just noticed that my WordPress installation got hacked by a search engine spam injection attack sometime in the past few weeks. This particular one inserts invisible text with lots of keywords in footer.php. The changes to the file were made using the built-in theme editor, originating from ns.km20725.keymachine.de, which is currently at 84.19.188.144. The spam campaign automatically updates the spam payload every day or so. The links point to a variety of servers that have also been hacked to host the spam content. Here is a sample: http://www.nanosolar.com/feb3/talk.php?28/82138131762.html
I’ve sent an e-mail to Nanosolar, so they’ll probably have that content cleaned up before long. But the automated SEO spam campaign updates the keyword and link payload regularly, so any affected WordPress sites will be updated to point at the new hosting victims.
From a quick check on Google, it looks like keymachine.de is a regular offender.
Tags: wordpress, sysadmin, spam, security, seo

April 4th, 2008 at 5:20 pm
Looks like there’s some comment spam, too, judging from the insiteful comment of “web development” who posted a comment before this one.
I use the Math Comment Spam Protection plugin (make commenter add two numbers), plus Akismet which seems to keep that junk to a dull roar. I like the math plugin because I don’t have to moderate comments before they are visible.
What’s funny about this is that none of these so-called SEO things work anymore, if they ever did. When I was at Direct Hit/Ask Jeeves, we were detecting invisible text, doorway pages, and all the other stupid tricks that people think work, and that was in 1999 and penalizing sites. Google now reports back to sites that have gotten hit, via their Webmaster Tools.
It’s a strange and bizarre thing indeed, spam and automated fraud. One of the kinds of software development I love best is a) the ability to accurately and quickly recognize patterns, and b) ways to cause the ones doing it to get caught and taken down.
Sigh. The world is not as pure as all that.
Tom
April 4th, 2008 at 8:53 pm
Hi Tom, I like those comment spam plugins too. In this case I think the site administrative credentials were compromised at some point in the past few weeks, since the spam was being inserted directly into the blog template files using the WordPress theme editor. I’ve blocked the keymachine.de domain and changed the site credentials, which seems to have fixed this for now. I have way too much customization in this installation; next time I’ll probably stick more closely to existing code, instead of hacking in a bunch of ad-hoc changes.
June 12th, 2008 at 6:00 pm
Hey, you were the first relevant Google hit for keymachine.de, who I found in my server logs and investigated (three guesses why I am looking at my server logs). It looks like they are doing direct injection to posts too; in my case the theme editor and blog files weren’t touched, but invisible spam links were being affixed to the end of existing posts. The logs are full of hits to /wp-admin/post.php?action=edit with a referrer of /upload.php?style=inline&tab=upload&post_id=-1
The blog is disabled for now until I can see to it whatever hole these knuckleheads are getting in with has been fixed.
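An added example, not part of the original post or its comments: a log triage script that flags the two request patterns described on this page, writes through the theme editor and `post.php?action=edit` hits referred from `upload.php` with `post_id=-1`. The sample log lines are constructed, the Apache combined log format is assumed, and treating a POST to `/wp-admin/theme-editor.php` as a theme file write is an assumption about how the editor saves.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2008:03:12:01 +0000] "GET /wp-admin/post.php?action=edit&post=41 HTTP/1.1" 200 8123 "http://blog.example/wp-admin/upload.php?style=inline&tab=upload&post_id=-1" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2008:03:12:04 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "http://blog.example/wp-admin/theme-editor.php?file=footer.php" "Mozilla/4.0"
198.51.100.20 - - [10/Jun/2008:09:30:00 +0000] "GET /wp-admin/post.php?action=edit&post=41 HTTP/1.1" 200 8123 "http://blog.example/wp-admin/edit.php" "Mozilla/5.0"
198.51.100.20 - - [10/Jun/2008:09:31:10 +0000] "GET /2008/03/some-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

def classify(method, target, referer):
    """Return a finding label for one request, or None if unremarkable."""
    url, ref = urlsplit(target), urlsplit(referer)
    query, ref_query = parse_qs(url.query), parse_qs(ref.query)
    # Assumed: a POST to the built-in theme editor is a theme file write.
    if url.path.endswith("/wp-admin/theme-editor.php") and method == "POST":
        return "theme-editor-write"
    # Post edit reached from the upload dialog with post_id=-1 (commenter's logs).
    if (url.path.endswith("/wp-admin/post.php")
            and query.get("action") == ["edit"]
            and ref.path.endswith("/upload.php")
            and ref_query.get("post_id") == ["-1"]):
        return "post-edit-via-upload"
    return None

def scan(log_text):
    """Group findings by client IP: {ip: [(timestamp, label), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format entries
        label = classify(m["method"], m["target"], m["referer"])
        if label:
            hits[m["ip"]].append((m["ts"], label))
    return dict(hits)

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG).items():
        print(ip, findings)
```

Legitimate administrators also produce theme-editor writes, so the flagged addresses need comparing against the addresses the site owner actually logs in from.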
June 22nd, 2008 at 10:16 am
In the Realm of the Cyber-Foresters
Germany has the strictest “hacker tool” law in the world, the toughest interior minister since time immemorial, data retention, the world record for tapping telephone calls, subscriber location tracking for mobile phones and the treacher…