[Advice] Check your WordPress site for porn pages

Discussion in 'BlackHat Lounge' started by nikao, Mar 2, 2012.

  1. nikao

    nikao Power Member

    Joined:
    Oct 14, 2011
    Messages:
    518
    Likes Received:
    180
    Home Page:
    Not sure if this is already generally known and I'm exposing myself as a giant n00b (can't deny what you are, right? ;)), but I found a lot of porn pages (daily pages, so it seems) placed inside folders called /editor/, /task/, /system/ and /embed/ inside the /wp-content/ folder.

    I checked backlinks using Ahrefs and it showed a strange page with Russian links pointing at it. Opening that page in the browser showed me some sort of adult page, and in that same folder I found many more.

    These links didn't show up in Google Webmaster Tools, probably due to the fact that the pages aren't included in my sitemap, of course.
    But, this is a new site that was stuck dancing between rank 700-40 and I think I may have found the reason why.

    No idea how it happened; file/folder permissions were default.

    Better check your sites!
     
    Last edited: Mar 2, 2012
  2. nikao

    nikao Power Member

    Google indexed 55 of those pages on the site.
    Is removing the pages enough? Anything else I could do to make this right? (No, I'm not 301 redirecting those pages; don't want the adult links pointing at this site ;) )
     
  3. nikao

    nikao Power Member

    Doesn't really seem to be a generally used exploit or something... A quick search in Google returned around 10.000 indexed pages for the /editor/ and /task/ folders.

    [edit] Found more folders: /system/ has 10.000 indexed pages as well, and /embed/ 7000...
    God knows how many different folders they use ;)
     
    Last edited: Mar 2, 2012
  4. xbones

    xbones Newbie

    Joined:
    Feb 13, 2012
    Messages:
    22
    Likes Received:
    2
    Looks like an attack?

    Which host are you using?
     
  5. nikao

    nikao Power Member

    The site that is affected is sitting on a Dutch host; other sites I have there are not affected.
    My guess is that it might have to be a plugin. Going to leave all my plugins as is to see if additional pages are still added after I deleted all of them now.
     
  6. nikao

    nikao Power Member

    I guess no one is having this problem according to the lack of any replies, but just wanted to add that there was also malicious code inserted on every page that placed porn links via JavaScript.
    The code was added between the </head> and </body> tag.

    It was done via the index.php file in the root. Just remove all the code other than the loading of the template.
     
  7. Kamilion

    Kamilion Regular Member

    Joined:
    May 8, 2009
    Messages:
    217
    Likes Received:
    31
    It happened to me several months ago. I immediately contacted my host provider, and they found another IP accessing my cPanel; they banned that IP. But all my sites got blacklisted with tens of thousands of spam pages. Still don't know how someone managed to enter my cPanel; I have a very strong pass and I change it often.

    Contact your provider to check the logs; I am sure you will find another IP address accessing your cPanel.
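
An added example, not part of any post in this thread: a Python check for the two symptoms nikao describes, extra folders under /wp-content/ and code in the root index.php beyond the template loader. The allow-list of stock folders, the function names and the sample tree are assumptions made for illustration; adjust the allow-list to your install.

```python
import re
import sys
import tempfile
from pathlib import Path

# Assumption: folders a normal install has under wp-content; extend for your site.
STOCK_WP_CONTENT = {"plugins", "themes", "uploads", "languages", "upgrade", "mu-plugins"}
REPORTED = {"editor", "task", "system", "embed"}  # folder names given in the thread
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# The two statements of a stock root index.php (older and newer require styles).
_STOCK_STMT = re.compile(
    r"""^(define\(\s*['"]WP_USE_THEMES['"]\s*,\s*true\s*\)"""
    r"""|require(_once)?\s*\(?\s*(__DIR__\s*\.\s*)?['"](\./|/)?wp-blog-header\.php['"]\s*\)?)$""",
    re.I)

def unexpected_dirs(wp_root):
    """List (name, file_count, named_in_thread) for non-stock folders in wp-content."""
    findings = []
    for entry in sorted((Path(wp_root) / "wp-content").iterdir()):
        if entry.is_dir() and entry.name not in STOCK_WP_CONTENT:
            count = sum(1 for f in entry.rglob("*") if f.is_file())
            findings.append((entry.name, count, entry.name in REPORTED))
    return findings

def extra_index_statements(wp_root):
    """Return everything in the root index.php that is not the stock template loader."""
    src = (Path(wp_root) / "index.php").read_text(errors="replace")
    src = _COMMENTS.sub("", src).replace("<?php", "").replace("?>", "")
    parts = [s.strip() for s in src.split(";")]
    return [s for s in parts if s and not _STOCK_STMT.match(s)]

def make_constructed_site(root):
    """Build a tiny constructed WordPress-like tree showing both symptoms."""
    root = Path(root)
    for d in ("plugins", "themes", "editor", "task"):
        (root / "wp-content" / d).mkdir(parents=True)
    for i in range(3):
        (root / "wp-content" / "editor" / f"page{i}.html").write_text("<html>spam</html>")
    (root / "index.php").write_text(
        "<?php\n/** Front page loader */\ndefine('WP_USE_THEMES', true);\n"
        "echo '<p>constructed injected links</p>';\nrequire('./wp-blog-header.php');\n")
    return root

if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else make_constructed_site(tempfile.mkdtemp())
    for name, count, known in unexpected_dirs(site):
        print(f"wp-content/{name}/: {count} files" + (" (named in thread)" if known else ""))
    for stmt in extra_index_statements(site):
        print("index.php extra statement:", stmt)
```

Run it with the WordPress root as the only argument; with no argument it runs against the constructed sample tree.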