
Interesting WP Spam Hack

A really interesting spam hack popped onto my radar today. Here’s the post from the LITABlog, as seen in browser:

[Screenshot: LITABlog Spam Hack]

Here’s the bottom of the post. Nothing unusual, right?

[Screenshot: LITABlog Spam Hack]

Here’s the same post in Google Reader:

[Screenshot: LITABlog Spam Hack]

Spamolicious! Where the hell did all that come from? From this little piece of code in the post:

[Screenshot: LITABlog Spam Hack]

A hidden bit of code at the bottom of the post. I hadn’t seen this before, but Joshua M. Neff told me it happened to him as well. In the comments there was a link to the WordPress developer’s blog about a similar issue…but not an identical issue. I don’t think this is necessarily a SQL injection issue.

So: anyone have any thoughts? How did that code get put into an existing post? LITABlog is running the latest version of WordPress, so it’s not that. I don’t see any more of them, but I won’t unless I look through the code manually or whip up some SQL-fu that greps for the hidden CSS string. Which I will do if I must, but I thought maybe someone out there had a better idea. 🙂
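As an added example (not from this post, and not WordPress’s own code) of the “SQL-fu” mentioned above: a MySQL query against the real wp_posts table for the usual content-hiding CSS, plus a Python scanner that pulls out whatever text sits inside hidden inline-styled elements, which is exactly what a feed reader shows and a browser does not. The specific CSS patterns and the sample posts are assumptions; the post does not reproduce the exact string that was injected.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns that hide content in a browser while feed readers,
# which strip or ignore CSS, still render the text. Assumed list; the post
# does not quote the exact CSS that was injected.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0\b"
    r"|text-indent\s*:\s*-\d{3,}|(left|top|margin-left)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)
# Same check run directly against the database (default wp_ table prefix).
WP_POSTS_QUERY = """SELECT ID, post_title, post_author FROM wp_posts
WHERE post_status = 'publish' AND (post_content LIKE '%display:none%'
  OR post_content LIKE '%display: none%' OR post_content LIKE '%visibility:hidden%'
  OR post_content LIKE '%text-indent:-%' OR post_content LIKE '%left:-%');"""
# Tags that never get a closing tag; they must not affect nesting depth.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "col", "embed"}

class HiddenTextParser(HTMLParser):
    """Collects text inside any element whose inline style hides it."""
    def __init__(self):
        super().__init__()
        self.depth = 0    # > 0 while inside at least one hidden element
        self.stack = []   # True for each open tag that started hiding
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        hides = bool(HIDDEN_STYLE.search(dict(attrs).get("style") or ""))
        self.stack.append(hides)
        self.depth += hides

    def handle_endtag(self, tag):
        if self.stack and self.stack.pop():
            self.depth -= 1

    def handle_data(self, data):
        if self.depth > 0 and data.strip():
            self.hidden.append(data.strip())

def find_hidden_text(post_html):
    """Return the text fragments a browser would not display."""
    p = HiddenTextParser()
    p.feed(post_html)
    return p.hidden

def scan_posts(posts):
    """posts: {post_id: post_content}. Returns only the posts that hide text."""
    return {pid: hits for pid, html in posts.items() if (hits := find_hidden_text(html))}

SAMPLE_POSTS = {  # constructed sample data standing in for post_content rows
    101: "<p>Regular post body.</p>",
    102: '<p>Podcast episode 12.</p><div style="display:none">cheap <a href="http://example.invalid">pills</a></div>',
    103: '<p>Fine.</p><span style="position:absolute; left:-9999px">casino bonus</span>',
}
```

Feed the parser the post_content column of an export rather than the rendered page, since a theme or plugin may strip the styles before they reach the browser.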

By griffey

Jason Griffey is the Director of Strategic Initiatives at NISO, where he works to identify new areas of the information ecosystem where standards expertise is useful and needed. Prior to joining NISO in 2019, Jason ran his own technology consulting company for libraries, has been both an Affiliate at metaLAB and a Fellow and Affiliate at the Berkman Klein Center for Internet & Society at Harvard University, and was an academic librarian in roles ranging from reference and instruction to Head of IT at the University of TN at Chattanooga.

Jason has written extensively on technology and libraries, including multiple books and a series of full-periodical issues on technology topics, most recently AI & Machine Learning in Libraries and Library Spaces and Smart Buildings: Technology, Metrics, and Iterative Design from 2018. His newest book, co-authored with Jeffery Pomerantz, will be published by MIT Press in 2024.

He has spoken internationally on topics such as artificial intelligence & machine learning, the future of technology and libraries, decentralization and the Blockchain, privacy, copyright, and intellectual property. A full list of his publications and presentations can be found on his CV.
He is one of eight winners of the Knight Foundation News Challenge for Libraries for the Measure the Future project (http://measurethefuture.net), an open hardware project designed to provide actionable use metrics for library spaces. He is also the creator and director of The LibraryBox Project (http://librarybox.us), an open source portable digital file distribution system.

Jason can be stalked obsessively online, and spends his free time with his daughter Eliza, reading, obsessing over gadgets, and preparing for the inevitable zombie uprising.

6 replies on “Interesting WP Spam Hack”

SQL Injection would be my first guess, but it’s possible that a javascript attack could work as well. Untested, but I wonder if the permitted emphasis or bold tags could be exploited to make that happen.

I’d also check within the email or website fields...

More weirdness: when it happened to me, it didn’t show up in Bloglines but it did in Google Reader.

I removed the spam from the two posts on my blog and that seemed to solve the problem. Haven’t had it happen since.

This happened to the Library Student Journal blog which is hosted by LISHost. The wonderful Blake helped me out but it was too late – the blog was not salvageable. But maybe he knows how to fix it?

Well…it’s not an out of date install. We’re current on that. It’s not a single password/user combo, because it was done on 5 different posts with 3 different users. Possibly a plugin…3 of the posts were podcasts, with associated plugin goodness.

I’ll keep digging. For now, everything is fixed.

