Black Hattery

While going through my server logs a week back, I noticed some odd traffic. The site was getting hits from keywords like “Viagra” and “Cialis.” This is strange, considering that I’ve never really had much interest in, ahem, male enhancement products. When I checked my site in Google, I found this bit of oddness:

I did some research, and the diagnosis seemed to be that the site had been hacked.

Except it hadn’t. I went through and checked for all of the usual symptoms, but found none. File permissions and timestamps were unchanged. There was no unusual FTP traffic. My database was clean. I followed Chris Pearson’s advice and checked for rogue files. There were none. I ran Cotton Rohrscheib’s scripts against everything, but I found no base64_decode functions other than where they should be. My theme files are hand-coded, so it was a trivial matter to rule out tampering.

WordPress wasn’t the problem. My server wasn’t the problem. Foreigners and hippies weren’t the problem.

That leaves Google.

After some digging, I found that there are scads of zombie sites linking to mine. Each of those sites has over two dozen links to this site, chosen seemingly at random. The links are buried in meta tags. Something’s getting bounced in transit, but when followed, those links are feeding misleading keywords about my site to the spiders.

In some cases, the exploited sites look normal, but have incorrect page titles listed in Google. As with mine, clicking on the erroneous result took the user to the right page. On others, following the link triggers a redirect to one of several online pharmacy sites. All of the compromised sites show some evidence of an exploit, and most of them are not running WordPress. It should also be noted that they are on several different hosts, so it’s not unique to one provider.

Once I verified that my site was clean (and locked down), I resubmitted each for recrawl, and over the last week, the anomaly seems to be fixing itself. The troubling thing is, I have no clue how it happened in the first place. That means I’m not sure how to prevent its recurrence. Google’s got a hole somewhere, and somebody’s gaming it.

The only other measure I was able to take was to block referrals from the rogue sites. If one of these is yours, you need to check it over, because it’s part of the problem:


The only means of prevention I can suggest is to lock your site down as well as possible. Check file permissions, particularly in the WordPress folder. Directories should be set to 755. If you have SSH access, this is the easiest way to do it:

find . -type d -exec chmod 755 {} \;

To set files to 644:

find . -type f -exec chmod 644 {} \;

The zombie sites appear to have been hit with the textbook Pharma hack which targets two files: wp-config.php, which should be set to 750, and .htaccess. The best way to secure the latter is to do so from within. Insert this block in the body of the file:

# lock down .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>
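As an added example (not from the original post), here is a small audit script that checks a WordPress document root against the permissions given above (directories 755, files 644, wp-config.php 750) and reports anything that deviates, plus a fixer that applies those same chmods. It assumes a POSIX sh with find and mktemp; the sample tree it builds is constructed for the demo, with deliberate deviations, and is not a real site.

```shell
#!/bin/sh
# Report every path whose mode differs from the post's recommendation:
# directories 755, regular files 644, wp-config.php 750.
# Prints one line per deviation; returns 0 when clean, 1 otherwise.
audit_wp_perms() {
    root="$1"
    findings=$(
        find "$root" -type d ! -perm 755 -exec printf 'dir not 755: %s\n' {} \;
        find "$root" -type f ! -name wp-config.php ! -perm 644 \
            -exec printf 'file not 644: %s\n' {} \;
        find "$root" -type f -name wp-config.php ! -perm 750 \
            -exec printf 'wp-config.php not 750: %s\n' {} \;
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Apply the post's chmods: 755 on directories, 644 on files, 750 on wp-config.php.
fix_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    find "$root" -type f -name wp-config.php -exec chmod 750 {} \;
}

# Constructed sample tree (assumption: not a real install) with three
# deliberate deviations: a 777 uploads dir, a 666 file, and a 644 wp-config.php.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-includes"
    printf '<?php\n' > "$root/index.php"
    printf '<?php // constructed\n' > "$root/wp-config.php"
    : > "$root/wp-content/uploads/a.jpg"
    chmod 755 "$root" "$root/wp-content" "$root/wp-includes"
    chmod 777 "$root/wp-content/uploads"
    chmod 644 "$root/index.php" "$root/wp-config.php"
    chmod 666 "$root/wp-content/uploads/a.jpg"
    printf '%s\n' "$root"
}
```

Run `audit_wp_perms /path/to/wordpress` before and after `fix_wp_perms` to confirm the tree matches the recommended modes.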

Beyond that, I’ve got nothing. To recapitulate: I didn’t have to do anything to my site to fix this. All I did was block the sites flooding me with links and resubmit to Google. If this happens to you, your site might be infected, or it might not. Maybe someone smarter can chime in, but I can’t discern the mechanism or the vector for the problem.

Postscript: there also appears to be some intentional redirection going on. Same strategy, just more overt.