April 7th, 2008 at 12:20 pm

Update: 4.7.08 @ 2115h: Looks like ZDNet was hit, as per John’s comment below, via an xml-rpc hack, and no — they aren’t running an old version of WP either, which makes one wonder how vulnerable the newer versions of Wordpress are.

Just to recap: earlier, I documented how Tailrank’s “spam” was accidentally documenting some massive hacking efforts into blogs around the world. What I didn’t realize was that one of the “victims” was one of the more well-known tech blogs in the blogosphere, ZDnet.

Thanks to some intrepid screen capturing it looks like Allen Stern has shown that at one time ZDnet’s own blogs may have been hacked. If you head over to Tailrank, you’ll find that under the “technology” section (as of this writing) there is a ton of credit-card spam. However, as I mentioned yesterday, these are all legitimate blogs that have been hacked.

What’s surprising is that a lot of them are blogs from ZDnet, such as Steve Gillmor’s Inforouter, or ITFacts. As I mentioned yesterday, the probable reason why they are showing up as “spam” is because the security of those blogs was breached and malicious ‘invisible’ code was inserted, which is what Tailrank is picking up (by accident!).

I was twittering with Matt Craven last night, who wondered if Wordpress vulnerabilities were the issue. That, in fact, *may* be the case, as certainly ZDnet are running pretty old versions of Wordpress which are probably sensitive to security breaches — in fact, if you look up the source code, they are running, as of this writing, Wordpress 2.1.3, which, in fact, is more than a year old.

Addendum: As per John from CNet below, they are not.

As of this writing, it looks like ZDnet has scraped out all of the ‘invisible’ code / links through cleaning up their headers, but they’ll do well to upgrade to a more secure version of Wordpress (and it’s a lesson we should all heed!).

MORE: Wondering where some of the Wordpress hackers come from? (not all, of course) Abe Olandres, former editor of the BlogHerald, notes that some of them are Filipino. He’s worked on some security problems in Wordpress and has found some of the comments to be in Tagalog. Furthermore, he sheds some light on exactly the kinds of Wordpress exploits that some hackers are using. <Disclaimer: Again, I am not suggesting that all hackers are Filipino, I only use the post to illustrate the issue>

16 Responses to “UPDATE: Has ZDnet Been Hacked As Well?”

  1. Deep Jive Interests » Breaking! TailRank Exposes Massive Number Of Blogs Hacked :

    [...] 4.7.08: Looks like ZDnet was hacked as well (although they’ve since cleaned [...]

  2. Kevin Burton :

    Yes.

    It looks like ZDNet was hacked too.

    We’ve temporarily blacklisted them…. I’m hoping to add them back in soon though.

  3. Allen Stern :

    im the web version of columbo :)

    just one more question sir

  4. JFP :

    Yeh, looks like we were hit by an xml-rpc vulnerability. We fixed it. For reference, we’re not really running 2.1.3.

  5. Tony Hung :

    @JFP — thanks for stopping by and clearing that up.

  6. Pages tagged "craven" :

    [...] tagged cravenOwn a Wordpress blog? Make monetization easier with the WP Affiliate Pro plugin. UPDATE: Has ZDnet Been Hacked As Well? saved by 4 others     maddiej93 bookmarked on 04/08/08 | [...]

  7. Technorati no longer indexing hacked or vulnerable Wordpress blogs : The Blog Herald :

    [...] has discovered that ZDnet appears to have been impacted. In addition, Kevin Burton who is the founder & CEO of Tailrank comments on the significant [...]

  8. Voice of VOIPSA » Blog Archive » This blog site was hacked - how it was done and why you need to upgrade WordPress NOW! :

    [...] I would encourage folks to read this article and its update over on the blog site Deep Jive Interests as they get into more about these attacks that have been [...]

  9. Chetan Kunte :

    There can be any number of reasons for the crack—the least of all, I suppose, is due to an older version of WordPress. I think spammers like to go for the maximum effect with minimum effort—like running a single search and replace shell command replacing /body tag with hidden spam links followed by the /body tag again—or something similar. They like to target hosts that are vulnerable—particularly with hundreds of sites hosted under a shared host.

    In my case when I experienced it, I could see that access to the server was compromised and no amount of file reverting was helping. It would get replaced again and again—after a day or two. From the host-published list of sites, I could see hidden spam links on all sites that were hosted on the server.

    So, it’s important to choose a shared host that provides user level access per host, i.e., Isolated Shared Web Hosting—as a minimum.

  10. Your Blog Might Be Hacked » Webomatica - Technology and Entertainment Digest :

    [...] Please read Tony’s first article: Breaking! TailRank Exposes Massive Number Of Blogs Hacked and UPDATE: Has ZDnet Been Hacked As Well? [...]

  11. Technorati will not index vulnerable blogs :

    [...] which in many cases try to add spam links and other little things. The ZDnet blogs appear to have been one of the victims. If you are still using an outdated version of Wordpress, it is time to go [...]

  12. WordPress Hack Epidemic! :

    [...] WordPress hidden text exploit I blogged earlier has exploded to epidemic proportions, hitting even big sites like ZDNet. The worst part: ZDNet wasn’t even running an old version of [...]

  13. wordpress security aspects, or why third-party themes and plugins are risky | linux, macs, asterisk and other things :

    [...] Unfortunately you cannot write every plugin yourself, and although I have looked at and even rewritten a few plugins, I do not inspect every plugin down to the smallest scrap of code. So I trust the wordpress plugin directory, install only what is really necessary and keep what is installed up to date. That is the best protection against unpleasant surprises, and unfortunately it is also neglected by large sites. [...]

  14. Deep Jive Interests » In Defense Of Twitter (Not That It Needs Defending, But … ) :

    [...] take a more concrete example — the post I wrote a few days ago on Wordpress blogs being hacked and busted into so that they’re part of a sophisticated blog-bot … The inspiration for that came right out of Twitter, thanks to Allen Stern and Duncan Riley’s [...]

  15. More On Hidden Blog Spam | Christopher Hedges :

    [...] has discovered that ZDnet appears to have been impacted. In addition, Kevin Burton who is the founder & CEO of Tailrank comments on the significant [...]

  16. DrakNet Web Hosting :

    [...] a massive number of Wordpress Blogs were hacked by an organized scheme, including installations at ZDNet, utilizing an xml-rpc vulnerability. Some of the hacks also came in through users downloading [...]
