UPDATE: Has ZDnet Been Hacked As Well?
by Tony Hung on April 7, 2008
Update: 4.7.08 @ 2115h: Looks like ZDNet was hit, as per John’s comment below, via an xml-rpc hack, and no — they aren’t running an old version of WP either, which makes one wonder how vulnerable the newer versions of WordPress are.
Just to recap: earlier, I documented how Tailrank’s “spam” was accidentally documenting some massive hacking efforts into blogs around the world. What I didn’t realize was that one of the “victims” was one of the more well-known tech blogs in the blogosphere, ZDnet.
Thanks to some intrepid screen capturing, it looks like Allen Stern has shown that at one time ZDnet’s own blogs may have been hacked. If you head over to Tailrank, you’ll find that under the “technology” section (as of this writing) there is a ton of credit-card spam. However, as I mentioned yesterday, these are all legitimate blogs that have been hacked.
What’s surprising is that a lot of them are blogs from ZDnet, such as Steve Gillmor’s Inforouter, or ITFacts. As I mentioned yesterday, the probable reason why they are showing up as “spam” is that those blogs were hacked and malicious ‘invisible’ code was inserted, which is what Tailrank is picking up (by accident!).
I was twittering with Matt Craven last night, who wondered if WordPress vulnerabilities were the issue. That, in fact, *may* be the case, as certainly ZDnet are running pretty old versions of WordPress which are probably susceptible to security breaches — in fact, if you look up the source code, they are running, as of this writing, WordPress 2.1.3, which is more than a year old.
Addendum: As per John from CNet below, they are not.
As of this writing, it looks like ZDnet has scraped out all of the ‘invisible’ code / links through cleaning up their headers, but they’ll do well to upgrade to a more secure version of WordPress (and it’s a lesson we should all take heed of!).
MORE: Wondering where some of the WordPress hackers come from? (not all, of course) Abe Olandres, former editor of the BlogHerald, notes that some of them are Filipino. He’s worked on some security problems in WordPress and has found some of the comments to be in Tagalog. Furthermore, he sheds some light on exactly the kinds of WordPress exploits that some hackers are using. <Disclaimer: Again, I am not suggesting that all hackers are Filipino, I only use the post to illustrate the issue>


25 comments
[...] 4.7.08: Looks like ZDnet was hacked as well (although they’ve since cleaned [...]
by Deep Jive Interests » Breaking! TailRank Exposes Massive Number Of Blogs Hacked on April 7, 2008 at 12:48 pm. #
Yes.
It looks that ZDNet was hacked too.
We’ve temporarily blacklisted them…. I’m hoping to add them back in soon though.
by Kevin Burton on April 7, 2008 at 3:03 pm. #
I’m the web version of Columbo :)
Just one more question, sir
by Allen Stern on April 7, 2008 at 7:53 pm. #
Yeh, looks like we were hit by an xml-rpc vulnerability. We fixed it. For reference, we’re not really running 2.1.3.
by JFP on April 7, 2008 at 8:59 pm. #
@JFP — thanks for stopping by and clearing that up.
by Tony Hung on April 7, 2008 at 10:12 pm. #
[...] tagged cravenOwn a WordPress blog? Make monetization easier with the WP Affiliate Pro plugin. UPDATE: Has ZDnet Been Hacked As Well? saved by 4 others maddiej93 bookmarked on 04/08/08 | [...]
by Pages tagged "craven" on April 8, 2008 at 6:45 am. #
[...] has discovered that ZDnet appears to have been impacted. In addition, Kevin Burton who is the founder & CEO of Tailrank comments on the significant [...]
by Technorati no longer indexing hacked or vulnerable Wordpress blogs : The Blog Herald on April 8, 2008 at 7:52 am. #
[...] I would encourage folks to read this article and its update over on the blog site Deep Jive Interests as they get into more about these attacks that have been [...]
by Voice of VOIPSA » Blog Archive » This blog site was hacked - how it was done and why you need to upgrade WordPress NOW! on April 8, 2008 at 9:14 am. #
There can be any number of reasons for the crack—the least of all, I suppose, is due to an older version of WordPress. I think spammers like to go for the maximum effect with minimum effort—like running a single search and replace shell command replacing /body tag with hidden spam links followed by the /body tag again—or something similar. They like to target hosts that are vulnerable—particularly with hundreds of sites hosted under shared host.
In my case when I experienced it, I could see that access to the server was compromised and no amount of file reverting was helping. It would get replaced again and again—after a day or two. From the host-published list of sites, I could see hidden spam links on all sites that were hosted on the server.
So, it’s important to choose a shared host that provides user level access per host, i.e., Isolated Shared Web Hosting—as a minimum.
by Chetan Kunte on April 8, 2008 at 10:21 am. #
[...] Please read Tony’s first article: Breaking! TailRank Exposes Massive Number Of Blogs Hacked and UPDATE: Has ZDnet Been Hacked As Well? [...]
by Your Blog Might Be Hacked » Webomatica - Technology and Entertainment Digest on April 8, 2008 at 10:44 am. #
[...] which in many cases try to add spam links and other odds and ends. ZDnet’s blogs appear to have been one of the victims. If you are still using an outdated version of WordPress, it is time to go [...]
by Technorati no indexará blogs vulnerables on April 8, 2008 at 3:49 pm. #
[...] WordPress hidden text exploit I blogged earlier has exploded to epidemic proportions, hitting even big sites like ZDNet. The worst part: ZDNet wasn’t even running an old version of [...]
by WordPress Hack Epidemic! on April 9, 2008 at 3:32 am. #
[...] Unfortunately, one cannot write every plugin oneself, and although I have already looked at and rewritten a few plugins, I do not look at every plugin down to the smallest scrap of code either. So I trust the WordPress plugin directory, install only what is really necessary, and keep what is installed up to date. That is the best protection against unpleasant surprises, and unfortunately it is neglected even by big sites. [...]
by wordpress sicherheitsaspekte oder warum fremde themes und plugins riskant sind | linux,macs, asterisk und anderes on April 9, 2008 at 8:39 am. #
[...] take a more concrete example — the post I wrote a few days ago on WordPress blogs being hacked and busted into so that they’re part of a sophisticated blog-bot … The inspiration for that came right out of Twitter, thanks to Allen Stern and Duncan Riley’s [...]
by Deep Jive Interests » In Defense Of Twitter (Not That It Needs Defending, But … ) on April 10, 2008 at 3:20 pm. #
[...] has discovered that ZDnet appears to have been impacted. In addition, Kevin Burton who is the founder & CEO of Tailrank comments on the significant [...]
by More On Hidden Blog Spam | Christopher Hedges on April 11, 2008 at 1:59 pm. #
[...] a massive number of WordPress Blogs were hacked by an organized scheme, including installations at ZDNet, utilizing an xml-rpc vulnerability. Some of the hacks also came in through users downloading [...]
by DrakNet Web Hosting on April 16, 2008 at 11:20 am. #
[...] of clicking on an unverified link on this site. But we also need to keep in mind when sites like ZDnet can get hacked, nobody is really [...]
by Upgrading To Wordpress 2.5 | TechBanyan on July 5, 2008 at 5:20 pm. #