Update: 4.7.08 @ 2115h: Looks like ZDNet was hit, as per John’s comment below, via an xml-rpc hack, and no — they aren’t running an old version of WP either, which makes one wonder how vulnerable the newer versions of Wordpress are.
Just to recap: earlier, I documented how Tailrank’s “spam” was accidentally documenting some massive hacking efforts into blogs around the world. What I didn’t realize was that one of the “victims” was one of the more well-known tech blogs in the blogosphere, ZDnet.
Thanks to some intrepid screen capturing, it looks like Allen Stern has shown that at one time ZDnet’s own blogs may have been hacked. If you head over to Tailrank, you’ll find that under the “technology” section (as of this writing) there is a ton of credit-card spam. However, as I mentioned yesterday, these are all legitimate blogs that have been hacked.
What’s surprising is that a lot of them are blogs from ZDnet, such as Steve Gillmor’s Inforouter, or ITFacts. As I mentioned yesterday, the probable reason why they are showing up as “spam” is that those blogs were hacked and malicious ‘invisible’ code was inserted, which is what Tailrank is picking up (by accident!).
I was twittering with Matt Craven last night, who wondered if WordPress vulnerabilities were the issue. That, in fact, *may* be the case, as ZDnet are certainly running pretty old versions of WordPress, which are probably susceptible to security breaches; if you look at the page source, they are running, as of this writing, WordPress 2.1.3, which is more than a year old.
Addendum: As per John from CNet below, they are not.
As of this writing, it looks like ZDnet has scraped out all of the ‘invisible’ code / links by cleaning up their headers, but they’d do well to upgrade to a more secure version of WordPress (and it’s a lesson we should all heed!).
MORE: Wondering where some of the WordPress hackers come from? (Not all, of course.) Abe Olandres, former editor of the BlogHerald, notes that some of them are Filipino. He’s worked on some security problems in WordPress and has found some of the comments to be in Tagalog. Furthermore, he sheds some light on exactly the kinds of WordPress exploits that some hackers are using. (Disclaimer: Again, I am not suggesting that all hackers are Filipino; I only use the post to illustrate the issue.)



9 Comments
Yes.
It looks like ZDNet was hacked too.
We’ve temporarily blacklisted them…. I’m hoping to add them back in soon though.
I’m the web version of Columbo :)
Just one more question, sir
Yeh, looks like we were hit by an xml-rpc vulnerability. We fixed it. For reference, we’re not really running 2.1.3.
@JFP — thanks for stopping by and clearing that up.
There can be any number of reasons for the crack—the least of all, I suppose, is due to an older version of WordPress. I think spammers like to go for the maximum effect with minimum effort—like running a single search and replace shell command replacing /body tag with hidden spam links followed by the /body tag again—or something similar. They like to target hosts that are vulnerable—particularly with hundreds of sites hosted under shared host.
In my case when I experienced it, I could see that access to the server was compromised and no amount of file reverting was helping. It would get replaced again and again—after a day or two. From the host-published list of sites, I could see hidden spam links on all sites that were hosted on the server.
So, it’s important to choose a shared host that provides user level access per host, i.e., Isolated Shared Web Hosting—as a minimum.
Great website, well researched and well written, thanks for sharing.