I've Been Exploited - InformationWeek


07:37 PM
Allen Stern

I've Been Exploited

Earlier this week, I converted my main blog from the Drupal content management system to WordPress. Within 24 hours, I was exploited.

I made the decision a couple of weeks ago to move from Drupal to WordPress for a number of reasons. The conversion was not easy, and I am working on a technical guide that I will publish later this month. Most of the trouble centered on the URL structure: Drupal's is more complex, and the change broke about 1,000 blog posts, which I have been cleaning up nearly non-stop for the last three days.

During my URL correction work, I noticed that the blog homepage was shifted to the left. I knew I hadn't changed the template, but since I had just finished converting the template to the WordPress specifications, I started to investigate the shift. After some initial template checks, I looked at the page source and am pretty sure I lost several heartbeats. Injected into the page's source were about 250 spam URLs.

I had a friend help me diagnose where the spam injection sat in my files, and it turned out to be in the WordPress theme's header file. We cleaned it out, changed all of the passwords and re-installed a clean WordPress installation. The total time the spam injection was live on the site was about two hours.
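The two checks that would have caught this faster are a scan of the theme files for links hidden from visitors (the usual shape of an SEO spam injection: hundreds of anchors inside a `display:none` or off-screen container) and a hash comparison of every PHP file against a manifest taken from a known-clean install, which also surfaces any file an attacker uploaded. The script below is an added example, not the author's code; the header markup, the spam domains (`example.com`) and the uploaded file name are constructed for the demonstration, and the on-disk layout is built in a temporary directory so it runs offline.

```python
"""Detect injected spam links in theme files and verify a clean-install baseline.

Added example, not code from the original post. All sample content is constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Anchors inside a container that visitors cannot see: display:none, visibility:hidden,
# or an absolutely positioned block pushed hundreds of pixels off-screen.
HIDDEN_BLOCK = re.compile(
    r'<(div|span|p)\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|'
    r'position\s*:\s*absolute[^>]*left\s*:\s*-\d{3,}px)[^>]*>(.*?)</\1>',
    re.IGNORECASE | re.DOTALL,
)
ANCHOR = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\']', re.IGNORECASE)


def find_hidden_links(html: str) -> list:
    """Return the href of every anchor that sits inside a hidden container."""
    links = []
    for m in HIDDEN_BLOCK.finditer(html):
        links.extend(ANCHOR.findall(m.group(2)))
    return links


def link_density_suspicious(html: str, max_links: int = 50) -> bool:
    """A header template carries a handful of navigation links; hundreds is a red flag."""
    return len(ANCHOR.findall(html)) > max_links


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root: Path) -> dict:
    """Record sha256 for every PHP file under root (run this on the clean install)."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*.php")}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree against the baseline: {relpath: 'modified'|'missing'|'unexpected'}."""
    findings = {}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.exists():
            findings[rel] = "missing"
        elif sha256_of(p) != expected:
            findings[rel] = "modified"
    for p in root.rglob("*.php"):
        rel = p.relative_to(root).as_posix()
        if rel not in manifest:
            findings[rel] = "unexpected"  # e.g. a file dropped by an upload exploit
    return findings


# Constructed sample markup: a clean header and the same header with a hidden spam block.
CLEAN_HEADER = ('<html><head><title>Blog</title></head><body>'
                '<div id="nav"><a href="/">Home</a><a href="/about">About</a></div>')
INJECTED_HEADER = CLEAN_HEADER + (
    '<div style="display:none"><a href="http://example.com/spam1">x</a>'
    '<a href="http://example.com/spam2">y</a></div>')


def demo() -> dict:
    """Baseline a clean tree, then simulate the compromise and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php get_header(); ?>")
        (root / "header.php").write_text(CLEAN_HEADER)
        baseline = build_manifest(root)
        # Simulated compromise: header tampered with, extra file uploaded (name is constructed).
        (root / "header.php").write_text(INJECTED_HEADER)
        (root / "uploads").mkdir()
        (root / "uploads" / "cache.php").write_text("<?php eval($_POST['c']); ?>")
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print("hidden links:", find_hidden_links(INJECTED_HEADER))
    print("findings:", demo())
```

Take the manifest immediately after a clean install or upgrade, store it off the web server, and re-run the comparison on a schedule; the first "modified" or "unexpected" result is the alert, well before a search engine crawls the tampered page.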

That was enough time for all of the major search engines to index the updated site with the spam URLs. As a result, Google has flagged my blog as "potentially malicious". I am unsure what it has done to my search rankings, but I know my traffic is down significantly. I have started working to get it corrected by submitting a "re-inclusion request" through Google Webmaster Tools. I am not sure how long it will take to get this notation removed, but they note it could take some time.

Next week I will speak with my web host to learn the technical reasons this exploit happened. It appears to have been a combination of a file upload and some shell commands.

This is a good example of why it's so important to monitor your site in real time. You can quickly see incoming traffic patterns and take appropriate action as needed. In my case, I started receiving traffic from MSN Search for some of the keywords in the spam URLs. This tipped me off that something was wrong beyond the template issue I noted above.
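That tip-off can be automated: parse the referrer field of the web server's access log, pull the search query out of referrals from known engines, and flag any query whose words never appear in the site's own content. The script below is an added example, not part of the original post. The log lines, the site vocabulary and the spam query are constructed; the referrer hosts and query parameters (`q=` for Google and MSN/Live Search, `p=` for Yahoo) are the conventions those engines used, and any engine you add is an assumption to verify against your own logs.

```python
"""Flag search-engine referrals for keywords the site never published.

Added example, not code from the original post. Sample log lines are constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substring of the referrer hostname -> query-string parameter carrying the search terms.
SEARCH_PARAMS = {
    "google.": "q",
    "search.msn.": "q",
    "search.live.": "q",
    "bing.": "q",
    "yahoo.": "p",
}


def search_terms(referer: str) -> Optional[list]:
    """Return the lower-cased query words if the referrer is a known search engine, else None."""
    u = urlparse(referer)
    host = u.hostname or ""
    for needle, param in SEARCH_PARAMS.items():
        if needle in host:
            query = parse_qs(u.query).get(param, [""])[0]
            return query.lower().split()
    return None


def suspicious_referrals(log_lines, site_vocab: set) -> list:
    """Return (requested path, query words) for search referrals sharing no word with the site."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        terms = search_terms(m["referer"])
        if terms and not (set(terms) & site_vocab):
            path = m["request"].split()[1] if len(m["request"].split()) > 1 else m["request"]
            hits.append((path, terms))
    return hits


# Constructed sample: three legitimate requests and one referral for keywords the blog never used.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2008:09:12:01 -0500] "GET /drupal-to-wordpress HTTP/1.1" 200 5123 '
    '"http://www.google.com/search?q=drupal+wordpress+migration" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2008:09:15:44 -0500] "GET / HTTP/1.1" 200 5123 '
    '"http://search.msn.com/results.aspx?q=cheap+pharmacy+pills" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2008:09:16:10 -0500] "GET /about HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Mar/2008:09:18:30 -0500] "GET / HTTP/1.1" 200 5123 '
    '"http://search.yahoo.com/search?p=blog+backup+guide" "Mozilla/5.0"',
]

# Words that actually occur in the site's posts (constructed; build this from your content).
SITE_VOCAB = {"drupal", "wordpress", "migration", "blog", "backup", "guide", "url"}


if __name__ == "__main__":
    for path, terms in suspicious_referrals(SAMPLE_LOG, SITE_VOCAB):
        print(f"suspicious referral to {path}: {' '.join(terms)}")
```

Run it against the tail of the live log every few minutes; a single referral for words you never wrote is worth a look, and a burst of them for the same words means the injected page has already been indexed.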

At the end of the day, I am glad I switched platforms, and eventually Google will help me get the malicious notation corrected. Please use my bad luck as your reason to go and check that your blog is current on updates and patches. Also check out my guide to creating a backup of your website or blog; it will help if your site is exploited or compromised.
