Odd, Spammy Code in the Twitter Blog Post


Brad Kellett

Mar 8, 2008, 2:32:02 AM
to BarCamp Sydney
If you fire up the Twitter blog post -
http://www.barcampsydney.org/2008/03/06/barcampsydney-now-on-twitter/
- and look at the code, there seem to be some spammy links hidden in
the text, for example:

<li>JJ<noscript>Download <a href="http://www.toques-excelente.com/
avaliacoes-download-de-toques-para-celular.html">http://www.toques-
excelente.com/avaliacoes-download-de-toques-para-celular.html</a>
Jazz: Top Seleções Toques De Celular Ringtones Gratuitos Polifônicos e
Monofônicos.</noscript> Halans: @

Don't know where they are coming from, but someone really needs to
jump into the theme and do a solid clean out of any included JS and
such. No good.

~bck
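
A check for the pattern shown in the post above, as an added example that is not part of the original thread: it lists off-site links placed inside noscript elements, and can be run over a theme file, a saved copy of a rendered page or a database export. The sample markup, the ringtones.example host and the function name are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches one <noscript>...</noscript> element, across line breaks.
NOSCRIPT = re.compile(r"<noscript\b[^>]*>(.*?)</noscript\s*>", re.I | re.S)


class _Links(HTMLParser):
    """Collects the href value of every <a> tag fed to it."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            # Hard-wrapped markup can leave whitespace inside the URL.
            self.hrefs.append("".join(href.split()))


def hidden_offsite_links(html, own_hosts):
    """Return (line, url) for each link inside <noscript> to a foreign host."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for block in NOSCRIPT.finditer(html):
        parser = _Links()
        parser.feed(block.group(1))
        parser.close()
        line = html.count("\n", 0, block.start()) + 1
        for url in parser.hrefs:
            host = (urlparse(url).hostname or "").lower()
            if host and host not in own:  # relative links have no host
                findings.append((line, url))
    return findings


# Constructed sample modelled on the snippet quoted in the post.
SAMPLE = """<ul>
<li>JJ<noscript>Download <a href="http://ringtones.example/
free-download.html">ringtones</a></noscript> Halans: @</li>
<li><noscript><a href="http://www.barcampsydney.org/about/">About</a></noscript></li>
<li><a href="http://twitter.com/barcampsydney">visible link</a></li>
</ul>"""

if __name__ == "__main__":
    for line, url in hidden_offsite_links(SAMPLE, {"www.barcampsydney.org"}):
        print(f"line {line}: hidden off-site link {url}")
```
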

russ - maxdesign

Mar 8, 2008, 2:58:26 AM
to BarCam...@googlegroups.com
> Don't know where they are coming from, but someone really needs to
> jump into the theme and do a solid clean out of any included JS and
> such. No good.


Good pickup. Removed :)


Brad Kellett

Mar 8, 2008, 3:07:15 AM
to BarCamp Sydney
Cheers. I think the bigger problem is how these things are making
their way into the site to start with though.

~bck

John Allsopp

Mar 8, 2008, 3:09:01 AM
to BarCam...@googlegroups.com
If the site is run on WordPress, you need to upgrade to 2.3.3, or
upgrade the XML-RPC file in your current install.

More info

http://wordpress.org/development/2008/02/wordpress-233/

john

John Allsopp

style master :: css editor :: http://westciv.com/style_master
about me :: http://johnfallsopp.com
Web Directions Conferences :: http://webdirections.org
My Microformats book :: http://microformatique.com/book

Brad Kellett

Mar 8, 2008, 3:25:06 AM
to BarCamp Sydney
The site is already running on WP 2.3.3

John Allsopp

Mar 8, 2008, 4:07:18 AM
to BarCam...@googlegroups.com
damned,

thought they'd fixed this problem with 2.3.3 -

john

Jean-Jacques Halans

Mar 8, 2008, 5:22:31 AM
to BarCam...@googlegroups.com
According to Secunia "Successful exploitation requires valid user credentials."
http://secunia.com/advisories/28823/
Maybe look through the registered users and delete all which shouldn't be there?
Let people re-register if they want to post comments. Do you need
comments enabled to begin with?

But might be something else altogether...
What version of Apache is it running? Maybe upgrade to latest version
(if you're running your own slice/vm)?
What version of PHP?
What are the access rights on the files and folders?
Are there any additional WP themes installed?

One of my hosts, MediaTemple, updated their php installations in January:
"There is a parameter for php called 'allow_url_fopen' that is
currently enabled in both our PHP4 and PHP5 environments. If the
proper precautions are not taken in PHP a large number of code
injection vulnerabilities frequently reported in PHP-based web
applications are possible. We understand that our customers install a
great number of PHP-driven applications, many of them from the
open-source community. Unfortunately a great number of them can
potentially fall prey to these vulnerabilities. "
Has this been disabled on your server (allow_url_fopen can be found in php.ini)?
While you're at it, have a look at register_globals and turn that off too...

(Djee, I better have another look at my WP installation too...)

JJ

--
Jean-Jacques Halans

================================
> http://www.halans.be
> http://del.icio.us/halans
> http://www.flickr.com/photos/halans/
> http://halans.vox.com/
> http://www.redcrates.com/
> http://www.mapanui.com/
================================

Brad Kellett

Mar 8, 2008, 5:25:53 AM
to BarCamp Sydney
I guarantee it is something much simpler. The theme already had dodgy
stuff in it that was removed, should start with it and give the code a
good once over. Happy to volunteer for that.

~bck

Andrew Fong

Mar 8, 2008, 6:41:41 AM
to BarCam...@googlegroups.com
Is it worth giving the database the once over as well ? Check the table
contents.

In case someone has injected some code into it somewhere ?

Just a suggestion.

Ajay Ranipeta

Mar 8, 2008, 1:52:41 PM
to BarCam...@googlegroups.com
ok, gonna try and do a full and fresh install and copy data over, v.carefully.. hope that might fix the problem.

thx for picking it up Brad

cheers,
-ajay-