Interesting WordPress spam

I just caught and stopped an interesting spam attack for my WordPress installation. Someone had the admin password and put dozens of spam links into the most recent post. That in itself isn’t too interesting other than how they got the login (I had used an out of date version of WordPress for a while, though the spam did start after upgrading to the latest), but interestingly the spammer updated the post about a dozen times, alternating between removing the spam and then adding in new sets of links. That’s how I hadn’t noticed it: I just happened to view the post when it was normal. The links themselves were never visible; they were in an HTML comment and CSS styled to not show, which also made it more difficult to detect. WordPress keeps all revisions now, but it doesn’t track info on them other than author. It would be nice to have the IP of this joker so I can have some fun; for that I’ll have to dig through my logs.

The spam links themselves were mostly to other sites where you could set up an account (like College Humor), and on those pages were finally the links to a scuzzy site selling questionable pharmaceuticals shipped directly from India. It’s a global enterprise: product from India, a customer service number in Texas and the domain registration in Estonia.

Update: After digging through logs it looks like it was an attack on the XML-RPC feature in WordPress. Adding to the global enterprise, the attack was from Latvia and the IP (91.203.68.3) is a known spammer. I don’t use XML-RPC so I took the easy way out and deleted the file. This had been a vulnerability before, but was supposedly fixed. Either way, it’s gone.
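The hiding trick described above (links tucked into an HTML comment or into an element styled so it never renders, added and removed across revisions) is easy to miss by eye but easy to check for mechanically. The following is an added example, not code from this post or from WordPress: it scans a set of constructed post revisions and reports which ones carry links a reader would never see. The `REVISIONS` dict and the `example.invalid` URLs are made-up sample data.

```python
import re
from html.parser import HTMLParser

# Constructed sample revisions of one post, mimicking the pattern in the post:
# clean, spammed (comment + display:none span), cleaned, spammed again.
REVISIONS = {
    1: "<p>Our trip report.</p>",
    2: ('<p>Our trip report.</p><!-- <a href="http://example.invalid/pills">buy</a> -->'
        '<span style="display:none"><a href="http://example.invalid/more">cheap</a></span>'),
    3: "<p>Our trip report.</p>",
    4: ('<p>Our trip report.</p>'
        '<div style="visibility: hidden"><a href="http://example.invalid/again">x</a></div>'),
}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
HIDDEN_STYLE_RE = re.compile(r'display\s*:\s*none|visibility\s*:\s*hidden', re.IGNORECASE)
VOID = {"br", "img", "hr", "input", "meta", "link"}  # tags that never get a closing tag


class HiddenLinkFinder(HTMLParser):
    """Collect hrefs that sit inside HTML comments or inside elements whose
    inline style hides them; crawlers still follow both, readers see neither."""

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, is_hidden) for each open element
        self.hidden_links = []

    def handle_comment(self, data):
        self.hidden_links.extend(HREF_RE.findall(data))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDDEN_STYLE_RE.search(attrs.get("style") or ""))
        inside_hidden = hidden or any(h for _, h in self.stack)
        if tag == "a" and inside_hidden and attrs.get("href"):
            self.hidden_links.append(attrs["href"])
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy, unclosed markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(html):
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden_links


def audit_revisions(revisions):
    """Return {revision_id: [hidden links]} for only the revisions that carry any."""
    return {rid: links for rid, html in revisions.items() if (links := find_hidden_links(html))}
```

Run over the real `wp_posts` revision rows for a post, the revision ids this returns show exactly when the spam went in and came back out.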
