[Wylug-admin] Fwd: Removal from Google's index - responsibility

Thu Jul 10 16:54:50 UTC 2008

On Thu, 2008-07-10 at 12:01 +0100, Mark P. Conmy wrote:
> > I suspect that some bot has injected the junk either using a known
> > vulnerability in Wordpress or via the normal Wordpress comment process.
> 
> That would be my guess too, but the fact that it was mixed in with
> genuine content suggests either someone put it in deliberately _or_
> modifications to the actual PHP (to append this) _or_ some backdoor that
> modifies (rather than inserting) content.
> 
> Basically, four announcements had significant numbers of drug references
> _appended_.  But, they had style "display:none" which means that while
> they were in the source, they weren't visible.  Why?

I'm responsible for a bunch of Wordpress installations and this happens
often.  Spammers exploit bugs in Wordpress to inject hidden content and
links into legitimate posts.  This usually links to others sites in a
hope to use your search engine page rank to boost the importance of
their crap (often they have huge networks of sites that interlink).  

It's usually done automatically - Wordpress having a roughly standard
installation and considerable "market share" makes it the Windows of web
apps.

There are some things that can be done to make it less vulnerable (make
it less standardised) in addition to keeping it up to date.  Right now,
if we're not running Wordpress 2.5.1, we're very likely vulnerable to
exploitable bugs that spammers are actively using.

> Yes, but who takes _responsibility_?  If I do as you say, what if
> someone else objects?  I want _one_ name or clear agreement on a number
> of names.  And not just on one person's say-so.

It was agreed at the last wylug admin meet (by all present) that I would
take responsibility for finding options for the future of the WYLUG
website.  I haven't done this yet.  I'd be happy to take responsibility
of the current system in the mean time though - I'd think that would be
an acceptable extension of my current responsibilities.

Given shell access to the box I could get Wordpress upgraded (assuming
not too much weirdness in the setup/permissions), and I'd put it on my
Wordpress upgrade procedure so I'd keep it up to date in future (yes I
have a procedure, I have rather a lot of Wordpress sites that need
update rather too often *sighs).

Not sure how we can go about you trusting me to give me access though
Mark as we don't know each other so well.  Dave moreso perhaps, but we
haven't swapped gpg keys or anything :/

John.