[Wylug-admin] Fwd: Removal from Google's index - responsibility

[Mark P. Conmy]

On Thu, 10 Jul 2008, John Leach wrote:
> On Thu, 2008-07-10 at 12:01 +0100, Mark P. Conmy wrote:
>>> 
>>> I suspect that some bot has injected the junk either using a known
>>> vulnerability in Wordpress or via the normal Wordpress comment process.
>>
>> That would be my guess too, but the fact that it was mixed in with
>> genuine content suggests either someone put it in deliberately _or_
>> modifications to the actual PHP (to append this) _or_ some backdoor that
>> modifies (rather than inserting) content.
>>
>> Basically, four announcements had significant numbers of drug references
>> _appended_.  But, they had style "display:none" which means that while
>> they were in the source, they weren't visible.  Why?
>
> I'm responsible for a bunch of Wordpress installations and this happens
> often.  Spammers exploit bugs in Wordpress to inject hidden content and
> links into legitimate posts.  This usually links to others sites in a
> hope to use your search engine page rank to boost the importance of
> their crap (often they have huge networks of sites that interlink).
>
> It's usually done automatically - Wordpress having a roughly standard
> installation and considerable "market share" makes it the Windows of web
> apps.

And being based on PHP, the best magnet for dodgy web developers...

> There are some things that can be done to make it less vulnerable (make
> it less standardised) in addition to keeping it up to date.  Right now,
> if we're not running Wordpress 2.5.1, we're very likely vulnerable to
> exploitable bugs that spammers are actively using.
>
>> Yes, but who takes _responsibility_?  If I do as you say, what if
>> someone else objects?  I want _one_ name or clear agreement on a number
>> of names.  And not just on one person's say-so.
>
> It was agreed at the last wylug admin meet (by all present) that I would
> take responsibility for finding options for the future of the WYLUG
> website.  I haven't done this yet.  I'd be happy to take responsibility
> of the current system in the mean time though - I'd think that would be
> an acceptable extension of my current responsibilities.
>
> Given shell access to the box I could get Wordpress upgraded (assuming
> not too much weirdness in the setup/permissions), and I'd put it on my
> Wordpress upgrade procedure so I'd keep it up to date in future (yes I
> have a procedure, I have rather a lot of Wordpress sites that need
> update rather too often *sighs).

Oh, there's weirdness, not least being safe_mode.

Personally, I would prefer PHP was avoided.

> Not sure how we can go about you trusting me to give me access though
> Mark as we don't know each other so well.  Dave moreso perhaps, but we
> haven't swapped gpg keys or anything :/

I can pass on the password on Monday in person.

Mark