Opened 6 years ago

Closed 6 years ago

#6992 closed Bug/Something is broken (fixed)

Viagra ads when you google our site

Reported by: Liz Mestres
Owned by: Ross
Priority: Medium
Component: Tech
Keywords: site-compromised google pharma-hack
Cc:
Sensitive: no


Here is a link when you google Brecht Forum: Is there anything we can do to fix this?

Change History (6)

comment:1 Changed 6 years ago by Ross

Keywords: site-comprmised added

Hi Liz,

I found one corrupt file 'common.php' in web root. I've moved it to your home directory, out of the way. I don't know if this will fix the problem, but we can wait and see.


comment:2 Changed 6 years ago by Ross

Owner: set to Ross
Status: new → assigned

comment:3 Changed 6 years ago by Daniel Kahn Gillmor

Keywords: site-compromised google added; site-comprmised removed

It's probably also worth reviewing the site's database for any corrupted content (e.g. at least mysqldump --skip-extended-insert $dbname | grep -i viagra or something), and checking the modification date on the corrupted file to try to track down when the compromise happened. If some user's password was cracked in order to be able to make these changes, it would be good to know, and worth changing the password on that account.

We can also do better than "wait and see" with regards to google's decisions and representation about the site. google has some directions about what to do to get google to review the site after cleanup (i found that link by clicking on the "this site may be compromised" link from the search page, and then following the webmaster "instructions" link on that page. I know google changes what they display for different people, but those links were present for me when i followed lmestres's link anyway).

comment:4 Changed 6 years ago by Ross

Keywords: pharma-hack added

I have figured out how the hack worked. It's deemed the Pharma hack and you can read about it here:

In the version you were subject to, the hack was able to get write access to the file system and put a php file on the site. I have not figured out how this vulnerability. Once they had write access, they added to the .htaccess file directing all google and yahoo robot traffic to group.php, which subsequently re-wrote the page to include the spam content.

In the process of debugging this site, I also discovered numerous .csv files in the web directory fully accessible, which listed over 2000 Brecht Forum contacts. You should not be storing such files such that the whole world can download them. I have moved them into ~/backup-csv.

This site really needs to be cleaned up. There is one security update for organic groups that should be implemented immediately, but please try to walk through the whole site and remove any unnecessary or unused modules and content that does not need to be seen by the world...files like this one.

Anyway, I also made the .htaccess file unwritable, so this particular hack should no longer be possible.
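
The checks raised in comments 3 and 4 (crawler-conditional .htaccess rules, a writable .htaccess, .csv exports under the web root, and files changed after the known-bad file), gathered into one read-only audit script. This is an added example, not part of the original ticket or the site's tooling; the function names, the fixture files and the crawler patterns (google, yahoo, slurp) are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the ticket: read-only checks for the traces the
# thread describes. Fixture files and function names are constructed.

# 1. .htaccess conditions keyed on a search-engine crawler or referrer,
#    the trigger that sent only Google/Yahoo robot traffic to the PHP file.
crawler_rules() {
    find "$1" -type f -name .htaccess -exec grep -HniE \
        'RewriteCond.*HTTP_(USER_AGENT|REFERER).*(google|yahoo|slurp)' {} + || true
}

# 2. .htaccess files that still carry a write bit for owner, group or other.
writable_htaccess() {
    find "$1" -type f -name .htaccess \
        \( -perm -200 -o -perm -020 -o -perm -002 \)
}

# 3. Data exports sitting under the web root, where they can be downloaded.
exposed_csv() {
    find "$1" -type f -iname '*.csv'
}

# 4. Files modified after a known-bad file, to help date the compromise.
changed_since() {
    find "$1" -type f -newer "$2"
}

# Constructed fixture: a tiny web root that exhibits each condition.
make_fixture() {
    d=$(mktemp -d)
    printf '%s\n' 'RewriteEngine On' \
        'RewriteCond %{HTTP_USER_AGENT} (googlebot|slurp) [NC]' \
        'RewriteRule ^ group.php [L]' > "$d/.htaccess"
    echo '<?php /* placeholder for the corrupt file */' > "$d/common.php"
    echo 'name,email' > "$d/contacts.csv"
    touch -t 201001010000 "$d/common.php"
    touch -t 201001020000 "$d/.htaccess"
    touch -t 200912010000 "$d/contacts.csv"
    echo "$d"
}

root=$(make_fixture)
crawler_rules "$root"
writable_htaccess "$root"
exposed_csv "$root"
changed_since "$root" "$root/common.php"
rm -rf "$root"
```

Point the four functions at the real web root instead of the fixture; none of them modifies anything.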


comment:5 Changed 6 years ago by Ross

Resolution: fixed
Status: assigned → feedback

comment:6 Changed 6 years ago by automatic

Status: feedback → closed

No news is good news (we hope)! Given the lack of feedback, we think this ticket can be closed.
