Uli's Web Site
[ Zathras.de - Uli's Web Site ]
Other Sites: Stories
Abi 2000
Stargate: Resurgence
Lost? Site Map!
     home | blog | moose | programming | articles >> blog

 Blog Topics

15 Most Recent [RSS]

 Less work through Xcode and shell scripts
2011-12-16 @600
 iTunesCantComplain released
2011-10-28 @954
 Dennis Ritchie deceased
2011-10-13 @359
 Thank you, Steve.
2011-10-06 @374
 Cocoa Text System everywhere...
2011-03-27 @788
 Blog migration
2011-01-29 @520
 All you need to know about the Mac keyboard
2010-08-09 @488
 Review: Sherlock
2010-07-31 @978
 Playing with Objective C on Debian
2010-05-08 @456
 Fruit vs. Obst
2010-05-08 @439
 Mixed-language ambiguity
2010-04-15 @994
 Uli's 12:07 AM Law
2010-04-12 @881
 Uli's 1:24 AM Law
2010-04-12 @874
 Uli's 6:28 AM Law
2010-04-12 @869
 Uli's 3:57 PM Law
2010-04-12 @867


Insidious Aspma dot Com WordPress Hack!

It appears a site named aspma.com is laying Google-bait by hacking into other websites. The only common denominator I've found so far is that the sites all seem to be using WordPress, and they seem to be inserting their spam into the actual post message. The insidious thing about this hack is they're using the following code fragment (link replaced with 'xxx'):

<div class='fds432' style='overflow:auto;width:0;height:0;'>
<p>Do you want <a href="xxx">download mp3 music</a> from online mp3 archive,
You find where <a href="xxx">mp3 music download</a> for mp3 player.</p></div></p>

Yes, ladies and gentlemen, this is a DIV with width and height set to zero. This means that it doesn't show up when you look at your page, only in the RSS feed if you're lucky, or when you search the page source code. However, it is visible on the site for Google, which thinks the hacked site was linking to that target site.

A quick search on Google by my sister already found seven infected sites, and that is not counting the site I found it on (it's a tad hard to google for this term).

If you have a web site, I recommend you search your own site for such width:0 and height:0 tags and similar invisible content. Google Blog Search seems to be a good tool for finding some infected sites, though apparently not all of them, so try several.

Update: Peter Hosey is currently investigating this matter, and according to him it looks like they're going through WordPress' xmlrpc.php file, and there seems to be increased traffic hitting that file.

Reader Comments: (RSS Feed)
No comments yet
Comment on this article:
E-Mail: (not shown, hashed for Gravatar)
Web Site URL: (optional)
Comment: (plain text only)
Please Enter the following word:
Or E-Mail Uli privately.

Created: 2008-03-24 @506 Last change: 2008-03-25 @764 | Home | Admin | Edit
© Copyright 2003-2015 by M. Uli Kusterer, all rights reserved.