Insidious Aspma dot Com WordPress Hack!

It appears a site named aspma.com is laying Google-bait by hacking into other websites. The only common denominator I've found so far is that the sites all seem to be using WordPress, and the attackers seem to be inserting their spam into the actual post message. The insidious thing about this hack is that they're using the following code fragment (link replaced with 'xxx'):

<div class='fds432' style='overflow:auto;width:0;height:0;'>
<p>Do you want <a href="xxx">download mp3 music</a> from online mp3 archive,
You find where <a href="xxx">mp3 music download</a> for mp3 player.</p></div></p>

Yes, ladies and gentlemen, this is a DIV with width and height set to zero. This means that it doesn't show up when you look at your page, only in the RSS feed if you're lucky, or when you search the page source code. However, it is still in the site's markup for Google to read, and Google then thinks the hacked site is linking to that target site.

A quick search on Google by my sister already found seven infected sites, and that is not counting the site I found it on (it's a tad hard to google for this term).

If you have a web site, I recommend you search your own site for such width:0 and height:0 styles and similar invisible content. Google Blog Search seems to be a good tool for finding some infected sites, though apparently not all of them, so try several.
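
One way to run that search over your own post bodies, as an added example (not code from the original post): a Python check that flags elements whose inline style is a zero-size box, `display:none` or `visibility:hidden`, and lists the links inside them. The function names and the sample post are constructed here, and the check only looks at inline styles, not stylesheets.

```python
import re
from html.parser import HTMLParser
# Inline styles that hide an element from visitors while leaving it in the markup.
ZERO = r"(?:^|;)\s*{}\s*:\s*0(?:px|em|%)?\s*(?:;|$)"
OTHER_HIDING = re.compile(r"(?:^|;)\s*(?:display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags that never get a closer

def is_hidden(style):
    style = style or ""
    zero_box = all(re.search(ZERO.format(p), style, re.I) for p in ("width", "height"))
    return zero_box or bool(OTHER_HIDING.search(style))

class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []    # currently open elements as (tag, record-or-None)
        self.hidden = []   # one record per element with a hiding style

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        record = None
        if is_hidden(attrs.get("style")):
            record = {"tag": tag, "class": attrs.get("class") or "", "links": []}
            self.hidden.append(record)
        if tag not in VOID:
            self.stack.append((tag, record))
        if tag == "a" and attrs.get("href"):
            for _, rec in reversed(self.stack):  # nearest hidden element, itself included
                if rec is not None:
                    rec["links"].append(attrs["href"])
                    break

    def handle_endtag(self, tag):
        # Pop back to the matching opener; a stray closer with no opener is ignored.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_links(html):
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return [rec for rec in finder.hidden if rec["links"]]

# Constructed sample post body: one visible link plus the fragment quoted above.
SAMPLE_POST = """<p>My post, with a <a href="https://example.org/">normal link</a>.</p>
<div class='fds432' style='overflow:auto;width:0;height:0;'>
<p>Do you want <a href="xxx">download mp3 music</a> from online mp3 archive,
You find where <a href="xxx">mp3 music download</a> for mp3 player.</p></div></p>"""
```

Calling `find_hidden_links(SAMPLE_POST)` returns a single record for the `fds432` DIV with its two links; the visible link in the first paragraph is not reported.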

Update: Peter Hosey is currently investigating this matter, and according to him it looks like they're going through WordPress' xmlrpc.php file, and there seems to be increased traffic hitting that file.

