• November 30th, 2007

      How to Remove Wordpress.net.in Spam Injection

      wordpress-blackhat-seo-spam.png image by chaoskaizer

      I found this while browsing the WordPress support forum: some of these victims update their default_filters.php and upload class-mail.php inside their WordPress without being aware that it’s a backdoor (wordpress.net.in). There is no class-mail.php in WordPress, only class-phpmailer.php, so don’t get confused by it.

      Below is a quick workaround for removing the offending goro spamware injection before Google bans you from the internet pipes.

      Workaround

      • Temporarily disable remote includes in your php.ini settings.
        ;;;;;;;;;;;;;;;;;;
        ; Fopen wrappers ;
        ;;;;;;;;;;;;;;;;;;
        
        ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
        allow_url_fopen = off
        allow_url_include = off
        
      • Check your .htaccess for suspicious redirects.
      • Find class-mail.php inside the “*/wp-includes/” directory and remove it.
      • Find the following code inside “*/wp-includes/default_filters.php” and remove it.
        add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
        function wpc7c16b8466d864eeefd20050625c7775() {
        @include('./wp-includes/class-mail.php');
        if(sizeof($wparr)>0){
        echo "!div id=\"goro\"!";
        foreach($wparr as $k=>$v){
        echo "".ucwords($v['key'])."\n";
        if($i++==$inum) break;
        }
        echo "!/div!".$_footer;
        }
        }
        
      • Robots.txt Exclusion

        Optional - Prevent Googlebot from indexing the static spam page.
        Log in to WordPress Admin > Manage > Files > Other Files → key in “Robots.txt”. Add the following code.

        User-agent: Googlebot
        Disallow: /*?*
        Disallow: /*?
        

        Refer to robots.txt.

      Possible WordPress class files (suspicious) that may be tampered with

      Compute the MD5 checksum of the following files and compare it with the official versions from the WordPress Release Archive.
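      One way to run this comparison over a whole tree, as an added example that is not part of the original post: it hashes every file in a clean copy extracted from the official release archive and in the live install, then lists files that differ and files that exist only in the live install (such as class-mail.php). It uses SHA-256 instead of MD5, which makes no difference for a local comparison; the directory layout and file contents in `demo()` are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_trees(clean_root, live_root):
    """Compare a live install against a clean copy of the same release."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        # present in both, but the content differs (e.g. default_filters.php)
        "modified": sorted(f for f in clean.keys() & live.keys() if clean[f] != live[f]),
        # not shipped in the release at all (e.g. class-mail.php)
        "extra": sorted(live.keys() - clean.keys()),
        # shipped in the release but deleted from the live install
        "missing": sorted(clean.keys() - live.keys()),
    }


def demo():
    """Constructed sample trees: one tampered file and one dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "clean", "wp-includes")
        live = Path(tmp, "live", "wp-includes")
        clean.mkdir(parents=True)
        live.mkdir(parents=True)
        for name in ("default_filters.php", "compat.php", "class-phpmailer.php"):
            stub = f"<?php // constructed stand-in for {name}\n"
            (clean / name).write_text(stub)
            (live / name).write_text(stub)
        with (live / "default_filters.php").open("a") as fh:
            fh.write("add_action('wp_footer','constructed_injected_hook');\n")
        (live / "class-mail.php").write_text("<?php // constructed stand-in\n")
        return compare_trees(clean.parent, live.parent)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

      Extra files are expected under wp-content (plugins, themes, uploads); inside wp-includes any extra or modified file needs a closer look.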

      The above methods only remove and disable the spam links; there is no guarantee that they will protect you from future vulnerabilities. Back up (or export your posts using WordPress eXtended RSS, WXR) and perform a full upgrade.

      Dec 13, 2007

      I just noticed this recently. You’ll need to check your site’s HTTP headers. Most of the hijacked websites don’t respond with the correct HTTP status header (400<>500). My guess is they did this to cloak from being crawled by search engine spiders. If you have cleaned all the infected files and your header doesn’t respond correctly, get a rootkit scanner.

      Check your website’s status header, and try cloaking your browser (UA) as a search engine crawler. The following screenshot shows how to set this up at web-sniffer.net.

      change user agent strings as googlebot

      This method may not work if the cloaking scripts use IP-based tracking. So try different user agent strings (e.g. inktomi, askjeeves, ia_archiver).
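      The same check can be scripted against your own site, shown here as an added example that is not part of the original post: it requests a page once as a browser and once per crawler user agent, then reports differing status codes or the `goro` div appearing only for crawlers. The user agent table, `constructed_fetcher` and the `blog.example` URL are assumptions for illustration; pass no fetcher to query a real URL.

```python
import urllib.error
import urllib.request

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
CRAWLER_UAS = {
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "ia_archiver": "ia_archiver",
}
SPAM_MARKER = b'id="goro"'  # div id echoed by the injected footer hook


def fetch(url, user_agent, timeout=10):
    """GET url with the given User-Agent; return (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx are findings, not failures
        return err.code, err.read()


def cloaking_findings(url, fetcher=fetch):
    """Compare what a browser sees with what each crawler User-Agent sees."""
    base_status, base_body = fetcher(url, BROWSER_UA)
    findings = []
    if SPAM_MARKER in base_body:
        findings.append(("browser", "spam marker in page"))
    for name, agent in CRAWLER_UAS.items():
        status, body = fetcher(url, agent)
        if status != base_status:
            findings.append((name, f"status {status}, browser got {base_status}"))
        if SPAM_MARKER in body and SPAM_MARKER not in base_body:
            findings.append((name, "spam marker served to crawler only"))
    return findings


def constructed_fetcher(url, user_agent):
    """Constructed stand-in for a cloaked site, so the check runs offline."""
    if "Googlebot" in user_agent:
        return 200, b'<html><div id="goro">links</div></html>'
    if user_agent == "ia_archiver":
        return 404, b"not found"
    return 200, b"<html>clean page</html>"


def demo():
    return cloaking_findings("http://blog.example/", constructed_fetcher)
```

      An empty result does not prove the site is clean, since a script that cloaks by source IP address ignores the user agent header entirely.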

      Firefox Browser

      You can also override your user agent string in Firefox ↓.

      about:config → general.useragent.override = 'ua string'

      Wordpress.net.in Backdoor

      Extra info

      Wordpress.net.in Doorway

      Dec 24, 2007 - http://www.wordpress.net.in/mentors/alxumuk/

      Backdoor Files

      inside wp-includes directory.

      • compat.php - (replace with latest version)
      • class-mail.php - (delete)

      Scan for and remove all backdoor files, then create a .htaccess file inside wp-includes and wp-content/plugins. Add the following code to disable directory listing (prevents information leaks and directory search indexing).

      Options -Indexes

      Wordpress.net.in New Partner

      Feb 23rd, 2008: We found a signature similar to wordpress.net.in at qwetro.com (Germany). Probably from the same attacker with a different agenda.


16 Responses to “How to Remove Wordpress.net.in Spam Injection”

    • How to remove spam links on a blog - afroarticles.com | had's photo had.si
    • RE: How to Remove Wordpress.net.in Spam Injection
      5 months, 1 week ago on December 13th, 2007 at 6:21 pm 3 url · microId
      1

      [...] on the same problem, but apparently very few of them have solved it all. But Google works wonders: How to Removed Wordpress.net.in Spam Injection Infected by ‘Goro’ Spam class-mail.php Backdoor And the solution is [...]

    • Patricia Lucero's photo Patricia Lucero
    • RE: How to Remove Wordpress.net.in Spam Injection
      3 weeks, 3 days ago on April 27th, 2008 at 12:11 pm 3 url · microId
      14

      If you would be so kind as to help me clean the infected files, of which there are quite a few; your program is interesting to learn, but I am not an expert in this.

      Could you help me with this? I would be enormously grateful.

      Thanks
      Sincerely
      Patricia

    • Avice De’veréux's photo Avice De'veréux
    • RE: How to Remove Wordpress.net.in Spam Injection
      2 weeks, 5 days ago on May 2nd, 2008 at 3:03 am 3 url · microId
      16

      There are two versions of goro spam.

      1. The first goro used 'javascript' code (embedded inside the footer). You can view the spam links if you have no-scripts (ff addons) or javascript disabled..
      2. The latest one uses css to hide the links ( left:-31337px - outside of viewport;) ..
      3. If you still can't remove the spam links, try editing theme>header.php and theme>footer.php: find and comment out 'wp_head()' and 'wp_footer()' temporarily (this will also disable any plugins and widgets that depend on this hook)..
