I may have inadvertently set the access parameters to deny access to all but my own IP Addresses last night, so you may have found this site to be “forbidden” over the past 12 hours. I was following a security suggestion on a site with follow-up advice for cleaning up after the Pharma hack, and it may have locked everyone outside of my own IP address out of the site. Hopefully we’re back on now.
Here’s what happened. Apparently, the spammers have taken things to the next level. First, it was trackback spam–spammers pretending like they were referring to posts on my site in hopes of getting their sited link on a “top ten trackback” list. IIRC, they were the main reason people stopped using those lists. Next, it was spam comments filled with links to their spam sites, including attempts to get smarter with contextual spam. That got fought off with spam filters. After that, it was referral spam, in which they pretended to refer people to my site via links on theirs, thus making the top-referrer lists (again making such lists unpopular). Then it was splogs, stealing content from genuine sites to attract attention to their own. Then a resurgence of comment spam which forced me to change platforms.
For the past few years, though, everything was fairly quiet on the spam front; comment spam was controlled by Akismet, trackbacks are long history, and I stopped caring much about referral stats or splogs.
And then Matthew noted in the comments that something was weird about my site on Google.
If you do a Google search for “BlogD,” he pointed out, my site came up–but instead of reading as normal, it seemed instead to be a site selling drugs. The Google result made even the name of my blog seem like a spam banner, and the content full of pharma ads. Now, if you clicked on the link to my actual blog, you’d be taken here, which would be perfectly normal. But if you clicked on the cached site, you’d see something like this:
That’s not just for the plain “BlogD” search, but for a search for any content on my site–the above result was from a search for “Softbank iPhone 4,” for which I am high on Google’s results. In short, it seems that most if not all of my listings on Google are currently like this, and I’ll have to wait for the crap to cycle out.
The weird thing is, my actual site is completely unaffected, at least on the surface. But it is as if Google is seeing an alternate-universe version of my site, choked with spam. Interestingly, in the cached site on Google, most links are normal and point back to my site. Even added links–a “Similar Posts” list, which doesn’t exist on my site but is added to the cached page, links back to my site despite the link tags being spammy–but they also added a “Trackbacks” listing, and that’s where you’ll find loads of their links, and the reason they did what they did.
So, what did they do? Apparently, they hacked my site, in what is being called the Pharma Hack or the Google Cloaking Hack, in which the spammers somehow gain access to your WordPress blog (likely through a vulnerability in a plug-in or the blog software itself, I haven’t found anyone who knows how it works yet), and essentially take it over. They hide their code in various files throughout your site, inject code into your database, and then they have their way.
The clever part of it is that on the surface, your blog looks normal–and you won’t know anything is happening until you do a Google search. The hack leaves your site apparently untouched, a smart move as outward changes would prompt immediate corrective action. But you have to remember, the spammers are not as much interested in your site as they are in the Google Juice that it can generate for them. And that’s what this hack is primed to do: harvest all your Google Juice and redirect it to the spammers.
Even as the site looks perfectly normal to you and everyone who visits, when Google’s crawlers come to your site, somehow the hacked parts of your blog make Google see only a heavily spammed version of your site–what shows up in Google’s cache, as shown above.
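A way to check for this behaviour from the outside, as an added example that is not part of the original post: request the same page as a browser and as Google's crawler, then report spam terms and link hosts that appear only in the crawler's copy. It assumes the cloaking keys on the User-Agent header; the word list and the sample pages are constructed for illustration.

```python
import re
import urllib.request
from html.parser import HTMLParser

# Assumption: the injected code decides what to serve from the User-Agent
# header. Cloaking that verifies the crawler's IP address will not trigger.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Illustrative word list, not taken from the post.
SPAM_TERMS = re.compile(r"\b(viagra|cialis|pharmacy|pills)\b", re.I)

class LinkCollector(HTMLParser):
    """Collect the host name of every absolute <a href> on a page."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        m = re.match(r"https?://([^/:?#]+)", href, re.I)
        if tag == "a" and m:
            self.hosts.add(m.group(1).lower())

def fetch(url, user_agent):
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

def link_hosts(html):
    collector = LinkCollector()
    collector.feed(html)
    return collector.hosts

def cloaking_report(browser_html, crawler_html):
    """Return the spam terms and link hosts seen only in the crawler's copy."""
    terms = ({t.lower() for t in SPAM_TERMS.findall(crawler_html)}
             - {t.lower() for t in SPAM_TERMS.findall(browser_html)})
    hosts = link_hosts(crawler_html) - link_hosts(browser_html)
    return {"terms": sorted(terms), "hosts": sorted(hosts),
            "cloaked": bool(terms or hosts)}

def check_site(url):
    return cloaking_report(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))

# Constructed sample pages: what a visitor gets versus what a crawler gets.
SAMPLE_BROWSER = '<title>BlogD</title><a href="http://blog.example/post">Post</a>'
SAMPLE_CRAWLER = ('<title>Buy Cheap Pills - BlogD</title>'
                  '<a href="http://blog.example/post">Post</a><h3>Trackbacks</h3>'
                  '<a href="http://spam.example/viagra">viagra</a>')
```

Calling `check_site(url)` on your own pages runs the live comparison. Pages with rotating widgets can differ between any two fetches, so treat a hit as a prompt to read the crawler copy by hand.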
So in response, I followed the laundry list of advice on the sites reporting it–updated all my software, deleted all plug-ins and reinstalled only a few, checked my database and deleted the hacked portions, as well as a half-dozen other things.
One of them, unfortunately, was an attempt to restrict control of the site via access files, which inadvertently seems to have shut down the site to anyone but myself. I caught this when Ken reported my site down, and corrected it, which should be evident if you’re reading this post.
Alas, the hack often leaves bits of itself in places hard to find, so I will have to keep watching the database to see if re-infection occurs. So far, the hack does not seem to be destructive in nature, just parasitic. But it may be a while before I can feel somewhat confident that the site is clean.
What worries me is what will come next. Trackback, comments, referral, splogs, comments again, and now site hacking. I have to figure it will only keep ramping up.