jordswart.org

Home of a content challenger

StopBadware.org replies

Yesterday I received an email from stopbadware.org. They reviewed my site and found no further problems:

Google’s most recent test of your website found no badware behaviors on the site.  As such, the Google warning page for your site has either already been removed or should be removed shortly.  In addition, if your site has been listed in our Badware Website Clearinghouse, we will remove your site from the Clearinghouse list.

So far so good, a bit late maybe, since my site has been unblocked for about a week. However, the last paragraph of the email reads:

Please note that we will be retesting your website at periodic intervals in order to monitor that it remains free from badware. If we find that you are hosting or distributing badware in the future, the reviews process may take considerably longer than the original review.

Now this really made me laugh. The next review process might take even longer? Due to the lack of information provided by stopbadware.org and Google, my site was marked as a badware site for approximately two and a half weeks. It took stopbadware.org another week to review my site after Google found it was clean. But when I get hacked again, it might take them even longer to respond than they already needed?

Considering the cooperation between Firefox and stopbadware.org, I might have to switch to Opera, or God help me, even Internet Explorer.

Blocked by Google

On February the 5th WordPress released version 2.3.3 of their blog software. This release fixed the following issue:

WordPress 2.3.3 is an urgent security release. If you have registration enabled a flaw was found in the XML-RPC implementation such that a specially crafted request would allow a user to edit posts of other users on that blog.

On February the 10th I applied version 2.3.3 to my site.

Three days later Ubuntu Hardy installed the new Firefox 3.0 beta. This version of Firefox works very closely with stopbadware.org to prevent users from accessing malware or badware sites. I found this feature when I used Firefox to visit my own site. I was informed of the fact that my site actively distributes or promotes malware and Firefox will not allow access to it. Disabling one of the security features in Firefox restored the access to my site. I instantly understood that my site had been hacked (again) in the last couple of days.

Trying to find out what was going on, I read a lot of information on the stopbadware.org pages. Stopbadware.org is backed by Google, so it is not surprising they use Google techniques to decide which sites are badware (or malware). A Google search for my site today gives the following result (I also tried the same search on Yahoo, MSN and ASK.COM. Those engines have no problem with my site since they do not try to block access to malware sites):

Jordswart.org Malware?

Doing some more research I found that Google’s webmaster tools will give me an option to let Google do a review of my site. The bad thing I found was that Google does not tell you what is wrong with your site. They only state that there is something wrong. This makes it very hard to debug the site and fix the problem. I ended up going through all the pages and have a look at the source of each.

I found two hidden links. The links were hidden in <noscript> tags, so they were not visible to the visitors of my webpage; they were just there for search engines to enjoy (I guess the person who inserted the links hopes to gain more attention if his site gets linked to a lot). So I removed the links, did some queries on my database and decided my site was completely clean. Then I asked Google to re-evaluate my site.
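Going through every page by hand, as described above, does not scale, and the same trick tends to come back after the next compromise. The scanner below is an added example, not code from this site or from WordPress, and it assumes nothing beyond the Python standard library. It flags any link that sits inside a <noscript> block, which is exactly what was found here, and it also generalises to the other common hiding trick of injected SEO spam: links inside elements hidden with an inline display:none or visibility:hidden style. The sample HTML is constructed for the example; the spam.example hostnames are placeholders.

```python
"""Find links that visitors never see but search engines still index.

Added example (not code from jordswart.org). Flags <a href> elements that
sit inside <noscript>, or inside any element hidden with an inline
style of display:none / visibility:hidden, the usual hiding tricks of
injected SEO link spam. Standard library only.
"""
import re
import sys
from html.parser import HTMLParser

# Inline style fragments that make an element invisible to a browser user.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Elements that never have a closing tag, so they must not go on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


class HiddenLinkScanner(HTMLParser):
    """Track the open-element stack and remember why each level is hidden."""

    def __init__(self):
        super().__init__()
        self.stack = []      # list of (tag, hide_reason_or_None)
        self.findings = []   # list of (href, reason, line_number)

    def _hidden_reason(self):
        # Any hidden ancestor hides everything below it.
        for _tag, reason in self.stack:
            if reason:
                return reason
        return None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        reason = None
        if tag == "noscript":
            reason = "inside <noscript>"
        elif HIDDEN_STYLE.search(attrs.get("style") or ""):
            reason = "inside <%s> hidden via inline style" % tag
        if tag == "a":
            href = attrs.get("href")
            hidden_by = self._hidden_reason() or reason
            if href and hidden_by:
                self.findings.append((href, hidden_by, self.getpos()[0]))
        if tag not in VOID_TAGS:
            self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy markup that
        # closes elements out of order.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(html):
    """Return [(href, reason, line)] for every link a visitor cannot see."""
    parser = HiddenLinkScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_file(path):
    """Scan one saved page (or a dumped post_content column) on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hidden_links(fh.read())


# Constructed sample: one legitimate link and three hidden ones.
SAMPLE = """<html><body>
<p>Normal post text with a <a href="https://example.org/ok">visible link</a>.</p>
<noscript><a href="http://spam.example/ringtones">free ringtones</a></noscript>
<div style="display:none"><p><a href="http://spam.example/more">more</a></p></div>
<a style="visibility: hidden" href="http://spam.example/third">x</a>
<noscript><img src="tracker.gif" alt=""></noscript>
</body></html>"""


if __name__ == "__main__":
    paths = sys.argv[1:]
    results = ([(p, f) for p in paths for f in scan_file(p)] if paths
               else [("<sample>", f) for f in find_hidden_links(SAMPLE)])
    for path, (href, reason, line) in results:
        print("%s:%d: %s (%s)" % (path, line, href, reason))
```

Run it over the saved HTML of each page (wget -r of the site works), or over the post_content column exported from the wp_posts table, since that is where WordPress keeps what the attacker edited. A <noscript> that only wraps a tracking image, as on the last sample line, is not reported; only anchors with an href are.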

Site got hacked

Update 20-02-2008:

Google does not allow this content here. Because the original text holds the name of the domain providing the advertisement, Google decided my site linked to advertisements. Effectively Google is censoring my webpage, and blogging about malware now seems to be impossible.

So the site got hacked. My nice little site was turned into a spam site for ‘mobile ring tones’. Ring tones are not something I would normally write about. So here is the information I could find about the whole event.

First thing to note: I was running on WordPress 2.2.1. The current WordPress version at this time of writing is 2.3.1, so the first thing I will do after creating this post is update to that version.

The posts include a couple of links: original text censored by Google (I had to remove the name of the site, let’s pretend it was an info site about some ringtones-top). If I go to that link it tells me that the offer is not available in my region and it redirects me to (finally) a company called original text censored by Google (again, posting this name puts me in danger of being marked as a malware site; it was a company called perfspot). For completeness' sake, I will include the result of whois for both websites:

Domain ID:D20274359-LRMS
Domain Name: censored by Google
Created On:17-Oct-2007 12:13:32 UTC
Last Updated On:17-Oct-2007 13:08:31 UTC
Expiration Date:17-Oct-2008 12:13:32 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:TRANSFER PROHIBITED
Registrant ID:A73F200DAE57EC01
Registrant Name:WhoisGuard Protected
Registrant Organization:WhoisGuard
Registrant Street1:8939 S. Sepulveda Blvd. #110 –
Registrant Street2:732
Registrant Street3:
Registrant City:Westchester
Registrant State/Province:CA
Registrant Postal Code:90045
Registrant Country:US
Registrant Phone:+1.6613102107
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:[email protected]

AND:

censored by Google
1275 W. Washington St.
Tempe, AZ 85281
US

Registrar: DOTSTER
Domain Name: censored by Google
Created on: 14-AUG-06
Expires on: 14-AUG-08
Last Updated on: 28-JUN-07

Administrative, Technical Contact:
,censored by Google [email protected]censored by Google
censored by Google
1275 W. Washington St.
Tempe, AZ 85281
US
888-311-7373

It seems that not every registrant at whoisguard.com is just avoiding spam here…

So let’s search Google for this issue. A combination of censored by Google and WordPress shows there is indeed an issue with the version of WordPress I am using.

It seems the spammers used a bug in theme.php and feed.php. My log files only go back 6 days, so I will probably not be able to find out who has been posting the stuff 🙁