So, the other day I noticed that my usually very lonely blog was getting a lot of traffic… My WordPress dashboard showed a spike in visits. After a bit of poking around in the stats I found something odd in the “search terms”. Most search terms are not provided on inbound clicks these days, so the vast majority are unknown, but here is a short list of search terms that were recorded:
- jijjiirraa barsiisotaa
- two sure for mark 2 today
- sipa gasy manja ty lelena
- games java waps itel keypad java waps
- sermon on overcoming delays in life dr paul eneunch
- baba ijebu key fairchance
- meaning of ibi in okun land
- iwulo imunmuna
- how to install apps on itel it9210 keypad phone
OK… According to Google Translate’s auto-detect there are Malagasy (Madagascar) and Yoruba (West African). Dr. Paul Eneunch is a pastor at a church in Nigeria. Itel is a Hong Kong-based manufacturer of low-cost mobile phones; if you search for it, a bunch of links to African operators and distributors come up. Two Sure is a Nigerian lottery. I’m seeing a pattern here… WTF?
A bit of poking around on the server and I located a bunch of garbage directories filled with binary junk, no readable text, in my wp-includes folder.
Searching for “site:confusion.cc wp-includes” on Google returned a bunch of links:
Nothing African on this list, but these are not things I posted on Confusion… But there were almost three thousand results. I did a quick scan of the first few pages of results; they were all over the place. I did not click on any of them (I should have taken a few screenshots). I’m guessing it was someone making money on adverts.
So I did a full rip and replace on Confusion. Rebuilt the whole server from a backup, updated everything, new passwords, verified WordPress was properly hardened… I never found anything specific in the logs or other data. I didn’t find any reports of specific vulnerabilities in any of the software. Not sure how they got in.
Maybe I should have tried to find a way to trace the ad account. I’m sure there would have been a key in the page for Google or some other ad network, but I didn’t think of it before I terminated the whole VM.
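The check that turned up the junk directories in wp-includes can be made repeatable. This is an added example, not code from the original post: it lists every directory in a live wp-includes tree that is missing from a clean reference copy and counts how many of its files look binary. The clean copy of the same WordPress version is an assumption, and the function names and sample directory names are hypothetical.

```python
import os
import tempfile
from pathlib import Path


def looks_binary(path, sample=4096):
    """Heuristic: a NUL byte, or under 70% printable ASCII in the first bytes."""
    with open(path, "rb") as fh:
        data = fh.read(sample)
    if not data:
        return False
    if b"\x00" in data:
        return True
    printable = sum(1 for b in data if b in (9, 10, 13) or 32 <= b < 127)
    return printable / len(data) < 0.70


def unexpected_dirs(live_root, clean_root):
    """Return (relative dir, file count, binary file count) for every directory
    under live_root that does not exist in the clean reference tree."""
    live_root, clean_root = Path(live_root), Path(clean_root)
    findings = []
    for dirpath, dirnames, _ in os.walk(live_root):
        rel = Path(dirpath).relative_to(live_root)
        for name in list(dirnames):
            if (clean_root / rel / name).is_dir():
                continue
            dirnames.remove(name)  # report the top of the unknown subtree once
            files = [p for p in (Path(dirpath) / name).rglob("*") if p.is_file()]
            findings.append(((rel / name).as_posix(), len(files),
                             sum(looks_binary(p) for p in files)))
    return sorted(findings)


def demo():
    """Constructed sample trees: a clean wp-includes and a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "js").mkdir(parents=True)
            (root / "js" / "core.js").write_text("console.log('ok');\n")
        (live / "x7f3q").mkdir()                      # constructed junk directory
        for n in ("a", "b"):
            (live / "x7f3q" / n).write_bytes(bytes(range(256)) * 8)
        (live / "js" / "extra").mkdir()               # unknown, but readable text
        (live / "js" / "extra" / "note.txt").write_text("plain text\n")
        return unexpected_dirs(live, clean)


if __name__ == "__main__":
    for rel, total, binary in demo():
        print(f"{rel}: {total} files, {binary} binary")
```

It only reports unknown directories; files added to or changed inside directories that do exist in the reference copy need a separate per-file hash comparison.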