October 31, 2014

Is the WordPress SEO-Slugs Plugin Hacked Or What?

I noticed something very odd in my blog logs today: Lots of requests for things I never wrote! I was getting hundreds of requests for “Christiano Ronaldo 2012 Boots” and other nonsense. A quick search revealed hundreds of links to my site promoting wallpaper images that I don’t host, all running through a disused WordPress plugin. I deleted the file, and couldn’t find any hack or intrusion, but I’m still wondering what exactly was going on here!

If you arrived on this page looking for a wallpaper image, you clicked through a site that included this hack. You’ll see the URL you clicked in the URL above after the “#!” part. I don’t have any such content, so you might as well go somewhere else, unless you care to read on regarding this puzzling hack!

SEO Slugs Injected Content On My 404 Page?

The issue lay with an old plugin I used to use called “SEO Slugs”. It removed “stop words” from the “slug” or URL of a blog post – things like “the” and “a” that search engines don’t want or need. I de-activated this plugin a while ago, and it appears it doesn’t work with modern versions of WordPress anyway. But I left the files around, a bad idea to be sure.

One annoying aspect of the WordPress plugin architecture is that even deactivated plugins can be called by name and executed. Deactivating a plugin only stops WordPress from loading it; its PHP files stay on disk under the web-accessible wp-content/plugins directory, so a request for one of them by URL still runs that file unless the file itself refuses direct access (for example, by exiting when WordPress’s ABSPATH constant is not defined). This was the root of the Timthumb exploit I wrote about in January, and it remains true for any plugin file that can be reached by URL. In this case, the URLs went directly to this plugin, since they all contained the prefix “/wp-content/plugins/seo-slugs/”.
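As an added example (not code from the original post or from the SEO Slugs plugin), here is a small Python scanner that picks out exactly this kind of traffic: requests that reach a plugin file directly, under /wp-content/plugins/, for a plugin that is not in the site’s active list. The log lines, hostnames and the active-plugin set below are constructed for illustration; in practice you would feed it the real access log and the plugin directory names from the site’s active_plugins option.

```python
"""Find access-log requests that execute inactive WordPress plugin files directly.

Added example, not code from the original post or from the SEO Slugs plugin.
The log lines, hostnames and the active-plugin set are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Any path under here runs a plugin file regardless of whether the plugin is active.
PLUGIN_PATH_RE = re.compile(r'^/wp-content/plugins/(?P<plugin>[^/]+)/(?P<file>[^?]*)')

# Constructed sample log (hypothetical addresses, hosts and timestamps).
SAMPLE_LOG = """\
203.0.113.10 - - [31/Oct/2014:10:01:12 +0000] "GET /wp-content/plugins/seo-slugs/seo-slugs.php?christiano-ronaldo-2012-boots HTTP/1.1" 404 5120 "http://wallpapers.example/ronaldo" "Mozilla/5.0"
198.51.100.7 - - [31/Oct/2014:10:02:44 +0000] "GET /wp-content/plugins/seo-slugs/seo-slugs.php?cute-kitten-wallpaper HTTP/1.1" 404 5014 "http://images.example/kittens" "Mozilla/5.0"
192.0.2.5 - - [31/Oct/2014:10:03:01 +0000] "GET /wp-content/plugins/akismet/akismet.js HTTP/1.1" 200 1234 "http://blog.example/post" "Mozilla/5.0"
192.0.2.6 - - [31/Oct/2014:10:03:30 +0000] "GET /2014/10/some-post/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Oct/2014:10:05:02 +0000] "GET /wp-content/plugins/seo-slugs/seo-slugs.php?christiano-ronaldo-2012-boots HTTP/1.1" 404 5120 "http://wallpapers.example/ronaldo" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def direct_plugin_hits(lines, active_plugins):
    """Yield requests for files of plugins not in ``active_plugins``.

    ``active_plugins`` is the set of plugin directory names WordPress has
    activated; any other directory under /wp-content/plugins/ is code the
    server will still execute even though the site owner no longer uses it.
    """
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec['target'])
        pm = PLUGIN_PATH_RE.match(parts.path)
        if pm is None or pm.group('plugin') in active_plugins:
            continue
        yield {
            'ip': rec['ip'],
            'plugin': pm.group('plugin'),
            'file': pm.group('file'),
            'query': parts.query,          # the string being fed to the plugin
            'status': int(rec['status']),
            'referer': rec['referer'],
        }


def summarize(hits):
    """Count hits per inactive plugin and collect the referring hosts."""
    per_plugin = Counter()
    referers = {}
    for h in hits:
        per_plugin[h['plugin']] += 1
        host = urlsplit(h['referer']).netloc or '-'
        referers.setdefault(h['plugin'], set()).add(host)
    return per_plugin, referers


if __name__ == '__main__':
    hits = list(direct_plugin_hits(SAMPLE_LOG.splitlines(), {'akismet'}))
    per_plugin, referers = summarize(hits)
    for plugin, n in per_plugin.most_common():
        print(f"{plugin}: {n} direct request(s), referred from {sorted(referers[plugin])}")
```

Anything the scanner reports is worth a look: a plugin you thought was gone still answering requests, or one that is active but being hit with query strings you never link to. The referring hosts are the useful lead for the “where is this traffic coming from” question.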

Somehow, by feeding this plugin a string, text and images would be added at the end of “the loop” from some unknown source. So my site returned my standard 404 page, but with a news report dropped into the sidebar you see at right. In the case of Christiano Ronaldo, it included a few paragraphs with text, too!

I was really concerned at first that my blog really had been compromised. I quickly took remedial action, changing my passwords and salts. Next, I checked my database manually using SQL queries and my filesystem using grep. But I didn’t find any “bad content” in my database or my filesystem. It appears that my site wasn’t compromised at all, fortunately.

What Happened Here?

I’m really puzzled, honestly. I can’t find any reference to a known hack of this plugin, and yet there are hundreds of references to my blog out there. Somewhere, a bot or spammer is filling sites with links to alleged jpeg files of various pop culture figures that all call my blog. Yet I don’t host this content!

I don’t see what benefit the spammer gets from all this. Sure, I’ve got a high-PageRank site. But this doesn’t appear to be a PageRank scam. Casual visitors to my site would never see this content (they have to hit a weird URL I would never link to) so it’s not typical spam. They’re not even freeloading on my server CPU and network bandwidth!

Stephen’s Stance

I guess it pays to delete disused plugins, something I’ve now done. But I’m still puzzled by all this, and I welcome comments or suggestions. Where’s the benefit for the perpetrator? Is there some nasty rock I haven’t turned over?