I spent yesterday cleaning up some awful link spam that littered several of the domains I own. Some crafty fellow had stuffed hidden links to illegal MP3 sites in the footer of as many index files as they could find. I thought it’d be a good idea to document it in case anyone else runs into the same dilemma. Plus, hey, an excuse to write a multi-paragraph entry. Go me.
I’m not exactly sure _how_ the account was compromised, and I’d hate to point fingers without knowing. Could’ve been either of the two popular blogging software applications that are installed. Or it could’ve been a hack to the server in general. After some digging and some Googling, it turned out someone else had the exact same problem. A hidden directory was including a PHP file that was in turn including a
.txt file filled with SEO spam and inserting it by IP address to most of my domains. I quickly deleted these files, but the links were still there.
The baffling part was that when opening any of the compromised files, the links weren’t in the source. Grepp’ing for the spam had it showing up in multiple files, but opening the file to edit showed nothing, leaving me to believe that the links were being dynamically inserted somehow. It took a helpful tech support agent to show me I’d fallen for one of the oldest tricks in the book: the huge block of spam links was just _indented_ a ridiculous amount. I hadn’t noticed the horizontal scrollbar at the bottom of the text editor, and sure enough scrolling over approximately 10,367 pixels to the right, there the spam was.
So after cleaning up 20 or so index files, changing passwords and updating software, all seems well again. If you run into link spam, and the usual fixes don’t help, check your logs for suspicious
.txt includes, and beware of the “massive indent”.