Blog seems to have been hacked?

Issue #1740 resolved
Kevin Read
created an issue

I already wrote this to the Google group, but as it might have a security impact I'll post again here. seems to have been hacked. Look at the Google cache page here: (incidentally, this is also the first hit for the search term "Its software licenses through coupon description. Most new Adobe OnLocation CS4").

Somehow this SEO spam page is shown in my stock FF 3.5, Ubuntu 9.10. Chrome on the same system will display the blog front page.

I have dropped a stripped-down packet dump of visiting the page with both browsers at

Please look into this immediately. If the blog was somehow hacked, this might have enabled access to other databases.

Best regards,


Comments (3)

  1. Kevin Read reporter

    This is from "Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8"

    Today, the page seems to be OK even in my browser. If I set my user-agent to "Mozilla/5.0 (compatible; Googlebot/2.1; +" with the Tamper Data FF extension, I get the spam page again. Seems like a hack specifically targeted towards non-intrusive and hence nicely invisible SEO spam, only showing the spam page when the UA looks like a search engine.

    If you find the customized WP files, I would be highly interested in doing an analysis of the hack, if you can spare the time. A quick Google search didn't show anything like that; it might be interesting to the security community.

    If you are looking for a nice Django-based blogging engine, byteflow ( has worked quite nicely for me ( runs byteflow). If you want to look into the admin interface, drop me a mail and I'll set up a guest account for you.
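The check described in the comment above (request the same URL once as a browser and once as a search-engine crawler, then compare what comes back), written as a script a site owner could run against their own pages. This is an added example, not part of the original thread; the User-Agent strings, the sample pages and the 0.5 similarity threshold are assumptions made for illustration.

```python
import difflib
import re
import sys
import urllib.request

# Assumed User-Agent values; the crawler string is a shortened, constructed form.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1)"

# Constructed sample responses so the comparison runs offline.
SAMPLE_BLOG = ("<html><head><title>Project blog</title><style>p{color:red}</style></head>"
               "<body><h1>Release notes</h1><p>Version two fixes several bugs in the editor.</p>"
               "</body></html>")
SAMPLE_BLOG_LATER = SAMPLE_BLOG.replace("</body>", "<p>Rendered at 10:42</p></body>")
SAMPLE_SPAM = ("<html><body><h1>Cheap software licenses</h1>"
               "<p>Buy discount software licenses through coupon today.</p></body></html>")


def fetch(url, user_agent, timeout=10):
    """Fetch url while presenting the given User-Agent header."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def visible_words(html):
    """Drop script/style bodies and tags, return the lowercased word list."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)
    text = re.sub(r"(?s)<[^>]+>", " ", html)
    return re.findall(r"[a-z0-9']+", text.lower())


def cloaking_report(browser_html, crawler_html, threshold=0.5):
    """Compare what a browser and a crawler were served for the same URL."""
    b, c = visible_words(browser_html), visible_words(crawler_html)
    similarity = difflib.SequenceMatcher(None, b, c, autojunk=False).ratio()
    return {
        "similarity": round(similarity, 2),
        "crawler_only_words": sorted(set(c) - set(b)),
        "suspicious": similarity < threshold,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check against a site you operate
        report = cloaking_report(fetch(sys.argv[1], BROWSER_UA), fetch(sys.argv[1], CRAWLER_UA))
    else:                  # offline demo on the constructed samples
        report = cloaking_report(SAMPLE_BLOG, SAMPLE_SPAM)
    print(report)
```

A low similarity score only says the two responses differ; injected code may also key on the Referer header or the client IP, so a clean result here does not rule out a compromise.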

