Site Hacked? Check Your AdSense Publisher ID And 3rd Party Scripts

Sometime Saturday night Wapreview.com was hacked. The hackers didn’t do much damage. Their goal was apparently financial gain rather than wanton destruction. All that was changed was the publisher ID in the JavaScript code for the AdSense block in the sidebar. This meant that ad impressions and clicks were credited to someone else’s account instead of mine. Ads continued to run and I probably would never have discovered it except for one thing. Sunday evening I noticed that the ad’s background color had changed from the yellow that I use to white. I checked my AdSense account and discovered that my meager advertising revenue had dropped to zero. I’m retired and rely on the ads on Wapreview.com and my other sites to supplement what I get from Social Security, so I was not amused.

I restored the AdSense JavaScript and changed the passwords on everything associated with the site: cPanel, FTP, SSH, WordPress and the WordPress MySQL database (the AdSense code is in a WordPress sidebar widget and is stored in the database). I also reported the issue to AdSense and received a nicely worded canned response in return. I went to bed confident that I had fixed the problem and better secured the server.

I woke up to find that the hack had been reapplied and my revenue was again going to someone else. I changed the publisher ID back and made sure that all the files on the server were read-only to the public. An hour later the AdSense hack was back again!

At this point I enlisted the help of my hosting company’s support team. I use HostGator and have been extremely pleased with them. All the server problems I’d been experiencing with 1and1 disappeared when I switched to HostGator. Their support has been exceptional; every time I’ve needed help, HostGator’s techs have gotten right back to me with a working solution. This time was no exception. Within four hours they had scanned my server space, finding and removing a couple of rogue scripts that allowed hackers shell access. They also pointed me to a security advisory about a vulnerability in Sphider, the open source site search engine that I use on my mobile sites. That is awesome customer support, especially considering that I’m using one of HostGator’s cheap shared hosting plans.

The rogue scripts had been created in the Sphider directory structure, making it likely that the Sphider vulnerability was the source of the attack. Sphider doesn’t adequately sanitize user input, making it possible to execute arbitrary shell or SQL commands using a specially crafted search query. I found a user-submitted patch for the issue in the Sphider forum. The patch was incomplete and didn’t work out of the box, but that was fairly easy to fix. It modifies Sphider to use PHP’s mysql_real_escape_string() function to escape special characters in all user input. I’ve placed a copy of the one Sphider file that needs to be fixed on my server for your convenience. I registered for the Sphider forum and tried to post it there as well but I keep getting an error.

If you are running Sphider I urge you to patch your installation as soon as possible. Here’s how:

  1. Find search.php in the root of your Sphider installation and make a backup copy somewhere so you can recover if my patch does anything unexpected.
  2. Download search.php.txt
  3. Rename search.php.txt to search.php and copy it to the root of your Sphider installation.
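The publisher-ID swap described at the top of this post was only noticed because the ad's colors changed; a scheduled check of the ad code itself catches it directly. The following is an added example, not code from the original post: the function names, the sample widget and plugin snippets, and every publisher ID in it are constructed for illustration. It also covers the case raised in the comments below, where a foreign ID sits in a plugin's PHP source.

```python
import re

# AdSense publisher IDs: "pub-" plus 16 digits, with a "ca-" prefix in newer ad code.
PUB_ID_RE = re.compile(r"\b(?:ca-)?(pub-\d{16})\b")


def normalize(pub_id):
    """Strip the optional "ca-" prefix so both spellings compare equal."""
    return re.sub(r"^ca-", "", pub_id.strip())


def audit_publisher_ids(text, allowed_ids):
    """Scan HTML or PHP source for publisher IDs.

    Returns a dict with:
      foreign: (line_number, publisher_id, line) for each ID not in allowed_ids
      missing: allowed IDs that do not appear in the text at all
    """
    allowed = {normalize(i) for i in allowed_ids}
    present, foreign = set(), []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PUB_ID_RE.finditer(line):
            pub_id = match.group(1)
            present.add(pub_id)
            if pub_id not in allowed:
                foreign.append((lineno, pub_id, line.strip()))
    return {"foreign": foreign, "missing": sorted(allowed - present)}


# Constructed sample inputs; every ID below is made up for this example.
MY_IDS = ["pub-1111111111111111"]
CLEAN_WIDGET = '<ins class="adsbygoogle" data-ad-client="ca-pub-1111111111111111"></ins>'
TAMPERED_WIDGET = """<script type="text/javascript">
google_ad_client = "pub-2222222222222222";
google_ad_width = 160;
</script>"""
PLUGIN_SOURCE = """<?php
define('SYS_FREQUENCY', 4);
define('ADS_INT_PUBLISHER', 'pub-3333333333333333');
"""

if __name__ == "__main__":
    for name, text in [("clean widget", CLEAN_WIDGET),
                       ("tampered widget", TAMPERED_WIDGET),
                       ("plugin source", PLUGIN_SOURCE)]:
        result = audit_publisher_ids(text, MY_IDS)
        status = "ALERT" if result["foreign"] or result["missing"] else "ok"
        print(f"{status}: {name}: {result}")
```

Run on a schedule against the rendered page and against plugin source files, any `foreign` or `missing` entry is a reason to investigate before revenue reports show the drop.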

11 thoughts on “Site Hacked? Check Your AdSense Publisher ID And 3rd Party Scripts”

  1. Thanks for this. It’s only today, after asking a minor question on the Sphider forum, that I found out that Sphider was insecure. It’s really disappointing that the original code didn’t escape input characters as this is an elementary security precaution which experienced PHP coders should know. Thanks for posting your patch, which I’ll use immediately. I’ve had sites cracked by hackbots in the past because of holes in 3rd party PHP scripts and it took ages to clean the mess up.

  2. Thanks for the article – I’ve modified my sphider install to escape input. It’s a little frightening to think of how long I’d been live with this vulnerability.

    @Matt – is it possible you copied and pasted the portion of the patch dealing with sanitizing the input? If so you need to shift up the line:

    require_once("$settings_dir/database.php");

    to be ABOVE the script that handles the input as mysql_real_escape_string requires a db connection. Because my version of sphider is somewhat customised I initially applied the patch this way and it threw an error.

  3. WARNING EVERYONE!!!

    My friend asked me to help him look into his blog which was running Adsense and he noticed that the Adsense ads looked a little weird.. it was hacked and the Adsense ID wasn’t his – someone has switched his Adsense Pub ID to theirs..

    So I looked around and found this WP Plugin “Adsense Integrator” was the problem.. look into this plugin’s code in the file (adsense-integrator.php) and you will find that this author has inserted his Adsense ID (pub-9007511248914173) to switch between his id and my friend’s (or yours)…

    define('USER_FREQUENCY', 96);
    define('OFF_FREQUENCY', -1000);
    define('SYS_FREQUENCY', 4);
    define('ADS_INT_PUBLISHER', 'pub-9007511248914173');

    If you’ve been using this plugin (DELETE IT NOW!!!) and getting ripped off by this person, I would suggest you report him ASAP!!!

    • I think you are overreacting. While I would never use this plugin, as there is no need for it (just paste your AdSense code into a WordPress Widget), the author clearly warns you what he is doing and provides a way to disable his ads. On the plugin’s description page on WordPress.org it says:

      “Reward Author feature: This feature supports the development of the project replacing the 4% of your your ads impressions with ours. If you are happy with our script and do you want to aid us in the development of this and new wordpress plugins, please leave this option checked!”

  4. I don’t think the patch is working. It made my sphider stop working after I changed it to your patch.

  5. Thank you for this fix – I’ve installed your file and nothing broke. :-)

    I had posted a question about this vulnerability a couple of months ago on the sphider phorum site – no answers (though plenty of looks).

    I was about to give up on sphider until I found this – and I have now posted the information about this fix to the sphider phorum site – including a link to this article.

    Many thanks!
    Mark

  6. Isn’t Adsense owned by Google, who is owned by the same bankers that gambled our future away? Sounds like the old problem, reaction, solution scheme they’ve been using on us rabble since the beginning of history. Sorry Deniss, but at least there is still good news for the retired people right now! There is apparently some money left for your measly check and they even send you a whopping extra 150 to make up for the lack of raise this year, meanwhile the ultra rich are still getting bailouts lol ..
