Danilo apologizes for writing the 2nd post on AG that hammers REALTOR.com…

in two days and it reminded me that I’m about to hammer into REALTOR.com for the 2nd time in a short while… but I don’t expect to apologize at the end… 😉

Today’s beef?

The realtor.com team managing their blog platform is acting reckless.

Here’s the background: Last week, I let the realtor.com team know that Trace at BrokerScience had found that some pretty bad spam was filtering into a feed of their main blog: Let’s Talk. I know they received my message because I received both notes and calls from the team thanking me. (Trace was not so lucky in terms of getting feedback.) Plus, at some point last week, they removed the spam from all their existing posts. So far, so good.

Then today, I noticed that two recent posts on their feed are still spewing out spam (to sites selling Viagra, vicodin, tramadol, etc.).   Here’s a screenshot from my reader to give you an idea:

[Screenshot: spam links from realtor.com's feed]

This is a BIG deal because it means that even after the realtor.com blog team learned that their platform was compromised (i.e. someone had hacked into their system), they kept the site up in a compromised state that allowed those same hackers to return and insert more spam links into their posts.

Here’s some more background on this particular hack. In the past 6 months, I’ve seen two other blogs have this SAME issue and each time I’ve written a personal note to the host. Yet, I’ve purposefully never blogged about any of these sites getting hacked because I’m afraid that some people will mistakenly blame the WordPress platform. The reality is that in every case the host had not upgraded to the latest stable version of the software and when they did upgrade, the problem went away.

I honestly don’t have a problem with a host that is running an old version of the software and gets hacked as a result (been there and learned from that). What frustrates me in this case is that the realtor.com team knew their site was hacked, but rather than upgrade to the latest version of the software, they left a compromised site live. That’s just reckless… especially since there are more than a few ways to automate the process.
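An added example, not code from the original post or from WordPress: a small audit that parses a blog's RSS feed and flags off-site links whose URL or anchor text matches the drug names mentioned above. The sample feed, the host names and the `audit_feed` helper are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Terms taken from the spam described in the post; extend the list for your own audit.
SPAM_TERMS = re.compile(r"viagra|vicodin|tramadol", re.I)
CONTENT = "{http://purl.org/rss/1.0/modules/content/}encoded"

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from a post body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_feed(feed_xml, own_hosts):
    """Return [(item title, href, anchor text)] for off-site links matching SPAM_TERMS."""
    findings = []
    for item in ET.fromstring(feed_xml).iter("item"):
        title = item.findtext("title", default="")
        body = item.findtext(CONTENT) or item.findtext("description") or ""
        parser = LinkCollector()
        parser.feed(body)
        parser.close()
        for href, text in parser.links:
            host = (urlparse(href).hostname or "").lower()
            if host and host not in own_hosts and SPAM_TERMS.search(href + " " + text):
                findings.append((title, href, text))
    return findings

# Constructed sample feed (not real data): one clean item, one with an injected link.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel><title>Example blog</title>
<item><title>Market update</title>
<content:encoded><![CDATA[<p>See our <a href="http://blog.example.com/stats">stats</a>.</p>]]></content:encoded></item>
<item><title>Open house tips</title>
<content:encoded><![CDATA[<p>Stage the home.</p><div><a href="http://pills.example.net/buy">cheap tramadol</a></div>]]></content:encoded></item>
</channel></rss>"""

if __name__ == "__main__":
    for finding in audit_feed(SAMPLE_FEED, {"blog.example.com"}):
        print(finding)
```

A hit only shows that a published post body carries the link; removing it from the post does not close whatever let it be inserted.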

22 responses

  1. We found this same issue on our company site this morning, you have to go back into the post and remove it. We’ll see if it stays gone. We’re currently auditing every post in the history of our blogs.

    I now also know we have the same problem in a post at Ag and we’re working to remove it today as well as any possible backdoors.

    This is a wordpress issue that we’re attempting to isolate as I am nearly positive that any site with any relevance is having this problem.

    What we’re looking at are any spam comments that appear repetitively in any older post. You delete and within a day it reappears. This is the update of the spam. Our site designer for Ag noted a similar issue last week which tells me this is not isolated.

    And for the record, we are completely upgraded to the new version of wordpress, however, as I said, these are older posts where the reappearance takes place, however, the spam comments continue to reappear in akismet even with a blocked ip.

    Accusing anyone of being hacked is shortsighted, because even if you’ve updated, the spam is still in place and being updated.

    I suggest that folks actually click through from akismet to examine the post from your blog, from there, view the source. If you find it to have spam inside of the post, edit out the spam directly from the post, block the ip and check that post.


    PS Danilo’s post was sincere enough, and I hope the great folks at realtor.com take something positive from it. We do our very best to offer something positive when we point out negatives- that isn’t always easy in this crazy world.

  2. diesel12

    What would happen if Trulia allowed their site to be hacked, allowed the site to remain hacked 36 hours after being notified, took the site down for 17 hours and then didn’t update their blog posts for two weeks…..? What if they didn’t communicate with the community and then ignored the issue……without updating the community about the safety of personal data and addressing community concerns about the hack ? It would be WWIII on Trulia….. Any one of the above factors is worthy of a front page story… all of them together is a clear indicator that there is no leadership on the Realtor.com team…. at real companies people lose their job over any one of those issues…. end of story.

  3. Benn:

    That’s fascinating. But it seems like we’re talking about two different issues.

    You’re talking about spam comments and things that *should* be blocked by Akismet… Not sure why.

    The problem I’m seeing is code inserted directly into a blog post. Is that happening on Agent Genius?

  4. In a very old post we had a repeat spam that kept hitting akismet (last week), so I clicked through because the ip had been blocked before. I clicked through to actually view the post of the offender, viewed the source, and there was the code for the html for what appears in the RSS as spam.

    This update to this old post happened last week. I figured it was isolated until I started digging around the net and I’m seeing this as an emerging issue, but the problem is, everyone thinks it’s isolated and aren’t talking about it.

    Now that I know what I’m looking at, I will document it going forward in order to reproduce it for the folks at wordpress and bloggers alike.

    If I’m still not clear, feel free to call, but I do believe this is a problem with the previous version of wp and the vulnerability they’ve been discussing over the past week that is still haunting posts posted when the previous version was the active engine. In other words, it’s a Trojan.

  5. Benn,

    I think we’re much closer to being on the same page now… As I mentioned in the post, I’ve seen this spam on a few different blogs and I wouldn’t be surprised if you could find it on many more. My point is that IF you upgrade to the latest version, then the spammer will not be able to continue hitting your new posts with this same spam. Of course, just upgrading won’t delete the old spam links that they inserted into your post since it has already become part of a post.

    However, if you do not upgrade, then your latest posts (as in two posts from the realtor.com blog written in the past three days) are susceptible to having this same person insert spam into your articles!

    As I said in the post, I don’t have an issue with hosts getting caught with this type of hack on their site because they were using an old version of WordPress. It happens and it’s happened to me. What bugged me was that the realtor.com people KNEW they had this problem, did not upgrade and kept the site live anyway. The result is that when they publish posts that are infected (at least two recently) they are helping this spammer feed his crappy links all over the web.

  6. Dustin; It seems that REALTOR.com is being perceived as a bad guy instead of a victim. I’m not a huge REALTOR.com booster, but it would seem to me that the most they can be criticized for is not being as good at fixing it as someone else might be.

    @diesel12 I think the reaction would be the same. They would attempt to fix. If it went away, that would be the end of it. If the fix didn’t work, they would need to do it again and someone would comment on it. Zillow and realtor.com are two commercial ventures – they aren’t individuals who function by different rules - they are businesses that do the best they can, and function at varying levels of efficiency.

  7. Well, to play the devil’s advocate here on this one, the question becomes are they upgraded or not at this point, because what I suspect is what is being discussed lately in the wp circle is that a backdoor can be placed that the new version does not remove. wp sent out a letter last week advising all to investigate every single *php you have even those of your plugins for any malicious code that would allow repeats.

    I bring this up because you and I both know how complicated that can be, especially sophisticated sites.

    So if we can learn what engine they’re running, we’ll know how bad this actually could be for many large sites pimping the wp engine.

  8. I checked their site because some themes display the WP version in the html source, but they don’t list it… 🙁

    (It’s a good idea *not* to list it, by the way, since if you do stop updating your site, then you don’t want to let everyone know it!)

  9. Bill: If they upgraded their site then I’d agree with you that they are the victim… but I’m still pretty darn sure that they did not upgrade. And if they didn’t upgrade but kept the site live, then that is just irresponsible… and they are no longer the victim.

    As I said before, I’ve seen two other sites have this problem (and AG says they had this problem) that stopped occurring when the host upgraded the site. I’ve never seen an example where someone upgraded and continued to have this hole in their security.

  10. The vulner is exposed via search string in google from what I’ve read, so you’re exposed whether you outwardly expose your version or not. The idea of a trojan/or backdoor vulner was discussed last week at wp. I’m sort of between gigs here right now, I’ll locate some docs later and paste the links.

    Being hacked is no one’s sin but the hacker, and I’m not sure which is more destructive to a site, taking it offline, or having a few links that make you look silly, but either way- I would never go so far as to blame the victim which is why we didn’t hammer this subject when it was first seen.

    PS this isn’t really hacking- HACK THE PLANET. l337 sure brings back memories…

  11. Ooops, I’m diesel12 above….

    To clarify: the issue was not comment spam, it was injection of links into posts…..

    @Bill: Realtor.com is and should be considered the bad guy. They have refused to communicate with their community or address the issue and let’s not forget the problem is not fixed!!!! Once daily posts have halted for the past TWO WEEKS! They also took a day and a half from when I first notified them they were hacked to fix the problem. That is a day and a half that user data may or may not have been compromised.

    This is not about making mistakes or being a victim of a hack. These things happen, how they are dealt with is the issue.

    While it is likely that user data was not compromised, any responsible community builder (let alone for profit entity that charges dues) communicates with its community and lets users know what happened, how it happened, what the consequences are (if any) and what is being done to prevent the issue in the future….. this prevents users from hearing about such issues from third party sources which creates distrust among your user base…. not addressing the issue is nothing short of reckless and irresponsible.

    Realtor.com takes in millions upon millions of dollars from Realtors, operates one of the largest real estate portals in the world and when they are unable to exercise responsibility in upgrading their website (if that was the issue…. again, no communication means we are forced to guess), we are questioning whether or not it is ok to take them to task for it? Raise your hand if you were able to upgrade your wordpress installation without a million dollar salary.

    Realtor.com has managed to send me a C & D letter since my post, but can’t send a simple note to its community assuring them that the situation is under control, let alone notify them that there was an issue…. I’m supposed to be on vacation but will be posting on C & D later…. it is rich …..


  12. to clarify, I wasn’t saying that was the outcome in which I was speaking of, it was the way in which we identified what was happening. thx

  13. “Realtors, operates one of the largest real estate portals in the world and when they are unable to exercise responsibility in upgrading their website”

    Realtor.com is not run on wordpress, user identification on realtor.com hasn’t been proven to have been compromised, a wordpress blog with a known vulner is the problem. This isn’t credit cards and social security numbers we’re talking about here.

    Unless you are reporting as fact that Realtor.com has in fact been hacked and user records have been breached? I’m unclear.

  14. Benn:

    You make a very good point. The only element that has been compromised (as far as I can tell) was a single blog hosted at http://talk.realtor.com.

  15. Trace: Somehow I missed your comment the first time. It should be interesting to read your post about the C&D letter.

  16. Isn’t the blog in question a WordPress MU site? I’m not sure if that makes a difference or not.

    Anyway, I agree with Trace that this is noteworthy. The main reason is that REALTOR.com is in the “business” of hosting blogs for real estate agents.

    Even if they are offering them for free, we all know that blogs are not free. Nobody wants to put a bunch of work into something that might eventually embarrass them.

    For every agent that associates their name with one of these blogs, I would think it would be important to know how competent or dedicated the guys running the network are.

    People get hacked, that’s not news. What they do once they’ve been hacked is newsworthy, especially when they are also responsible for protecting hundreds of other professionals from a similar fate.

  17. With so much money and so many resources at their disposal, it’s sad that someone like you or me can fix the issue faster and better than them.

    Thanks for noticing the post. (And I’m not THAT sorry)

  18. Thanks for stopping by Todd and Danilo…

    Todd: I obviously agree with your last sentiment. It’s not the hacking that’s news, it’s what they did afterward that’s news.

    and Danilo… I suspected you weren’t too sorry. 😉

  19. @Benn: talk.realtor.com is based on WordPress MU. To clarify, the Realtor.com blog was hacked…. talk.realtor.com, sorry if that was not clear. There were multiple posts that were affected…. and have since been removed.

    There was spam injected into posts, this could be caused by many things, all of which we are forced to speculate about…. was the server breached? was it a faulty plugin? was personal data compromised? That’s the point…. we don’t know. whether or not the information that might have been compromised is information like a social or the like is irrelevant…. there is a responsibility in guarding ANY personal data…. and at this point, there may have been no compromised data or extensive data compromised…. nobody knows and that is exactly the point, when something happens there is a responsibility to keep the community informed…. it’s good for both parties.

  20. “@Benn: talk.realtor.com is based on WordPress MU. To clarify, the Realtor.com blog was hacked…. talk.realtor.com, sorry if that was not clear. There were multiple posts that were affected…. and have since been removed.”

    “There was spam injected into posts, this could be caused by many things, all of which we are forced to speculate about…. was the server breached? was it a faulty plugin? was personal data compromised? That’s the point….”

    We 1000% agree here and I wish we knew more because the problem they are facing, we’re all exposed to as well – as we all use the same engine.

    “is a responsibility to keep the community informed…. it’s good for both parties.”

    I do not have an account with talk.realtor.com to write on this blog nor does it appear any other agents do either- I could be missing something here, but here is why I see a problem:

    talk.realtor.com is a directory (where the breaches took place) that has closed comments and does not appear to actually host contributors- it simply links out to:


    so talk.realtor.com allows you to feedreader all of the content on a daily basis written on each individual featuredblog.com accounts and is actually a pretty neat form of daily directory of posts – this was compromised, and there are no outside user accounts- which from a security standpoint makes sense.

    *.featuredblog.com/ appears to be subdomained user accounts hosted separately from one another- non-multi-user, which would mean nothing has been exposed?

    So, if anything, they could communicate with us what engine they’re running and a fix they dream up for the problem on talk.realtor.com , but it appears to me that the priority data to protect is fine on individual.featuredblog.com?

  21. Trace and Benn,

    You guys are both hitting the right questions and, while I know the answers to some of the issues, I’m honestly not sure what is appropriate to make public, so I’m being quiet in terms of the actual technologies being used by the various domains… other than to say it is definitely a wordpress backend since I made that public on numerous occasions when I worked at Move (and helped design the original implementation of the platform). Nonetheless, the questions you both are raising are extremely valid and, in my opinion, deserve answers.

  22. I love Vicodin.

    Please send.

    I want—more than real estate, anyway.
