I’m not exactly sure how the account was compromised, and I’d hate to point fingers without knowing. Could’ve been either of the two popular blogging software applications that are installed. Or it could’ve been a hack to the server in general. After some digging and some Googling, it turned out someone else had the exact same problem. A hidden directory was including a PHP file that was in turn including a .txt file filled with SEO spam and inserting it by IP address to most of my domains. I quickly deleted these files, but the links were still there.

The baffling part was that when opening any of the compromised files, the links weren’t in the source. Grepp’ing for the spam had it showing up in multiple files, but opening the file to edit showed nothing, leaving me to believe that the links were being dynamically inserted somehow. It took a helpful tech support agent to show me I’d fallen for one of the oldest tricks in the book: the huge block of spam links was just indented a ridiculous amount. I hadn’t noticed the horizontal scrollbar at the bottom of the text editor, and sure enough scrolling over approximately 10,367 pixels to the right, there the spam was.

So after cleaning up 20 or so index files, changing passwords and updating software, all seems well again. If you run into link spam, and the usual fixes don’t help, check your logs for suspicious .txt includes, and beware of the “massive indent”.