Security issue, multiple sites (54 posts)

  1. ajparker
    Posted 8 years ago #

    It's really best to make the edit through something like phpmyadmin - login - select your wordpress database, then look for the wp_options table - then browse the table for the active_plugins row (or you could search for plugin) (on mine this option is listed as option id 39 - not sure if this is always the same.) In phpmyadmin you'll have a pencil to the left of the row - this is a link to edit the entry.

    The whole thing looks kind of like this...

    a:19:{i:0;s:35:"TBValidator/trackback_validator.php";i:1;s:35:"adsense-manager/adsen..... etc etc...

    The first two were the suspicious ones in mine - unfortunately I didn't document things as I went - I just deleted from the first i: to the end " after the second rogue plugin. I made sure that the option at the bottom of the page was to save and clicked GO.

    Then I went in and deleted the one file in the themes folder - the other seems to give permission denied still. (Even after a permissions change.) After all of this, I discovered that the edit essentially disabled all plugins - so I re-enabled my legit plugins.

    I don't know enough about the database to know if it would cause the sky to fall to delete the active_plugins key entirely and then run the upgrade.php again to reinitialize - but that might be an easier fix for most if that's safe. (Could someone speak to this?)

    Good luck!

  2. BurstCollective
    Posted 8 years ago #

    okay, I figured a couple things out...

    there are a few strange looking databases in my phpadmin area, most look similar to this:


    and then, inside those, there's RIDICULOUS lines of code filled with all sorts of link bait and queries I've been seeing hit my blog.

    So I'm going to delete them now. I figure I have a backup of the whole database so if I break something I can restore it... but I'm feeling pretty confident here since inside those entries I'm seeing all sorts of evil looking copy and links:

    O:9:"MagpieRSS":17:{s:6:"parser";i:0;s:12:"current_item";a:0:{}s:5:"items";a:1:{i:0;a:3:{s:5:"title";s:16:"No results found";s:11:"description";s:43:"No results were found for http://burst/blog";s:7:"summary";s:43:"No results were found for http://burst/blog";}}s:7:"channel";a:10:{s:9:"generator";s:15:"Technorati v1.0";s:9:"webmaster";s:43:"support@technorati.com (Technorati Support)";s:4:"docs";s:37:"http://blogs.law.harvard.edu/tech/rss";s:3:"ttl";s:2:"60";s:4:"tapi";a:3:{s:6:"result";s:5:"
    ";s:5:"title";s:23:"Technorati Search for: ";s:4:"link";s:17:"http://burst/blog";s:7:"pubdate";s:29:"Thu, 01 Jan 1970 00:00:00 GMT";s:7:"tagline";N;}s:9:"textinput";a:4:{s:5:"title";s:17:"Search Technorati";s:11:"description";s:43:"Search millions of blogs for the latest on:";s:4:"name";s:1:"s";s:4:"link";s:32:"http://technorati.com/search.php";}s:5:"image";a:3:{s:3:"url";s:50:"http://static.technorati.com/pix/logos/logo_sm.gif";s:5:"title";s:15:"Technorati logo";s:4:"link";s:21:"http://technorati.com";}s:9:"feed_type";s:3:"RSS";s:12:"feed_version";s:3:"2.0";s:5:"stack";a:0:{}s:9:"inchannel";b:0;s:6:"initem";b:0;s:9:"incontent";b:0;s:11:"intextinput";b:0;s:7:"inimage";b:0;s:13:"current_field";s:0:"";s:17:"current_namespace";b:0;s:19:"_CONTENT_CONSTRUCTS";a:6:{i:0;s:7:"content";i:1;s:7:"summary";i:2;s:4:"info";i:3;s:5:"title";i:4;s:7:"tagline";i:5;s:9:"copyright";}}
  3. thebes
    Posted 8 years ago #

    FYI, this exploit extends to 1.5.2 as well. Yeah, I know I have blogs that I need to upgrade... sigh.

    I could not find wp-info anywhere, but had several instances of the backdoor code in php files, several _old.jpgg etc, a phantom wordpress() user and it does indeed say it's running 2.5... I am having problems getting into phpMyAdmin (probably unrelated), so I can't say for certain what is in there. From the date codes it looks like I was hit twice, one time on the 16th and once on the 25th, IIRC.

  4. ultrasonic
    Posted 8 years ago #

    After almost 12 hours, I was able to finally fix the WordPress 2.5.1 "still needs to upgrade to 2.5.1" issue. Most of the suggestions were mentioned already but here are links and steps that might help.


    After upgrading my WordPress version 2.5 to 2.5.1., the dashboard is still telling me that I'm still on version 2.5. That's what brought me to the forums and eventually I found out I have those _new, _old, .pngg.php, .jpgg.ph, etc files in my content directory. So I immediately deleted that. For some reason though I can't find the 'wp-info.txt' file, even while viewing the hidden files (using filezilla).

    This was the most helpful link I got:

    1. http://wordpressphilippines.org/blog/has-your-wordpress-been-hacked-recently/ - read carefully and follow as instructed.

    2. Make sure you delete the phantom "WordPress" user. To instantly check if you have that user, go to your WordPress admin "users" page, enter "WordPress" under Search Users, if you DO NOT get a "No matching users were found!" you definitely have the phantom user in your database. You will notice a weird blank box appearing if you have that user. Another easy way is to Write Post, scroll down to Post Author, if there's an "invisible" author, that's the phantom WordPress user.

    Check the link provided on #1, and delete it by accessing your database.

    3. As mentioned in one of the entries above, look under database wp_options the VALUES 'active_plugins' and 'deactivated_plugins'. It is very likely you will notice a plug-in that's not supposed to be there. Here's what I get in mine:

    i:0;s:117:"../../../../../../../../../../../../../../../../../../../../../../tmp/tmpw6d0cG/sess_dea436 and so on (a very long plug-in entry)

    Remove that entry. If it works, then fine. If it doesn't, you can delete the entire line entry (active_plugins and deactivated_plugins) and WordPress will automatically create new entries BUT MAKE SURE YOU BACKUP FIRST! THIS HAS NOT BEEN VERIFIED TO WORK FOR EVERYONE, but that's what I did on mine and it worked. When I enter the admin page, I just have to re-activate the plug-ins.

    Check your dashboard. You'll read the message: "This is WordPress version 2.5.1.". BACKUP your database immediately to help you against new or missed exploits.

    What I noticed is that removing the offensive files will still give you the false version message in your dashboard. What cleared it are steps #2 and #3.

    I strongly suggest you download the WP Security Scan plug-in (newly updated, just google it). It checks your writable directories as an added insurance that your directories have the correct chmod. If you tend to edit your themes often, don't forget to give them back their original permissions for added security.

    I hope this helps. BACKUP first before trying.
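An added example, not part of ultrasonic's post or of WordPress itself: a Python script that parses the PHP-serialized active_plugins value that ajparker and ultrasonic describe hand-editing in phpMyAdmin, flags entries shaped like the rogue one quoted above (path traversal into /tmp, not a .php file), and re-serializes only the legitimate entries with correct string lengths and re-indexed keys so the value can be pasted back. The plugin names and the rogue path are constructed sample data.

```python
import re

def parse_plugin_list(serialized: str) -> list[str]:
    """Parse a PHP-serialized array of strings: a:N:{i:0;s:len:"...";...}"""
    data = serialized.encode("utf-8")
    head = re.match(rb"a:(\d+):\{", data)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, items = int(head.group(1)), head.end(), []
    for _ in range(count):
        key = re.compile(rb"i:\d+;").match(data, pos)
        if not key:
            raise ValueError(f"expected integer key at byte {pos}")
        hdr = re.compile(rb's:(\d+):"').match(data, key.end())
        if not hdr:
            raise ValueError(f"expected string at byte {key.end()}")
        length, pos = int(hdr.group(1)), hdr.end()
        value, pos = data[pos:pos + length], pos + length  # s:len is a BYTE count
        if data[pos:pos + 2] != b'";':
            raise ValueError(f"declared length does not match string at byte {pos}")
        pos += 2
        items.append(value.decode("utf-8", errors="replace"))
    if data[pos:pos + 1] != b"}":
        raise ValueError("trailing data after array")
    return items

def serialize_plugin_list(plugins: list[str]) -> str:
    """Inverse of parse_plugin_list; keys are re-indexed 0..N-1 as WordPress expects."""
    body = "".join(f'i:{i};s:{len(p.encode("utf-8"))}:"{p}";' for i, p in enumerate(plugins))
    return f"a:{len(plugins)}:{{{body}}}"

def rogue_reasons(entry: str) -> list[str]:
    """Heuristics for an active_plugins entry that cannot be a real plugin file."""
    reasons = []
    if ".." in entry.split("/"):
        reasons.append("path traversal component")
    if entry.startswith(("/", "\\")):
        reasons.append("absolute path")
    if "/tmp/" in entry or "sess_" in entry:
        reasons.append("temp/session file target")
    if not entry.lower().endswith(".php"):
        reasons.append("not a .php file")
    return reasons

def clean_active_plugins(serialized: str) -> tuple[str, dict[str, list[str]]]:
    """Return (cleaned serialized value, {rogue entry: reasons})."""
    plugins = parse_plugin_list(serialized)
    flagged = {p: rogue_reasons(p) for p in plugins if rogue_reasons(p)}
    return serialize_plugin_list([p for p in plugins if p not in flagged]), flagged

# Constructed sample: two ordinary plugins plus a rogue entry modelled on the thread.
SAMPLE_PLUGINS = ["akismet/akismet.php",
                  "../../../../../../tmp/tmpEXAMPLE/sess_PLACEHOLDER", "hello.php"]
SAMPLE_ACTIVE_PLUGINS = serialize_plugin_list(SAMPLE_PLUGINS)
```

Run `clean_active_plugins(SAMPLE_ACTIVE_PLUGINS)` on the real option_value copied from phpMyAdmin instead of the sample; a length mismatch error means the row was already edited by hand and WordPress will silently treat it as empty.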

  5. karcher
    Posted 8 years ago #

    ultrasonic, this was a HUGE help.

    I'll be keeping an eye on my db for a while to see if more problems crop up.

    Thanks so much for all the sleuthing.

  6. karcher
    Posted 8 years ago #

    I don't know if this is helpful information to anyone trying to track down the source of this problem, but I'll post it just in case.

    I discovered the hack today when I tried to upgrade from 2.5 to 2.5.1. After following this thread, I found the offending lines of php code in one of my templates, plus all the rest.

    Up until April 19, I was running WP 2.0.4. On April 19, I backed up my entire site in preparation for the move to 2.5.

    I've had a look through that backup. On that date, my template files were OK. So the hack hadn't been triggered yet. However, in my wp-content/uploads folder, there is a file called js.php, dated April 3.

    This file seems to be the one with the payload for the hack. I'm not really a php coder but have enough of a software background to recognize it's not doing nice things, and believe I've found the piece of code that injects the offending line of PHP code into the beginning of people's files. The file makes several references to the following URL http://unurex.cn

    Is there anyone I can send this file to for study? I'm not that familiar with the system around here.


  7. karcher
    Posted 8 years ago #

    Me again.

    After studying the payload file, I would really appreciate someone more competent than me having a look:

    1) To tell me the extent of the damage to my security. What exactly did the hack do and what did the hackers get from me?

    2) To tell me if the steps mentioned by above posters are sufficient for getting rid of it. js.php seems to try to restore the hack, or embed stuff to restore it. It also seems to affect wp-includes/functions.php, or try to, which worries me, because I hadn't seen that mentioned by anyone yet. I'm assuming my update to 2.5.1 clobbered whatever it did to functions.php, but I can't be sure.

    Just tell me who to communicate with to send the file to and I will pass it along.


  8. silverelf
    Posted 8 years ago #

    Hm.. my site got hacked too.. It seems that all the index.htm/index.php files contained in my public_html folders were deleted and switched. I'm using wordpress version 2.5. In addition, index files in subdomains that were locked up were also switched.


    I will be leaving my site the way it is for a while till about two weeks later. Just wondering if anybody experienced security issues with wordpress version 2.5.1 yet? I'm hoping to rebuild my site on a security stable version of wordpress.

  9. blogjam
    Posted 8 years ago #

    ultrasonic: thanks for all your hard work on this - I finally got everything cleaned up on my installation. Much appreciated.

  10. bluedonkey
    Posted 8 years ago #

    I've had a couple of sites hit by this, and spent a while cleaning up the mess. Now that's done, I've been looking at the logs and all the accesses I can find so far for the hacked files are from two IP addresses, both in the same block: and

    The earlier accesses are with the .23 and later ones .79. The block is registered to extendedhost.com in Canada, though there is no website there I can find.

    Will continue to dig a little and see what else I can find.

  11. Ashok Kumar
    Posted 8 years ago #

    I have installed wordpress 2-3 times taking a new build from wordpress.org. But after some hours, it gets hacked by some person called cesar. Can you please check if there is some loophole that needs to be patched!

    my site URL is http://aksblogger.com


  12. karcher
    Posted 8 years ago #

    As a final clean-up note for your databases, not only should you check your active plugins database entry in wp_options, but in your wp_posts, and wp_postmeta tables, look for the following and delete these entries:

    in wp_posts:
    any post titled rzf.txt (or a filename/title you do not recognize). Make a note of the post_id if you find any of these.

    in wp_postmeta:
    entries that list an attachment for the post_id you noted above. They will have meta_keys of _wp_attached_file and _wp_attachment_metadata and post_ids matching any hidden posts you found above. The meta_value will point to files like rzf.txt, or the bad pngs and jpegs mentioned in prior posts.

    I was just doing some extra surveying of my site when I came across these entries I overlooked the first time around. Since I'd cleared the attachments out of uploads already, no extra harm done.

  13. Jingan Eugen
    Posted 8 years ago #

  14. VRocKs
    Posted 7 years ago #

    Crazy hackers...

  15. VRocKs
    Posted 7 years ago #

    Seems to me hundreds of thousands of wordpress sites got hacked and wordpress doesn't know exactly how it happened.

    I was using the current version each time my site was hacked.

  16. webmasters
    Posted 7 years ago #

    I too have undergone to attack at myself on a blog I have found out the same plug-in only the modified

    source code here

  17. ehabkost
    Posted 7 years ago #

    Hi. Sorry for waking up an old thread. I've just found that a pre-historic version of wordpress I had online had been compromised too.

    The issue I am seeing is that WordPress 2.7 and even the svn trunk still have the XSS vulnerability that makes the bogus 'WordPress' user disappear from the user list. Maybe it doesn't let users with <script> tags on their names to be created anymore, but the bogus users on the database that were created before the upgrade are still there, but they don't appear on the user list.

    Where should a security issue like this be reported?

  18. Mark
    Posted 7 years ago #

    You can report security issues at


    or via email to:

    security [at] wordpress.org

    Also note that Maximum Security for WordPress helps keep WordPress secure - it helps stop cross-site scripting (XSS) attacks, helps lock down user accounts, and a lot more.

  19. Sebbi
    Posted 7 years ago #

    Bump! Exact same thing happened to my blog on January 29th ... WordPress version 2.7.

    Had a strange plugin (renamed plugin file filled with encrypted (?) php code) in the wp_options table (row with option_name active_plugins) and two new users with admin rights which were not visible in the profile section.

    Suggested fix:
    - wordpress should check for strange new users it doesn't or can't display
    - wordpress should check if activated plugins really are plugins
    - find the leak and finally fix it ;-)

  20. Sebbi
    Posted 7 years ago #

    To clarify, I noticed the hack today, but the date on the malicious php-files was January 29th. This date is also consistent with the massive drop in visitors coming from google since then.

  21. Samuel B
    Posted 7 years ago #

    2.7.1 addresses XSS attacks

  22. guvnrDOTcom
    Posted 7 years ago #

    hopefully this is a useful general security guide too, for casual passers-by wanting more security...

    Video How-to: 10 Tips To Make WordPress Hack-Proof


  23. atozkidzblog
    Posted 7 years ago #

    I have several blogs but recently I noticed a popup that is not coming from anything I have done on one of my sites. I am wondering what can be done to find and clean this up? or a plugin etc that will remediate this? here is my site.
    Thanks everyone.

  24. teragram
    Posted 7 years ago #

    I've just discovered this virus on my blogs.

    In case it's of any use to anyone, I thought I'd mention that I found some javascript in the usermeta tables which I think might be inserting the user 'wordpress'.

