• Hello,

    After thinking that it would never happen to me, I’ve apparently been hacked. I always update my WordPress installs ASAP, and I most recently updated to 2.7 on December 10th.

    Today I was looking through referral logs and noticed this one

    http://us.yhs.search.yahoo.com/avg/search?p=free+sexs+video&fr=yhs-avg&YST_b=11

    I couldn’t imagine why my site would turn up for “free sexs video,” so I became very worried. I clicked through to http://www.onedayonejob.com/jobs/nasa/ and the page looked normal. I checked the source. It looked normal too. Then I checked Yahoo Cache and there was an invisible div with about 40 spam links in the source of the page.

    I checked Google Cache, and the cache from January 1 showed the same problem. You can see it here: http://74.125.95.132/search?q=cache:OYBbENIoY7IJ:www.onedayonejob.com/jobs/nasa/+http://www.onedayonejob.com/jobs/nasa/&hl=en&ct=clnk&cd=1&gl=us&client=safari

    A little more Google searching revealed that many more pages on my site were hit with the same problem.

    The nasty div is inserted in the middle of my Navigation, which is pulled from a file called nav.php. It’s hard coded, so the links aren’t being pulled from a database. I checked both nav.php and index.php and they are clean. Since the code was inserted in the middle of the navigation that comes from nav.php, I can’t imagine that it could have been inserted by any way except a modification to nav.php.

    nav.php looks like this:

    <div id="navwrap">
    	<div id="nav">
    		<h5>
    			<ul>
    				<li><a href="http://www.onedayonejob.com/" title="Today's Entry Level Job on One Day, One Job">Today's Entry Level Job</a> |</li>
    				<li><a href="http://www.onedayonejob.com/past-jobs/" title="Past Jobs on One Day, One Job">Past Jobs</a> |</li>
    				<li><a href="http://www.onedayoneinternship.com/" title="One Day, One Internship | A blog about internships for college students." onclick="javascript:pageTracker._trackPageview('/outbound/nav/ODOI');">Internships</a> |</li>
    				<li><a href="http://www.onedayonejob.com/career-tools/" title="Career Tools from One Day, One Job">Career Tools</a> |</li>
    				<li><a href="http://www.onedayonejob.com/about/" title="About One Day, One Job">About</a> |</li>
    				<li><a href="http://www.onedayonejob.com/blog/" title="The One Day, One Job Blog">Blog</a> |</li>
    				<li><a href="http://www.onedayonejob.com/contact/" title="Contact One Day, One Job" rel="nofollow">Contact</a> |</li>
    				<li><a href="http://www.onedayonejob.com/employers/" title="Employer Solutions from One Day, One Job">For Employers</a></li>
    			</ul>
    		</h5>
    	</div>
    	<div id="tagline">
    		<h3>
    			<?php bloginfo('description'); ?>
    		</h3>
    	</div>

    	<div id="subscribewrap">
    		<ul>
    			<li><a href="http://www.feedburner.com/fb/a/emailverifySubmit?feedId=1055342&amp;loc=en_US" title="Subscribe to One Day, One Job by E-mail" rel="nofollow" onclick="javascript:pageTracker._trackPageview('/subscribe/nav/EmailFeedburner');"><img src="http://www.onedayonejob.com/wp-content/uploads/one-day-one-job-email.gif" alt="Subscribe to One Day, One Job's e-mail newsletter" /><br />Get Jobs by E-mail</a></li>
    			<li><a href="http://www.facebook.com/pages/One-Day-One-Job/5827264150" title="Become a Facebook Fan of One Day, One Job" rel="nofollow" onclick="javascript:pageTracker._trackPageview('/outbound/nav/http://www.facebook.com/profile.php?id=5827264150');"><img src="http://www.onedayonejob.com/wp-content/uploads/one-day-one-job-fan.gif" alt="Become a Facebook Fan of One Day, One Job" /><br />Become a Facebook Fan</a></li>
    			<li><a href="http://feeds.onedayonejob.com/OneDayOneJob" title="Subscribe to the One Day, One Job RSS Feed" rel="nofollow" onclick="javascript:pageTracker._trackPageview('/subscribe/nav/RSSFeedburner');"><img src="http://www.onedayonejob.com/wp-content/uploads/one-day-one-job-feed.gif" alt="Subscribe to One Day, One Job by RSS Feed" /><br />Get Jobs by RSS</a></li>
    		</ul>
    	</div>
    </div>

    The malicious div was inserted within the first list element. I can’t imagine how anything could get inserted there, except by a direct change to nav.php.

    I thought that my password was relatively strong, and I’m extremely wary of phishing, so I have no idea how this could have happened. Is there a new WP 2.7 exploit? Could this hack have happened to a prior version?

    Why can’t I find any evidence of the hack beyond the cache? Did I inadvertently fix it? Or did someone go in and make a change?

    I’m totally confused about this situation, and although the hack no longer seems to be a problem (besides having to submit a Reconsideration Request to Google), I’d like to know how it happened so that I can fix whatever vulnerability allowed it to happen.

    Hopefully I’ve provided enough information for someone to figure this out.

    Thanks,

    Willy

Viewing 4 replies - 1 through 4 (of 4 total)
  • You are sure that the code was inserted when running 2.7 and not 2.6.x?

    Could be difficult to trace back now. The last edited date of nav.php may have been a clue, but if you have changed it since, it won’t be valid any more.

    If it happens again you could check server logs.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Is there a new WP 2.7 exploit? Could this hack have happened to a prior version?

    . . .

    Hopefully I’ve provided enough information for someone to figure this out.

    Well, your files did get compromised and you have explained the outcome very well. But can you provide any log data to figure out how this happened? So far you have not really provided data on how this happened or even when exactly.

    Do you keep file backups, and if so how long ago? If this is not a problem with your database, check your file backups to try to find out when this got onto your blog. You could use that date to try to find out how.

    If it happened before 12/10 then your old version was compromised and 2.7 is probably still good for now.

    Thread Starter WillyF

    (@willyf)

    Hi everyone,

    Sorry to leave you all hanging.

    I tried replying to this post on the day that I originally posted it, but it told me that the post didn’t exist. I’d imagine that maybe some of the text in my post got flagged as spam.

    Although I don’t have a definitive answer, I do have some more information on how the hack happened.

    After doing some more looking through my file structure, I found that every directory that was writable had files that took the form 194255.php. These were mostly in my /wp-content/uploads and folders within those, as well as folders within /wp-includes. These files were all uploaded on 10/6/08, which was well before the 2.7 update. The files contained base64 code that was quite obviously malicious. I have 5 WP installs on my site, and these files were in the same directories of all of them. It’s definitely possible that some of these blogs were not updated properly at the time (early October).

    These files, however, don’t appear to have been responsible for the malicious code that was inserted. I also found a file called gzmod.php in my plug-ins folder. This file was last edited on 1/6/09 and it also included base64 code. I am not sure when it was initially uploaded, but I’m almost positive that it was some time after I updated to 2.7 on 12/10. I’m not sure if the other malicious files allowed for the upload of this file, but I’m almost positive that this is the file that was responsible for the malicious code.

    I don’t have a full file backup (only database backups) from the period between 10/6/08 and 1/6/09 to check when the gzmod.php file was inserted, but I have asked my host to look into it. They have not gotten back to me yet.

    I have no proof that the two types of hacks are related, but it would make sense that one enabled the other. Does anyone have insight into this?
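The file hunt described in the last post (numeric-named PHP files in writable directories such as wp-content/uploads, base64/eval-obfuscated PHP in the plugins folder, and mtimes inside the suspected compromise window) can be scripted so it covers all installs in one pass. The following triage scanner is an added example, not code from the thread or from WordPress; the heuristic marker list, the directory rule and the sample tree that demo() builds are constructed here to mirror what the poster reported.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Heuristic markers of obfuscated PHP backdoors (constructed list, not exhaustive).
OBFUSCATION_RE = re.compile(rb"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
NO_PHP_DIRS = ("wp-content/uploads",)  # media only; any PHP here is a dropped file

def scan_wordpress(root, since=None, until=None):
    """Return [(relative_path, reasons, mtime_iso)] sorted by mtime. Reasons: php-in-uploads,
    numeric-name (e.g. 194255.php), obfuscated, modified-in-window (aware datetimes since..until)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if any(rel.startswith(d + "/") for d in NO_PHP_DIRS):
                reasons.append("php-in-uploads")
            if re.fullmatch(r"\d+\.php", name):
                reasons.append("numeric-name")
            with open(full, "rb") as fh:  # first 64 KiB is enough for a one-line dropper
                if OBFUSCATION_RE.search(fh.read(1 << 16)):
                    reasons.append("obfuscated")
            if reasons:  # the mtime window only annotates already-suspicious files
                mtime = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)
                if since and until and since <= mtime <= until:
                    reasons.append("modified-in-window")
                findings.append((rel, reasons, mtime.isoformat()))
    return sorted(findings, key=lambda f: f[2])

def demo():
    """Scan a constructed mini WordPress tree mirroring the thread's findings."""
    utc = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
    files = {  # relative path -> (body, mtime); all sample data, constructed here
        "index.php": (b"<?php require 'wp-blog-header.php';", utc(2008, 12, 10)),
        "wp-content/uploads/2008/10/194255.php": (b"<?php eval(base64_decode('Li4u')); ?>", utc(2008, 10, 6)),
        "wp-content/plugins/gzmod.php": (b"<?php eval(gzinflate(base64_decode('Li4u')));", utc(2009, 1, 6)),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, when) in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
            os.utime(full, (when.timestamp(), when.timestamp()))
        return scan_wordpress(root, since=utc(2008, 12, 10), until=utc(2009, 1, 7))
```

Run scan_wordpress() against each real install root with the 12/10 to 1/6 window to get one mtime-ordered list across all five blogs; the clean index.php in the sample is deliberately not reported, since a date inside the window alone (every core file touched by the 2.7 update) is not evidence.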


The topic ‘WP 2.7 Blog Hacked’ is closed to new replies.