Hack Update

So, a few people asked what happened exactly when my blog was hacked by f0cking spammers. First off, it seems WordPress 2.3.3 fixes the issue. More importantly though, unless you delete all themes, which you won’t do because of course you want to keep yours, the hack will still be there after the upgrade. The new code prevents hacking but your blog, if it had been hacked, still has the problem.

For a more detailed look at the issue you can read Deep Jive’s overview but basically here’s what happened:

  • Hackers (some kind of bot I guess) pinged my blog, noticed it was an unpatched version, got in the admin section using the hack.
  • Uploaded the files needed for the spamming.
  • Modified my theme.

    The modification to the theme does this:

  • Loads an encrypted PHP function.
  • The function reads a .jpg file that’s not really an image, it’s a text file named with the .jpg extension. The file contains hundreds of links to nsfw sites and the like.
  • When someone comes to the site through search engines (I think), it includes in the code of the page an html block with a bunch of spammy links in it. Using CSS, it hides the block.

    The result of course is that if search engine don’t notice, they see this as “votes” for the spammy sites and it helps their ranking. If however, the search engine does realize it’s spam linking, they ban your site. Which is what happened to me and to this day I’m not back in the index.

    How Do I Find This Shit?

    Delete all the themes that aren’t yours. You could always keep the default one just in case but then check the code of that one as well.

    In your theme, look at all your template files, especially index.php and header.php and look for something like this (from my hacked index.php):

    The first line gives the page access to a directory not even in my WordPress install (more on this later). The path will change so mostly notice the rest when looking for this.

    The second is allright, it includes the header of my theme.

    The third line includes the function that does the deed.

    Remove the second and third lines, save the template. Upgrade WordPress.

    Freaking

    What’s freaky about this and makes me think it’s not a bot but a person (aka evil f0cker who should be hung by his balls) doing this because he didn’t only add code, he hid his stuff in the directory where my previous blog platform, Textpattern was still stored. That directory is next to the WordPress install, not in it. And the new stuff is hidden in the “lib” directory, named and place innocuously. I doubt they automated all of that.

    Lesson

    As mentioned by Jer in my comments; point upgrades are important, do them.

    Lesson 2; if you run into a spammer in real life, hit them upside the head multiple times with the most vicious piece of hardware you can find handy.

    Lesson 3; Google is too damned powerful and doesn’t have enough of a human interface. If not for my portfolio site, I would now have no site of mine findable by the world and thus, no “official” presence online. Sure, there are other search engines and I haven’t been banned there but realistically, who uses anything else? Google just zapped me out of the index and even though I have a Google Analytics account with them and the code is in my theme and they could conceivably have advised me, no such warning was given.

    Now I have to fill in forms to get my blog back in the index and there’s no way to talk to a live person or at least get updates / feedback on wetter the process is moving along. I just have to wait and ask again to please, please, internet God, can you bring my blog back to life? Sucks and is dangerous.

9 Comments

Denis Canuel April 11, 2008

Also look at for eval functions such as this one:

eval(gzinflate(base64_decode(‘encoded stuff’)));

You can often find those in “evil” free themes.

Hamish M April 11, 2008

This kind of stuff pisses me off.

I’m glad you’ve got it sorted out though. Thanks for sharing.

And yes, these types of people need their eyes raped with rusty spoons.

Boris April 11, 2008

Make sure to change passwords on ALL users on your WP install after this. Part of the hack is (assuming this is the same one) they modify users to allow them to get back in.

;)

Patrick April 11, 2008

Right. I did that but forgot to include it in the post.

Zelaurent April 12, 2008

Oups! Reçois tout mon soutien Patrick. Merci beaucoup d’avoir partager cette douloureuse expérience avec nous. Je vais travailler son l’upgrade de mes blogues cette fin de semaine ;(

Comments closed