I got up this morning to find that some of my URLs had been appended with:
/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/
It would appear that the blog has been hacked by someone who registered as a subscriber using black-hearted techniques I really don't understand. Fortunately for me, my knight in shining armour came, after a quick Google search, in the form of Andrew Wee, who had suffered similar and has written a very thorough fix on his blog.
Thanks Andrew, this one would have had us stumped. I'll be keeping a close eye on all my WordPress blogs today.
My blog was running on a very old WordPress version (lazy), so I'm not sure whether this is something that has already been fixed in a previous version update or not. A good reminder that it is important to keep your WP version updated with new fixes!
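The appended URL shown above is a stable thing to look for in web-server access logs, because the PHP it carries runs whatever arrives in the Referer header, so the Referer value changes while the URL does not. The following is an added Python example (not code from the original post or from Andrew's fix) that percent-decodes each request path and flags the eval/base64_decode pattern; the log lines are constructed Apache combined-format samples and the Referer value is a placeholder.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format; they are not from the original post.
# The second line carries the injected URL suffix quoted in the post; its Referer value is a
# placeholder standing in for whatever base64 the attacker would send.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Sep/2009:08:12:01 +0100] "GET /2009/09/some-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Sep/2009:08:12:44 +0100] "GET /2009/09/some-post/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/ HTTP/1.1" 200 5120 "PLACEHOLDER_BASE64" "Mozilla/5.0"
203.0.113.7 - - [04/Sep/2009:08:13:10 +0100] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, path, protocol, status, size, referer, user agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# What the injected PHP looks like once the path is percent-decoded.
INJECTION_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_SERVER", re.IGNORECASE)


def decode_path(path):
    """Percent-decode repeatedly until stable, so double-encoded variants are caught too."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def find_injected_requests(log_text):
    """Return one dict per request whose decoded path contains the eval/base64_decode pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_path(m.group("path"))
        if INJECTION_RE.search(decoded):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": decoded,
                "referer": m.group("referer"),  # the code the attacker actually tried to run
            })
    return hits
```

Keeping the Referer column in the output matters: it is the only place the actual injected code appears, so it is what you want to preserve for the incident record.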
*edit*
Just found this WordPress Support Topic on the issue. It does indeed seem to be old versions that have been hacked, so guys, learn your lesson from this lazy affiliate marketer before it happens to your blog. Update your WordPress version now!!!
Also, Jason suggested we check our SQL database for any admins that might have been added, and sure enough, when we checked there was a spurious admin sitting in there that was not visible in WordPress!
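Checking the database directly for administrator accounts, as Jason's advice here and his comment further down both recommend, is shown in the following added Python example (not the post's own code). It assumes the default wp_ table prefix and loads constructed rows into an in-memory SQLite copy of the two tables so the query can be exercised offline; the SQL itself runs unchanged against the live MySQL database.

```python
import sqlite3

# Minimal stand-in for the two WordPress tables the check needs. The default "wp_" table
# prefix is assumed; substitute your own. All rows below are constructed for this example.
SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
    user_registered TEXT, display_name TEXT);
CREATE TABLE wp_usermeta (
    umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""
USERS = [
    (1, "kirsty", "kirsty@example.com", "2008-01-10 09:00:00", "Kirsty"),
    (2, "reader", "reader@example.com", "2009-06-02 14:30:00", "Reader"),
    (3, "wp_support", "x@example.net", "2009-09-04 03:17:52", "wp_support"),
]
# WordPress stores a user's roles as a PHP-serialized array under the wp_capabilities key.
CAPS = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Lists every administrator the database knows about, regardless of what the dashboard shows.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""


def build_demo_db():
    """In-memory copy of the constructed tables, so the query can be run offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?, ?)", USERS)
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)", CAPS)
    return conn


def list_db_admins(conn):
    """(ID, user_login, user_email, user_registered) for every admin in the database."""
    return conn.execute(ADMIN_QUERY).fetchall()


def unexpected_admins(conn, known_logins):
    """Admins in the database whose login is not one you know you created."""
    return [row for row in list_db_admins(conn) if row[1] not in known_logins]
```

Compare the result against the logins you recognise rather than against the WordPress users screen, since the post reports that the rogue account did not show up there.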
September 4th, 2009 at 11:52 pm
You also need to make sure you check your user lists (suggest check the sql database rather than through wordpress). We had the same problem (see Twitter earlier today) but also discovered a base 64 injection that created a new admin account.
Upgrading is good, but make sure you also remove any created admin.
September 5th, 2009 at 12:03 am
Thanks for the extra info Jase!
September 5th, 2009 at 12:12 am
Hi Kirsty,
Tks for visiting.
I’d personally refrain from updating too quickly just because the new versions:
1) often contain security holes themselves
2) frequently break previously working plugins
3) plugin developers can sometimes take a couple of weeks to develop an updated plugin compliant with the new version of WP.
If anything, I'd suggest looking at the version info on the WordPress site and updating to the 2nd newest version, unless there is a related security issue.
September 5th, 2009 at 12:33 am
Thanks for that Andrew, I hadn't considered that with new versions. I rarely update immediately when they are issued anyhow. I'm aware the second to last version had a security issue though.
I've updated already and thankfully all seems to be fine. I don't have that much in the way of complex plugins on here, will just have to keep the internet fingers crossed it's not out of the frying pan and into the fire!
September 5th, 2009 at 4:43 am
Thanks for the heads up Kirsty.
I checked and one of my sites had been bitten by this hack. All fixed now, thanks.
September 5th, 2009 at 4:20 pm
Cheers Kirsty and Jason for the warning.
How do you usually upgrade your WP versions? I know you can do it in admin automatically, but it always fails for me.
I’m sure someone mentioned a plugin a while back.
Cheers.
September 6th, 2009 at 1:16 pm
My website got attacked last night, and I've been running the latest version of WordPress for ages. So just because the latest versions of WordPress are (relatively) secure, it doesn't mean your plugins are.
Dan
September 7th, 2009 at 8:22 am
It's easy Steve, I say "Duncan, get that WordPress updated today" and it happens.
Thanks for that heads up Dan, I checked all of my SQL Databases today and backed them all up for good measure just in case anything nasty happens in the next little while!
September 7th, 2009 at 1:17 pm
I run daily backups. Thanks to that, I was able to fix my website in just 1 hour.
There is a lack of good and reliable backup systems, I really must look into solving that issue.
Dan
September 7th, 2009 at 8:56 pm
Those of you with Fantastico in your hosting account – you can upgrade your installation simply and easily. Just go to the Fantastico part of your hosting platform and hit the upgrade link.
This may save you some of the hassle of changing the read/write/execute permissions via your FTP client. It would be worth locking down the permissions on your WP sites until a thorough patch is found. The permission settings in WP leave it full of holes, so get locking down those 'execute' options in your FTP client!
Something that I am trying to find out about is a WordPress set-up that allows you to run an installation of WordPress locally on your machine (using a WAMP server) and then export flat HTML files up to your web server. This 'should' save your site from being exploited (especially if the web server is set to read-only). This solution is only any good for websites where you are pushing pages and posts but not allowing comments, but as so many affiliates use WP as a plain CMS for pushing content, this could be a good solution for some affiliate sites.
Anyone know anything about 'WP save to HTML' plugins and which ones are any good? Would be great for a pointer.
September 7th, 2009 at 11:09 pm
The exact thing happened to our WordPress blog the other day. The hacker also created themselves an admin account which was hidden, but Cyberbird managed to find and delete it for us. The odd thing is the hidden admin account could only be seen for a few seconds by using the 'Flock' browser (never heard of it myself); using any other browser it was completely hidden, apart from the number of admins showing in the Administrator link.
Our WordPress version wasn't that old, it was 2.8.2, but it is now upgraded to 2.8.4 and we are now keeping a close eye on it.
Lee
September 14th, 2009 at 12:43 am
Have you pimped out Duncan's updating service yet? I have a couple of sites that need sorting!