World Gone Web hacked
January 8, 2011 | 3 Comments

On Monday morning, I received an email from Google Webmaster Tools letting me know that my WordPress blog had been hacked and was temporarily blacklisted. Users accessing my blog using Google Chrome or Firefox were advised to stay away for safety. I appreciate Google’s notification of this problem as well as their concern (and Mozilla’s) to protect my visitors.
Why was my WordPress blog hacked? I don’t believe it was individually targeted; I believe it was hacked because it was vulnerable. Two reasons:
1. I hadn’t updated my blog to the latest version of WordPress. As a matter of fact, I was not even running WordPress 3.0 yet.
2. Also, I believe the file permissions my host provider required me to use on the server were not safe enough, though I could not change them without breaking the whole blog (Access Denied error). I largely blame my hosting provider’s architecture for that.
So, what did the malware look like? It was PHP code added to every .php file in my main WordPress folder, reading something like eval(base64_decode(XXXXXXXXXXX)). Once decoded and evaluated, it checked whether the referrer was Bing, Yahoo or Google and, if so, redirected my visitor to a malware-sharing site of some kind (I didn’t go to it…). This hack has been used recently on several GoDaddy-hosted WordPress blogs and other CMSs. With some help from @fdevillamil and Google, I found information about the problem and started working on it.
I finally got the problem sorted thanks to several blog posts I’d like to point to here.
1. Here is a detailed explanation of the attack
2. I downloaded and modified Peter’s fixfiles.php script in order to clean my PHP code of the malicious PHP script.
3. Sucuri Research offers a console command (requires SSH access to your server) to clean your WordPress, too. They also detailed how to fix a hacked blog intended for GoDaddy users.
4. Before resubmitting my blog for validation by Google, I made sure everything was okay using Sucuri’s malware scanner service (free for limited use). A very useful tool.
5. I quickly searched for similar tools I could use in the future and found the following articles, though I haven’t tested these services yet.
6. I moved my blog to another host where I was able to set the permissions more restrictively.
7. I disabled several of my plugins and updated my WordPress, hoping to protect my blog from the security flaws that could lie in third-party code.
8. Next, I read up about a few ways to fix security holes in WordPress in these posts:
- Monitor Malicious File Changes in WordPress Blog
- Secure a WordPress Blog
- The best way to handle file permissions for Apache www-data (ServerFault discussion)
- Avoid users uploading malware
9. Finally, I updated my blog, which was long overdue. It can quickly be done in a few steps, which are detailed right here.
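As an added example (not from this post, and not Peter’s fixfiles.php script), here is a small Python scanner/cleaner for the injection pattern described above: it finds eval(base64_decode('…')) statements in .php files, decodes each payload to report which indicators it contains (a referrer check, a redirect header, search-engine names), and, when asked, strips the statement after saving a backup of the infected file. The sample directory, the infected file and its payload are constructed for the demonstration; run it in dry-run mode first on a real tree and review the report before cleaning.

```python
"""Detect and strip eval(base64_decode(...)) injections from PHP files (added example)."""
import base64
import os
import re
import tempfile

# The injected statement as the post describes it, optionally wrapped in its own <?php ... ?> tags.
INJECT_RE = re.compile(
    r'<\?php\s*eval\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+/=]+)[\'"]\s*\)\s*\)\s*;\s*\?>'
    r'|eval\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+/=]+)[\'"]\s*\)\s*\)\s*;'
)

# Strings whose presence in the decoded payload matches the behaviour the post describes.
INDICATORS = ("HTTP_REFERER", "header(", "Location:", "google", "bing", "yahoo")


def decode_payload(b64):
    """Decode the base64 argument; return '' if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""


def scan_text(text):
    """Return one finding per injected statement: the match, its decoded payload, indicators hit."""
    findings = []
    for m in INJECT_RE.finditer(text):
        b64 = m.group(1) or m.group(2)
        payload = decode_payload(b64)
        hits = [i for i in INDICATORS if i.lower() in payload.lower()]
        findings.append({"match": m.group(0), "payload": payload, "indicators": hits})
    return findings


def clean_text(text):
    """Remove every injected statement; return (cleaned text, number removed)."""
    return INJECT_RE.subn("", text)


def scan_tree(root, clean=False):
    """Walk root, scanning every .php file. With clean=True, back up and rewrite infected files."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                text = f.read()
            findings = scan_text(text)
            if not findings:
                continue
            report[path] = findings
            if clean:
                # Keep the infected original for forensics, then write the cleaned file in place.
                with open(path + ".infected.bak", "w", encoding="utf-8") as f:
                    f.write(text)
                cleaned, _ = clean_text(text)
                with open(path, "w", encoding="utf-8") as f:
                    f.write(cleaned)
    return report


# Constructed sample payload: a referrer check and redirect to a placeholder host, as the post describes.
PAYLOAD_SRC = ("if(stripos($_SERVER['HTTP_REFERER'],'google')!==false)"
               "{header('Location: http://example.invalid/');}")
SAMPLE_INFECTED = ("<?php eval(base64_decode('"
                   + base64.b64encode(PAYLOAD_SRC.encode()).decode()
                   + "')); ?>\n<?php\n// legitimate file body (constructed)\necho 'hello';\n")
SAMPLE_CLEAN = "<?php\necho 'untouched';\n"


def build_sample_tree():
    """Create a temporary directory with one infected and one clean .php file (constructed sample)."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_INFECTED)
    with open(os.path.join(root, "wp-includes", "ok.php"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_CLEAN)
    return root


def demo():
    """Scan and clean the constructed tree; return (report, cleaned index.php text)."""
    root = build_sample_tree()
    report = scan_tree(root, clean=True)
    with open(os.path.join(root, "index.php"), encoding="utf-8") as f:
        cleaned = f.read()
    return report, cleaned


if __name__ == "__main__":
    report, cleaned = demo()
    for path, findings in report.items():
        for finding in findings:
            print(path, "indicators:", finding["indicators"])
    print("cleaned file still infected?", bool(scan_text(cleaned)))
```

The regex only catches the exact eval(base64_decode('…')) form; obfuscated variants (string concatenation, gzinflate, variable function names) need a broader rule set, which is one reason to reinstall WordPress core and plugins from clean sources rather than trust a regex sweep alone.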
Hope this helps out someone else in a similar situation and that Google reconsiders my website soon.
Tagged with: Apache, google, hacked, malware, ovh, security, server, webmaster, wordpress
Make sure you change your FTP password too! When I got hacked on GoDaddy, I experimented. Had 2 sites where I did not change the FTP password, and 2 where I did. I got hacked again on the two sites where I did not change the password.
Even though I ONLY use SFTP… Have no clue where they got the passwords.. They did not get in with Brute Force…
Best of luck!
Peter
Thanks for the advice. This has been done as well. I will keep updating the code frequently and hope to stay out of trouble.