My WordPress install was hacked – oh no!

My WordPress 2.6.1 install was hacked a few weeks ago and it was serving up advertisements for all kinds of dubious products. I noticed this because my friends were telling me that Firefox had marked my site as malware. Great. 50% of the people I polled got the error when checking out my site. I dug into the page source from the browser and found a long list of links to other people's WordPress blogs, like (I'm going to use a link to my blog instead) `<a style="display: none" href="http://stateofflux.com/page.php?id=discount+viagra">Discount viagra</a>`. Oh no, my site is compromised.

What happened

The attack inserts content into your WordPress database as RSS links. When your blog is rendered, the RSS links are inserted into the middle of your page with inline CSS (`display: none`) telling the browser to hide them. This way the spam links can be crawled and indexed by search engines but never show up to normal readers (this is the cloaking trick behind most link-farm injections). I'm assuming that with many sites compromised and all linking to each other from otherwise legitimate sites, the links would rise to the top of search engine results: a malware network. I'm not sure if it worked, but it is annoying.

Side effects

There were three side effects:

  • links to malware appeared in the middle of my pages, hidden with `display: none`
  • iframes to malware appeared after the closing `</html>` tag in all of my files (both the PHP templates and plain HTML files), which is why every page served it
  • a new wp_options record was created that held the "RSS" content. The content of this record was a serialized list of links to other compromised sites (it looked a bit like JSON, but WordPress stores array-valued options with PHP's serialize())

The fix

I think this vulnerability was cleaned up in WordPress 2.6.5, but I'm not sure, as I can't find anyone else talking about this issue.

What I did was:

  • looked at the source of my WordPress page and found the links to other sites. They are pretty obvious, as there is a really, really long line with words like viagra, soma, etc. Let's assume it was 'soma' (and I've got a feeling that doesn't mean South Of MArket)...
  • logged into my database (phpMyAdmin or the mysql command-line client) and looked in the wp_options table for that word. Take a backup first (mysqldump), and check that the select only returns the injected record: a LIKE on option_value can also match a legitimate option, such as a cached feed, that merely mentions the word
> select option_id, option_name, option_value from wp_options where option_value like '%soma%' \G      /* where 'soma' is the malware word I found in the page source */
  • removed the record
> delete from wp_options where option_value like '%soma%';      /* only after the select above returned nothing but the injected record */
  • reinstalled WordPress (I just upgraded to 2.7 at DreamHost, who move the old directory aside anyway, so the iframes appended to the PHP files went with it)
  • reinstalled all plugins and themes from their original source, since the files in the old directory could not be trusted
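The side effects and the clean-up steps above are easy to miss by eye on a large install, so here is an added example, written for this page and not code from the original post, that automates the triage: it walks a web root and reports any non-whitespace content after the last `</html>` (the appended iframes) and any anchor cloaked with an inline `display: none` (the hidden spam links), and it decodes a wp_options value of the kind the select returns with a minimal reader for PHP's serialize() format so the injected URLs can be listed without guessing at the keyword. The page contents, hostnames, file names and the serialized option value are constructed samples, not data from the compromised site.

```python
import os
import re
import tempfile

# Constructed samples (not from the original post): an injected page, an
# appended iframe, a clean template, and a PHP serialize()d array of spam URLs
# of the kind found in wp_options.option_value. Hostnames are made up.
SAMPLE_PAGE_WITH_HIDDEN_LINK = (
    '<html><body><p>Hello world</p>\n'
    '<a style="display: none" href="http://example.com/page.php?id=discount+viagra">'
    'Discount viagra</a>\n</body></html>\n'
)
SAMPLE_PAGE_WITH_IFRAME = (
    '<html><body><p>About me</p></body></html>\n'
    '<iframe src="http://example.net/in.php" width="1" height="1"></iframe>\n'
)
CLEAN_PAGE = '<?php get_header(); ?>\n<html><body>nothing to see</body></html>\n'
SAMPLE_OPTION = (
    'a:2:{i:0;s:46:"http://example.com/page.php?id=discount+viagra";'
    'i:1;s:35:"http://example.org/page.php?id=soma";}'
)

# An <a ...> tag whose inline style contains display:none, then its href.
HIDDEN_ANCHOR_RE = re.compile(
    r'<a\s[^>]*style\s*=\s*["\'][^"\']*display\s*:\s*none[^>]*>', re.IGNORECASE)
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def hidden_links(html):
    """Return the hrefs of anchors cloaked with an inline display:none."""
    links = []
    for tag in HIDDEN_ANCHOR_RE.findall(html):
        m = HREF_RE.search(tag)
        if m:
            links.append(m.group(1))
    return links


def trailing_injection(text):
    """Return non-whitespace content after the last </html>, '' if clean."""
    idx = text.lower().rfind('</html>')
    return '' if idx < 0 else text[idx + len('</html>'):].strip()


def scan_tree(root, exts=('.php', '.html', '.htm')):
    """Walk root and return (relative path, kind, detail) for each injection."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                text = fh.read()
            rel = os.path.relpath(path, root)
            tail = trailing_injection(text)
            if tail:
                findings.append((rel, 'after </html>', tail[:60]))
            for href in hidden_links(text):
                findings.append((rel, 'hidden link', href))
    return findings


def php_unserialize(data):
    """Minimal reader for PHP serialize() output (N, b, i, s and a only).
    Works on bytes because the s: length is a byte count, not a char count."""
    buf = data.encode('utf-8') if isinstance(data, str) else data
    pos = 0

    def parse():
        nonlocal pos
        t = buf[pos:pos + 1]
        if t == b'N':                               # N;
            pos += 2
            return None
        if t in (b'i', b'b'):                       # i:123;  b:1;
            end = buf.index(b';', pos)
            val = int(buf[pos + 2:end])
            pos = end + 1
            return bool(val) if t == b'b' else val
        if t == b's':                               # s:LEN:"bytes";
            colon = buf.index(b':', pos + 2)
            length = int(buf[pos + 2:colon])
            start = colon + 2                       # skip :"
            val = buf[start:start + length].decode('utf-8', 'replace')
            pos = start + length + 2                # skip ";
            return val
        if t == b'a':                               # a:COUNT:{key;value;...}
            colon = buf.index(b':', pos + 2)
            count = int(buf[pos + 2:colon])
            pos = colon + 2                         # skip :{
            out = {}
            for _ in range(count):
                key = parse()
                out[key] = parse()
            pos += 1                                # skip }
            return out
        raise ValueError('unsupported type %r at offset %d' % (t, pos))

    return parse()


def spam_urls(option_value, keywords):
    """Strings inside a serialized option that contain any of the keywords."""
    hits = []

    def walk(value):
        if isinstance(value, str):
            if any(k in value.lower() for k in keywords):
                hits.append(value)
        elif isinstance(value, dict):
            for item in value.values():
                walk(item)

    walk(php_unserialize(option_value))
    return hits


def demo():
    """Build a throwaway web root from the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'wp-content'))
        for name, body in (('index.php', SAMPLE_PAGE_WITH_HIDDEN_LINK),
                           ('about.html', SAMPLE_PAGE_WITH_IFRAME),
                           ('wp-content/clean.php', CLEAN_PAGE)):
            with open(os.path.join(root, name), 'w', encoding='utf-8') as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == '__main__':
    for rel, kind, detail in demo():
        print('%-22s %-14s %s' % (rel, kind, detail))
    for url in spam_urls(SAMPLE_OPTION, ('viagra', 'soma')):
        print('spam URL in wp_options:', url)
```

Run `scan_tree()` against the real document root before reinstalling, so you know which files were touched, and feed the option_value column from the select above to `spam_urls()` to get the full list of sites linked from the injected record; that list is what you would use when contacting the other site owners. The serialize() reader handles only the scalar and array types WordPress uses for options; an object (`O:`) value raises rather than being silently skipped.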

Conclusion

The problem seems to have gone away. This is going to make me much more diligent about applying minor upgrades to my site. This has caused me a lot of pain. I'm going to email the owners of every site that links to mine through this exploit, in the hope that we can slowly stamp it out. Please pass on the message.

Note: I didn’t document these activities as I went along, and my memory is a bit vague on this so I’m writing the solution from memory. Please add comments to clarify anything that I’ve got wrong or missed.

  1. Ali says:

    Hi,
    I also had the same problem. I started from the beginning. Changed everything except my domain.

    But now I have another problem. I am in Google's sandbox, because there are nearly 2000 sites spam-linking to a subdirectory (to a PHP file) of my previous site... These links are not valid for my new site, but they are still on the internet, and Google thinks my site is suspicious...

    1- Did you experience the same?
    2- What do you suggest I do to get rid of all those spam links targeting no-longer-existing subdirectories of my domain?
    3- If you want to see what I see in google search: search for markayoneticisi-DOT-com

  2. mark says:

    If you run into this sort of problem you can use Google's Webmaster Tools to inform Google that your site isn't spam.

  3. Lucky you found the problem and I’m still looking for the solution
