My WordPress 2.6.1 install was hacked a few weeks ago and it was serving up advertisements for all kinds of dubious products. I noticed this because my friends were telling me that Firefox had marked my site as malware. Great. 50% of the people I polled got the error when checking out my site. I dug into the page source from the browser and found a long list of links to other people's WordPress blogs like (I'm going to use a link to my blog instead) <a style="display: none" href="http://stateofflux.com/page.php?id=discount+viagra">Discount viagra</a> – oh no, my site is compromised.
The attack inserts content into your WordPress database as RSS links. When your blog is rendered, the RSS links are inserted into the middle of your page with CSS telling the browser not to display them. This way the malware content is indexed by search engines but doesn't show up for normal readers. I'm assuming that with many compromised sites all linking to each other, the links rise to the top of search engine results for what look like legitimate sites: a malware link network. I'm not sure if it worked, but it is annoying.
Physical side effects
There were three side effects
- links to malware appeared in the middle of my pages
- iframes to malware appeared after the closing html tag on all of my pages (PHP and html)
- a new wp_options record was created that held the RSS content. The content of this record was a json(?)/serialized list of links to other compromised sites
I think this vulnerability was cleaned up in
What I did was:
- looked at the source of my WordPress page and found the links to other sites. They are pretty obvious as there is a really, really long line with words like viagra, soma, etc… let's assume it was 'soma' (and I've got a feeling that doesn't mean South Of MArket)…
- log into my database (mysqladmin or mysql client) and look in the wp_options table
> /* 'soma' is the malware word I found in the page source */
> select * from wp_options where option_value like "%soma%" \G
- remove the record
> delete from wp_options where option_value like "%soma%";
- reinstalled WordPress (I just upgraded to 2.7 at DreamHost, who move the directory aside anyway)
- reinstalled all Plugins/Themes from their original source
The problem seems to have gone away. This is going to make me much more diligent with minor upgrades to my site. This has caused me a lot of pain. I'm going to email everyone who links to my site with this exploit in the hope that we can slowly stamp it out. Please pass on the message.
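As an added example (not code from the original post), the script below automates the two inspection steps above: it scans a saved copy of a page for anchors hidden with display:none (on the link itself or on an enclosing element) and for iframes that appear after the closing html tag, and it runs the equivalent of the LIKE "%soma%" check over exported wp_options rows, counting how many links each matching row carries. The keyword list, the domain names, the option name rss_0a1b2c and all sample data are constructed for illustration; the tiny serializer exists only to build that sample.

```python
"""Detect the three symptoms described in the post on a saved page and on
exported wp_options rows. Sample data is constructed; keyword list is hypothetical."""
import re
from html.parser import HTMLParser

# Hypothetical keyword list; extend it with whatever words show up in your page source.
SPAM_WORDS = ("viagra", "soma", "cialis")

_HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Elements that never get a closing tag; they must not stay on the open-tag stack.
_VOID = {"br", "img", "input", "hr", "meta", "link", "area", "base", "col", "embed", "source"}


class InjectionScanner(HTMLParser):
    """Collects links hidden via inline CSS (on the <a> or an enclosing element),
    links whose href contains a spam keyword, and iframes found after </html>."""

    def __init__(self):
        super().__init__()
        self.hidden_links = []      # hrefs a reader cannot see
        self.spam_links = []        # hrefs containing a keyword, hidden or not
        self.trailing_iframes = []  # iframe src values seen after </html>
        self._hidden_depth = 0      # >0 while inside a display:none container
        self._open = []             # stack of (tag, tag_is_hidden_container)
        self._seen_html_close = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        hidden = bool(_HIDDEN_RE.search(a.get("style", "")))
        if tag == "iframe" and self._seen_html_close:
            self.trailing_iframes.append(a.get("src", ""))
        if tag == "a":
            href = a.get("href", "")
            if hidden or self._hidden_depth > 0:
                self.hidden_links.append(href)
            if any(w in href.lower() for w in SPAM_WORDS):
                self.spam_links.append(href)
        if tag in _VOID:
            return
        if hidden:
            self._hidden_depth += 1
        self._open.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == "html":
            self._seen_html_close = True
        if not any(t == tag for t, _ in self._open):
            return  # stray close tag; ignore rather than unwinding the stack
        while self._open:  # pop to the matching open tag, undoing hidden depth
            t, hidden = self._open.pop()
            if hidden:
                self._hidden_depth -= 1
            if t == tag:
                break


def scan_page(html):
    """Return the three symptom lists for one page of HTML."""
    p = InjectionScanner()
    p.feed(html)
    p.close()
    return {"hidden_links": p.hidden_links, "spam_links": p.spam_links,
            "trailing_iframes": p.trailing_iframes}


def php_serialize_strings(values):
    """Minimal PHP serialize() for a list of strings, used only to build sample data."""
    items = "".join(f'i:{i};s:{len(v.encode())}:"{v}";' for i, v in enumerate(values))
    return f"a:{len(values)}:{{{items}}}"


def find_suspicious_options(rows, keywords=SPAM_WORDS):
    """Python equivalent of `... WHERE option_value LIKE '%soma%'` over exported
    (option_name, option_value) rows, plus a count of href= occurrences per hit."""
    hits = []
    for name, value in rows:
        low = value.lower()
        matched = [k for k in keywords if k in low]
        if matched:
            hits.append({"option_name": name, "keywords": matched,
                         "links": len(re.findall(r"href\s*=", value, re.I))})
    return hits


# Constructed sample page showing all three symptoms plus one legitimate link.
SAMPLE_PAGE = """<html><head><title>t</title></head><body>
<p>Real post content.</p>
<div style="display: none"><a href="http://blog-a.example/page.php?id=discount+viagra">Discount viagra</a>
<a href="http://blog-b.example/page.php?id=buy+soma">Buy soma</a></div>
<a style="display:none" href="http://blog-c.example/page.php?id=cheap+cialis">cialis</a>
<a href="http://friend.example/">A legitimate, visible link</a>
</body></html>
<iframe src="http://malware.example/x.html" width="1" height="1"></iframe>
"""

# Constructed wp_options export: one normal row and one injected serialized row.
SAMPLE_OPTIONS = [
    ("siteurl", "http://blog.example"),
    ("rss_0a1b2c", php_serialize_strings([
        '<a href="http://blog-a.example/page.php?id=discount+viagra">Discount viagra</a>',
        '<a href="http://blog-b.example/page.php?id=buy+soma">Buy soma</a>'])),
]

if __name__ == "__main__":
    for k, v in scan_page(SAMPLE_PAGE).items():
        print(f"{k}: {v}")
    for hit in find_suspicious_options(SAMPLE_OPTIONS):
        print(f"wp_options hit: {hit}")
```

To use it on a real site, save the rendered page (the HTML the browser gets, not the PHP source) and export wp_options as (name, value) pairs; a row that matches keywords and carries dozens of href= occurrences is the one to delete, after which the page scan should return three empty lists.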
Note: I didn’t document these activities as I went along, and my memory is a bit vague on this so I’m writing the solution from memory. Please add comments to clarify anything that I’ve got wrong or missed.