Feb 09, 2009

Spam Links Injected Into WordPress 2.7


Problem: My WordPress theme’s header.php suddenly contained some PHP code that injected invisible spam links into every page of my blog.

Are you infected? Visit your blog site, hit View Source, and search for “display:”. What you’re looking for is links styled display: none that you didn’t put there, usually with spammy anchor text around them. Better yet, if you’re a technical person, open your theme’s header.php and look for a line that starts with eval(base64_decode( (more on that below). So far, I’m only seeing this on blogs hosted on Dreamhost.

Solution: Delete the offending eval line from /wp-content/themes/theme-name/header.php. Delete /page.php, /installed.php, /wp-content/wp-manager.php, /wp-content/cache.php. Deleting the eval line only removes the symptom; the extra files are the attacker’s way back in (see Jared’s comment below on what cache.php actually is), so if you have a known-clean backup of your theme, diff against it or just restore it rather than trusting that you found every change by hand. Also check your user list for an administrator account you didn’t create. Change your passwords for your blog users, database, hosting, etc. Go to the Dreamhost “users” panel and enable Enhanced User Security.

[Image: evil-blogspam (screenshot of the injected eval(base64_decode(...)) line in header.php, with the eval circled in red)]

Long Speculation

You see the part of the image I circled in red? That’s an eval call wrapped around a base64_decode. eval means “execute the following string as if it were PHP code” and base64_decode means “turn this Base64 text back into the bytes it encodes.” Base64 isn’t encryption or compression; it just turns the payload into a long run of letters and digits so that nothing readable (no “display: none”, no URLs) shows up when you grep the theme. The file is /wp-content/themes/theme-folder/header.php, a file that is executed on every single page of your blog in order to draw the header. In short, it’s encoded PHP that gets decoded and executed every time someone loads one of your blog pages, which is why the spam links show up on every page.
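As an added example (this is not code from the original post), here is a small Python checker that does by script the two things described above by hand: it finds eval(base64_decode(...)) lines in a theme’s PHP files and decodes the payload so you can read what it actually does, and it pulls every link styled display: none out of a page’s HTML. The header.php contents and the rendered page below are constructed samples; the domain spam.example and the eval(gzinflate(base64_decode(...))) form are assumptions added here (that form is a common variation of the same injection, not something the post reports).

```python
import base64
import os
import re
import sys
import zlib

# eval(base64_decode("...")) and the eval(gzinflate(base64_decode("..."))) variant
# (the gzinflate form is assumed here as a common variation, not reported by the post).
INJECT_RE = re.compile(
    r"eval\s*\(\s*(?P<gz>gzinflate\s*\(\s*)?base64_decode\s*\(\s*['\"]"
    r"(?P<b64>[A-Za-z0-9+/=]+)['\"]\s*\)(?:\s*\)){1,2}"
)
# <a ...> tags whose inline style contains display:none
HIDDEN_LINK_RE = re.compile(
    r"<a\b[^>]*\bstyle\s*=\s*[\"'][^\"']*display\s*:\s*none[^\"']*[\"'][^>]*>(.*?)</a>",
    re.I | re.S,
)
HREF_RE = re.compile(r"\bhref\s*=\s*[\"']([^\"']*)[\"']", re.I)

def decode_payload(b64, compressed):
    """Undo base64 (plus raw DEFLATE for the gzinflate form); None if it will not decode."""
    try:
        data = base64.b64decode(b64, validate=True)
        if compressed:
            data = zlib.decompress(data, -15)  # wbits=-15: raw DEFLATE, what PHP gzinflate() reads
        return data.decode("utf-8", "replace")
    except (ValueError, zlib.error):  # binascii.Error is a subclass of ValueError
        return None

def find_eval_payloads(php_source):
    """One dict per injected eval: source line, whether gzinflate'd, decoded PHP."""
    findings = []
    for m in INJECT_RE.finditer(php_source):
        compressed = m.group("gz") is not None
        findings.append({
            "line": php_source.count("\n", 0, m.start()) + 1,
            "compressed": compressed,
            "decoded": decode_payload(m.group("b64"), compressed),
        })
    return findings

def find_hidden_links(html):
    """(href, anchor text) for every <a> styled display:none, i.e. the View Source check."""
    links = []
    for m in HIDDEN_LINK_RE.finditer(html):
        href = HREF_RE.search(m.group(0))
        text = re.sub(r"\s+", " ", m.group(1)).strip()
        links.append((href.group(1) if href else "", text))
    return links

def scan_theme_dir(root):
    """Walk a theme (or all of wp-content) and map each .php file to its injected evals."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_eval_payloads(fh.read())
                if hits:
                    report[path] = hits
    return report

# --- constructed samples (not real infected files) ---------------------------
PAYLOAD = ("echo '<a href=\"http://spam.example/page.php?id=x\" "
           "style=\"display: none\">buy drugs</a>';")  # what the eval runs once decoded

def _b64(s):
    return base64.b64encode(s.encode()).decode()

def _gz_b64(s):  # raw DEFLATE then base64, the gzinflate variant
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(s.encode()) + c.flush()).decode()

SAMPLE_HEADER = f"""<?php
/* constructed sample of an infected theme header.php */
?><html><body>
<?php eval(base64_decode("{_b64(PAYLOAD)}")); ?>
<?php eval(gzinflate(base64_decode('{_gz_b64(PAYLOAD)}'))); ?>
<div id="header">
"""

SAMPLE_PAGE = """<html><body>
<a href="http://spam.example/page.php?id=x" style="display: none">
buy drugs
</a>
<a href="/about/">About</a>
<p style="display:none">hidden, but not a link</p>
</body></html>"""

if __name__ == "__main__":
    # python checker.py /path/to/wp-content/themes/theme-name   (defaults to the samples)
    if len(sys.argv) > 1:
        for path, hits in scan_theme_dir(sys.argv[1]).items():
            for h in hits:
                print(f"{path}:{h['line']}: {h['decoded']!r}")
    else:
        for h in find_eval_payloads(SAMPLE_HEADER):
            print(f"header.php:{h['line']}: {h['decoded']}")
        for href, text in find_hidden_links(SAMPLE_PAGE):
            print(f"hidden link {text!r} -> {href}")
```

Run it with the path to your theme directory (or all of wp-content, which also catches dropped files like wp-manager.php if they use the same trick) and read the decoded payload before deleting anything; the decoded code is what tells you whether the line only prints links or also does something worse. The regexes are deliberately narrow to the pattern the post describes, so a clean result is not proof of a clean install, only that this particular injection is absent.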

I noticed it when I started getting Google links from other infected WordPress blogs. I noticed they had these invisible links in their header like:

<a href="http://boxofjack.com/page.php?id=buy-shitty-drugs" style="display: none">
buy drugs
</a>

I thought, it’s great that I’m getting links but why the fuck are spammers hacking blogs and linking to my site. Then I realized that my blog was hacked and I got kind of mad.

Two possibilities: either there is a flaw in WordPress 2.7 that let them gain access to my shit, or my provider, Dreamhost, has been compromised. Given that this is a hack designed to infest WordPress installations, and that I host three blogs but only my most popular one was infected, I’m going to guess that it is a WordPress-specific bug.

Note that this is not from me installing any infected themes. I coded this WordPress theme from scratch, and I have backups to prove that it was not infected when I installed it. It happened some time later. I launched this theme on the official WordPress 2.7 release. XML-RPC is enabled (yes, I know it’s a common attack vector, but I need it).

This is not a thorough investigation and it’s just what I’ve discovered through poking around on my own website. I haven’t even bothered to dissect all the shitty code, I just deleted it. I’m kinda angry at the moment and I hope it wasn’t something stupid that I did to cause this.

Update – Feb 12th @ 12pm

I’m pretty certain that this is a Dreamhost-specific problem. All the similar blogs I’ve seen are running WordPress on Dreamhost. What the fuck, Dreamhost. This is a pretty big issue.

will

Thanks very much for the heads up.

I also use Dreamhost and this is the second time I have had a hack in 2 months. Previously they were disguised links in the footer.

Time to switch hosts.

Regards

Karan

Dunno if it’s a coincidence, but 2.7.1 is out now – seems to have one or two XML-RPC-related fixes.

Will, for what it’s worth, i’ve got a couple of installs on Dreamhost too but they haven’t been hit – I’d suspect it’s not Dreamhost but WordPress that’s vulnerable. Report it to Dreamhost support and see if they can follow up – they’re usually pretty responsive.

Karan

Also, could be a plugin – I’ve got a very minimal list of plugins, but some particular plugin could be badly behaved…

Jared

I was hit twice in a week, also on DH. I’ve since switched to Media Temple last weekend.

Check your user list — I found another administrator created in my blog as well, obfuscated with some clever code so I couldn’t delete it from the admin panel (had to go in through phpMyAdmin and remove it manually from the DB). I also found uploaded to wp-content/uploads an R57shell named “cache.php” as well as a “wp-manager.php.”

Bill Vick

Thanks – they hacked my site (on Dreamhost) as well but your heads up saved me from both grief and embarrassment.

Why do idiots like that do things like this?

Thanks again Jack.

neal s

Thanks for the heads up on my site, Jack. I took care of it thanks to you, and I might not have noticed for a long time otherwise. I owe you a beer for sure.

Have we determined if this is a Dreamhost issue? I might very well need to switch after this. They seem way too vulnerable.

Dennis

Totally unrelated… but I really like your vim theme. :-)

Ray Hernandez

Same exact thing happen to me…and I’m on Dreamhost. Actually I’m trying to get the fuck off of dreamhost cause I can’t stand them. If the servers don’t go down…they get hacked. It’s crap. Thanks for the explanation…it really helped…and good luck to everyone else infected.
