Anatomy of a blog hack
While Wordpress is great software, its ubiquity means that a lot of script-kiddies and general hackers like to attack it. All of the different settings, options, plugins and the rest mean that it takes quite a bit of work to balance letting people participate (through comments, postings) while keeping spammers and hackers out.
About a year and a half ago, my blog was hacked. I was notified of it by Google’s webmaster tools, and it took quite a while to go through all the different files to find the offending code and strip it out. It ended up being located in a number of different places, so it took a few go-through’s re-submitting the site to Google before the hack-detection software declared it clean.
I was always a little worried that I hadn’t gotten it all. Recently, I came across a great couple of blog posts that I highly recommend:
- This is a good general description of why you need to be worried and links to a couple of tools you can use.
- This is a link to a Wordpress plugin called “Exploit Scanner.” I uploaded it to this blog and found a number of files that were clearly hacker-installed. I’ve since un-installed them, but want to post some things to help anyone else that might face the same situation in the future.
— — — — — — — — — — —
Files that were uploaded:
fx_akismet.php
fx_blogger.php
fx_I10n.php
fx_menu.php
fx_wp-config.php
fx_wp-db-backup.php
… and a folder of 70 html files and a javascript file meant to steal Google PageRank
All the php files were nearly identical. Here’s the code:
I don’t code in php, so I don’t really know what this says, but hopefully it might be useful to anyone afflicted by the same script.
I highly recommend if any of you have Wordpress blogs to take these same steps to see if you’ve been hacked.
