
How do I get rid of this hacker infiltration of my website? WordPress

  • SOLVED

I find this frustrating. WordPress has some serious security issues, which keep cropping up.

I dealt with this hack once before, years ago, on a different website, but now I've forgotten what the fix is:

[[LINK href="http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=clojure+site%3Asmashcompany.com"]]http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=clojure+site%3Asmashcompany.com[[/LINK]]

This particular hack does no damage to my actual site, but it feeds Google pages full of garbage.

What I've done so far:

1.) made a backup of the wp-content folder

2.) delete the whole site

3.) install a newer version of WordPress

4.) put the wp-content folder back

5.) look in the users table in the database to be sure there are no users, save for me

These 5 things failed to get rid of the problem. I assume the dangerous files are in wp-content. But what do I look for? How do I find it?

Answers (4)

2011-08-12

Linda answers:

Hi, have you also checked your .htaccess file for hacks?


Lawrence Krubner comments:

Good thinking, but it looks like the file is fine:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress



Linda comments:

Hi again, yes your .htaccess looks fine. It looks like they must be using a Googlebot hack. There is a very detailed site here: http://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection/ but it is in Geek. :)

To test, you could temporarily remove your wp_footer() or wp_head() hooks and see if that gets rid of the problem. To check, use a tool that will crawl your site as Googlebot. The one I used was here: http://urivalet.com/. Then you can narrow down where they might have placed the code. The above site lists places to look for the hacked code.


Linda comments:

Oh, and make sure when you use the URI Valet to choose Googlebot as your 'User Agent'.


Lawrence Krubner comments:

Thanks, I did not know about http://urivalet.com/. That is a good tip.
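The check Linda describes is a cloaking test: the same URL is fetched once as a browser and once as Googlebot, and any links that only appear in the crawler's copy are the injected ones. The script below is an added example, not code from this thread or from URI Valet. It parses both responses with Python's standard library and reports the links a normal visitor never sees; the two sample pages (and the `example.invalid` hostnames in them) are constructed for the demo, and `fetch_as()` is only there for running it against a live site.

```python
"""Added example (not from the thread): compare what a page serves to a browser
with what it serves to Googlebot, to spot spam links shown only to crawlers.
The sample HTML at the bottom is constructed for the demo."""
import urllib.request
from html.parser import HTMLParser

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def cloaked_links(browser_html, bot_html):
    """Return (href, text) pairs the crawler sees that the browser does not."""
    seen_by_browser = {href for href, _ in extract_links(browser_html)}
    return sorted({(h, t) for h, t in extract_links(bot_html) if h not in seen_by_browser})


def fetch_as(url, user_agent):
    """Fetch a URL with a chosen User-Agent (live check; not used by the demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_site(url):
    """Live version of the test: fetch twice and diff the link sets."""
    return cloaked_links(fetch_as(url, BROWSER_UA), fetch_as(url, GOOGLEBOT_UA))


# Constructed sample responses for the same page.
BROWSER_PAGE = """<html><body>
<h1>My blog</h1>
<a href="/about/">About</a>
<a href="/2011/08/post/">A post</a>
</body></html>"""

# The crawler gets the same page plus a hidden block of injected links.
GOOGLEBOT_PAGE = """<html><body>
<h1>My blog</h1>
<a href="/about/">About</a>
<a href="/2011/08/post/">A post</a>
<div style="display:none"><a href="http://example.invalid/buy">cheap pills</a>
<a href="http://example.invalid/other">more spam</a></div>
</body></html>"""

if __name__ == "__main__":
    for href, text in cloaked_links(BROWSER_PAGE, GOOGLEBOT_PAGE):
        print(f"only shown to Googlebot: {href!r} ({text!r})")
```

Running it on the samples lists the two `example.invalid` links. Against a real site, `check_site("http://yoursite.com/")` does the same comparison live; a clean site returns an empty list, and the hrefs it does return are the strings to grep for in the theme and plugin folders.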

2011-08-12

Joshua Nelson answers:

Security issues in WordPress are incredibly frustrating, that's for sure. I think you want this solution: [[LINK href="http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php"]]http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php[[/LINK]]

When you installed the new version of WordPress, did you completely wipe the entire domain's WordPress content and upload a brand new WordPress install? If so, have you looked into your theme folder?

If that walkthrough above isn't the one, then you should download fresh versions of all your plugins and theme into a fresh version of WordPress. Usually these files find their way into your plugin or theme folders.

Also, once you get this fixed, be sure you don't have any user named "admin" and that you use a strong password. I'm a big fan of the plugins Login Logger, Login Lockdown, WordPress Database Backup, and WP-ReCapcha. Place your config file up a level if you can, or your WordPress folder somewhere other than your main folder. Hide your WordPress version (see the walkthroughs below) and change your database prefix.

I'd recommend these:
http://codex.wordpress.org/Hardening_WordPress
http://www.whoishostingthis.com/blog/2010/05/24/hardening-wordpress/
http://www.bloggingpro.com/archives/2010/04/20/wordpress-security-a-comprehensive-guide/
http://www.hongkiat.com/blog/hardening-wordpress-security/
http://coding.smashingmagazine.com/2010/07/01/10-useful-wordpress-security-tweaks/


Lawrence Krubner comments:

At first I assumed this was the Pharma hack, but now I'm thinking it is simply something similar? The Pharma hack usually targets the plugins folder? If I ssh to the server and run:

ls -al wp-content/plugins/

all I get is what I expect:

drwxr-xr-x 7 lawrence lawrence 4096 2011-04-17 21:42 .
drwxr-xr-x 6 lawrence lawrence 4096 2011-04-17 21:42 ..
drwxr-xr-x 2 lawrence lawrence 4096 2011-04-17 21:42 akismet
drwxr-xr-x 2 lawrence lawrence 4096 2011-04-17 21:42 custom-excerpts
-rw-r--r-- 1 lawrence lawrence 30 2011-04-17 21:42 index.php
drwxr-xr-x 4 lawrence lawrence 4096 2011-04-17 21:42 refgenerator
drwxr-xr-x 6 lawrence lawrence 4096 2011-04-17 21:42 smart-archives-reloaded
drwxr-xr-x 2 lawrence lawrence 4096 2011-04-17 21:42 twitter-tools


Joshua Nelson comments:

Well, these things change as WordPress changes. If you have looked through each of your databases (which you should do yourself, don't search - open up your SQL, view each table and see if you can find anything odd).

Again, did you wipe everything and start completely fresh? This is the step you need to take at this point - it could be buried in your folders somewhere and could take forever to find if you try searching for it. These things are engineered to be hard to find. Check each folder's .htaccess folders. You might be able to delete these entirely (caution on this if you don't know what you're doing, I can't see what those files contain), depending on what plugins you're using. If you go this route and you're using pretty permalinks, be sure to go back into your permalinks tab and re-save it to auto-generate it again.

Backup your database (after looking through it). If you have custom functions, CSS or child themes, back those up and search them manually and thoroughly. Wipe *everything* from your site. Manually install a freshly downloaded WordPress and re-install your plugins & theme fresh from their sources.

If you do that and it is still there, then you have a deeper issue that I can't solve without seeing the site make-up itself...


Lawrence Krubner comments:

Well, I deleted everything except wp-content. I hate to get rid of that entirely since the design is custom. But I guess I can go through it carefully and try to find something that looks out of place.

2011-08-12

Dylan Kuhn answers:

Definitely no fun. The [[LINK href="http://wordpress.org/extend/plugins/exploit-scanner/"]]exploit scanner plugin[[/LINK]] raises lots of false positives, but I've had it help me narrow my search for malicious files.

You may have already found that [[LINK href="https://www.google.com/webmasters/tools/"]]Google Webmaster Tools[[/LINK]] has a useful "Fetch as Googlebot" tool under Diagnostics that I've used to check a cleaned up site.

Once clean, the [[LINK href="http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/"]]File Monitor Plus plugin[[/LINK]] is useful for detecting any subsequent attacks. I've never seen a site running the most recent version of WordPress compromised, but it could certainly happen if some malicious code escapes detection.


Lawrence Krubner comments:

The File Monitor Plus plugin is very clever. Thanks for the tip.
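What a file monitor like the plugin Dylan recommends does is hash every file once the site is clean and then diff later snapshots against that baseline, so a dropped backdoor or an edited theme file shows up as a change. The script below is an added example written for this thread, not the plugin's own code. It stores the baseline as JSON and reports added, removed and changed paths; the web root, file names and contents it uses are constructed for the demo.

```python
"""Added example, not the File Monitor Plus plugin's code: take a SHA-256
baseline of a web root once it is clean, then compare later snapshots against
it to list files that were added, removed or modified.  The web root, file
names and contents in demo() are constructed for the demo."""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to its hash."""
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = hash_file(full)
    return snap


def compare(baseline, current):
    """Diff two snapshots: a dropped backdoor appears under 'added', an edited
    theme or core file under 'changed'."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(snap, path):
    """Keep the baseline outside the web root so an intruder cannot rewrite it."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def write(root, rel, content):
    """Helper for the demo: create a file at a '/'-separated relative path."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo():
    """Build a constructed web root, baseline it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        write(root, "index.php", "<?php require './wp-blog-header.php';\n")
        write(root, "wp-content/themes/custom/footer.php", "<?php wp_footer(); ?>\n")
        write(root, "wp-content/plugins/akismet/akismet.php", "<?php // plugin code\n")
        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_file)

        # Simulated tampering: the theme footer is edited and a PHP file is
        # dropped into uploads (both constructed, no real payload).
        write(root, "wp-content/themes/custom/footer.php",
              "<?php wp_footer(); /* injected */ ?>\n")
        write(root, "wp-content/uploads/.cache.php", "<?php /* constructed dropped file */ ?>\n")
        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run `snapshot()` plus `save_baseline()` once on the freshly reinstalled site, then run `compare()` from cron; a non-empty result is the alert. The baseline file belongs outside the document root, since anything under it can be edited by the same code that edits the theme.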

2011-08-12

Ozh RICHARD answers:

If you don't have shell access, my comment won't be of any help, so just ignore it (and find a better host with shell access)

If you have shell access, scan your entire directory (not just WP, not just wp-content) with the following commands:

grep -r "gzinflate" /home/you/yoursite.com > gzinflate.txt
grep -r "base64_decode" /home/you/yoursite.com > base64_decode.txt
grep -r "var el,ar,ar2" /home/you/yoursite.com > maljs.txt
grep -r "Windows-1251" /home/you/yoursite.com > charset.txt

These lines search for functions gzinflate() and base64_decode(), which are often used by backdoor scripts. File maljs.txt searches for a javascript I've often seen that injects links. The charset stuff is also contained in a popular backdoor script. WP plugin Exploit Scanner is nice but is a bit limited.

Now you've grepped everything, read all these four files (eg. "pico -w gzinflate.txt" or "cat gzinflate.txt | less"). You'll see stuff like this:
somedir/otherdir/somefile.php:[a php line containing gzinflate]

Reading the files, you'll look for 2 things:
- unknown or suspicious file names (wp-content/plugins/plugin.php, wp-includes/include.php, etc...)
- base64 or gzinflate function calls with very long string of seemingly random chars, such as '7b17f9vG0TD6d/v75TusEaYmE5KiZOcmWXJkSY59alt+JLlpXtmHBQlQQkUSDABKdl1/oPMZ3'

If a file looks suspicious to you, open it with the shell editor (eg pico -w /home/you/yoursite.com/include.php) and load it in your browser (eg http://yoursite.com/wp-content/plugins/plugin.php) to see if that looks like something regular.

Two things to keep in mind:
- a backdoor could be anywhere, not necessarily within WP
- WordPress is 1000 times more secure than most other scripts. Most hacks *target* WordPress but the entry is either another script or simply a poorly configured shared hosting server.

Further reading: http://codex.wordpress.org/Hardening_WordPress and especially the file permission part.

Good luck!
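Ozh's four grep commands and the two things to read the output for (suspicious file names, and a decoder call wrapped around a very long random-looking string) can be turned into one pass over the tree that reports both at once. The script below is an added example, not code from this thread. It searches every file for the same indicator strings, counts quoted base64-looking strings of 60 or more characters, and ranks files so a decoder call sitting next to a long blob comes first while a bare `base64_decode()` in a mail library ranks low. The directory layout and file contents in `demo()` are constructed; the long string is the sample from Ozh's answer.

```python
"""Added example, not code from the thread: a Python version of Ozh's grep
sweep.  It walks a directory, records which of his indicator strings each
file contains, and flags quoted base64-looking strings of 60+ characters.
The tree built in demo() is constructed; SAMPLE_BLOB is the string quoted
in the answer."""
import os
import re
import tempfile

# Indicators from the answer: decoder functions used by backdoors, a
# JavaScript fragment that injects links, and a charset seen in a popular
# backdoor script.
INDICATORS = ["gzinflate", "base64_decode", "var el,ar,ar2", "Windows-1251"]

# A quoted run of 60 or more base64-alphabet characters.
LONG_BLOB = re.compile(r"""['"]([A-Za-z0-9+/=]{60,})['"]""")

SAMPLE_BLOB = "7b17f9vG0TD6d/v75TusEaYmE5KiZOcmWXJkSY59alt+JLlpXtmHBQlQQkUSDABKdl1/oPMZ3"


def scan_file(path):
    """Return (indicator strings found, number of long quoted blobs) for one file."""
    with open(path, "r", errors="replace") as f:
        text = f.read()
    hits = [ind for ind in INDICATORS if ind in text]
    return hits, len(LONG_BLOB.findall(text))


def scan_tree(root):
    """Like 'grep -r' over the whole tree: every file, whatever its extension."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hits, blob_count = scan_file(full)
            if hits or blob_count:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = {"indicators": hits, "long_blobs": blob_count}
    return findings


def rank(findings):
    """Order findings so a decoder call beside a long blob comes first; a bare
    base64_decode() with no blob is a normal, low-priority hit."""
    def score(item):
        info = item[1]
        return len(info["indicators"]) + (2 if info["long_blobs"] else 0)
    return sorted(findings.items(), key=score, reverse=True)


def write(root, rel, content):
    """Helper for the demo: create a file at a '/'-separated relative path."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo():
    """Constructed tree: a clean theme file, a legitimate short decoder use, an
    injected script, and one file shaped like the backdoors the answer describes."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "wp-content/themes/custom/footer.php", "<?php wp_footer(); ?>\n")
        write(root, "wp-includes/class-phpmailer.php",
              "<?php function decode($data) { return base64_decode($data); }\n")
        write(root, "wp-includes/js/inject.js", "var el,ar,ar2;\n")
        write(root, "wp-content/plugins/plugin.php",
              "<?php $p = gzinflate(base64_decode('" + SAMPLE_BLOB + "'));\n")
        return rank(scan_tree(root))


if __name__ == "__main__":
    for path, info in demo():
        print(path, info)
```

Point `scan_tree()` at the whole home directory, as the answer says, not only at wp-content; the top of the ranked list is the set of files worth opening in the editor. A file with an indicator but no blob still needs a glance, but the combination is what distinguishes a backdoor from a library that happens to decode base64.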


Lawrence Krubner comments:

Thanks, Ozh, that was informative. And of course we have shell access. We have 4 servers in the Rackspace Cloud. WPQuestions.com is on one of those servers. My personal site is on another of those sites.