Lee Kelleher’s Weblog

Just another WordPress.com weblog

My WordPress hacked by c99madshell script

with 6 comments

After all the excitement of last Friday’s attempted hack on my travelblog, and the subsequent upgrade to WordPress 2.6 - I thought everything was under control.  Boy was I wrong!

A few hours ago I received a blog comment (from a Mr Andrew Wong) on the travelblog:

http://www.lee-and-lucy.com/travelblog/index.php?p=5817
check this out!!

I clicked the link, and my jaw dropped!  It wasn’t an attempted hack, it was a very successful hack… I felt violated, in a digital sense.  The threat was far from over!

From looking through the WordPress management screens, I couldn’t find a blog post with the ID #5817.  I opened up phpMyAdmin to see if it was in the database; nope, nada, nothing!

I wanted to see the extent of the problem, so I googled “site:lee-and-lucy.com”, and found a “lot” of pages… oh yes, LOTS OF SPAM!

To say the least, I was furious!  I wanted to: a. resolve this ASAP; b. find out how this happened; c. cause pain to this would-be hacker!  Obviously, option c. goes against my good karma nature, but they digitally violated my site, sticking spam in places that spam should never go!!! Furious I tell you!

Digging through my WordPress files, I find a PHP script in my theme folder called “simple.php”; it contains a nested “eval(gzinflate(base64_decode()))” string.  Very suspect. I try to manually decode the string (replacing the eval with an echo), but it’s nested a few levels deep, so each pass only peels off one layer… so I found a snippet of code that would decode it all the way down.  (Swapping eval for echo still runs everything else in the file, so decoding the blob offline, away from the web server, is the safer way to do it.)
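As an added illustration of that decoding step (this is not the snippet the post refers to, and not part of the original post), the script below statically unwraps nested eval(gzinflate(base64_decode('…'))) layers in Python instead of running them through PHP. PHP’s gzinflate() is raw DEFLATE with no header, which is why zlib is called with negative wbits. The sample payload is constructed inline with a small wrap() helper that builds the same kind of wrapper the packers produce; the regex assumes the plain single-line form with single or double quotes and does not cover other packers (str_rot13, strrev, gzuncompress and so on).

```python
import base64
import re
import zlib

# One layer of the wrapper seen in the post:
#   eval(gzinflate(base64_decode('...')));
# Assumption: plain spacing and a quoted base64 blob. Real samples vary.
LAYER_RE = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)\s*\)\s*;?"""
)


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() == raw DEFLATE, no zlib/gzip header, hence wbits=-15."""
    return zlib.decompress(data, -zlib.MAX_WBITS)


def peel_layers(src: str, max_depth: int = 32) -> tuple[str, int]:
    """Unwrap nested eval(gzinflate(base64_decode('...'))) layers without
    executing anything. Returns (innermost source, number of layers removed).
    max_depth guards against a payload that decodes to itself forever."""
    depth = 0
    while depth < max_depth:
        m = LAYER_RE.search(src)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))  # packers sometimes line-wrap the blob
        src = gzinflate(base64.b64decode(blob)).decode("utf-8", errors="replace")
        depth += 1
    return src, depth


# --- constructed sample (not a real payload) -------------------------------
def wrap(php_src: str) -> str:
    """Build one obfuscation layer the way the packers do: raw DEFLATE,
    then base64, then the eval wrapper. Helper for the sample only."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = comp.compress(php_src.encode()) + comp.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()


# Stand-in for the shell body; a real sample would carry c99madshell here.
INNER = "$marker = 'constructed stand-in for the shell body';"
SAMPLE = "<?php\n" + wrap(wrap(wrap(INNER))) + "\n"


if __name__ == "__main__":
    body, layers = peel_layers(SAMPLE)
    print("layers removed:", layers)
    print(body)
```

Run it on a captured simple.php by reading the file into peel_layers(); the returned source is what the eval would have executed, and the layer count tells you how deep the packer went.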

The script turned out to be a modified version of c99madshell, specifically focused on WordPress hijacks.  The script tries to inject a small trojan snippet into one of the core WP files (for me it was “wp-blog-header.php”).  I removed the hijacked code, along with the “simple.php” file (from my theme folder), then re-upgraded to the latest WordPress (2.6)… just to overwrite any other tampered files.  Bear in mind that re-uploading a release only repairs files the release ships; anything the attacker dropped in (like simple.php) or changed under themes, plugins or uploads survives the overwrite and has to be found by hand, ideally by comparing the whole tree against a clean copy.
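An added example of that comparison (not the author’s procedure, and not part of the original post): hash every file under the installed site and under a pristine extract of the same WordPress release, then report what was modified, added or is missing. The point it makes is the one above: the injected line in wp-blog-header.php shows up as “modified” and is fixed by the re-upload, while simple.php shows up as “added” and would survive it. The two trees are constructed in a temp directory with placeholder contents; the paths mirror the post but the file bodies are assumptions, and the uploads prefix ignored by default is an assumption too.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def compare_trees(clean: Path, installed: Path,
                  ignore_prefixes: tuple[str, ...] = ("wp-content/uploads/",)) -> dict[str, list[str]]:
    """Classify the installed tree against a clean copy of the same release.
    'modified': ships with the release but differs (fixed by re-uploading).
    'added':    not in the release at all (a dropped shell; survives re-upload).
    'missing':  in the release but gone from the site.
    ignore_prefixes skips site content that is legitimately not in the release."""
    ref, cur = hash_tree(clean), hash_tree(installed)
    modified = sorted(f for f in cur if f in ref and cur[f] != ref[f])
    added = sorted(f for f in cur if f not in ref and not f.startswith(ignore_prefixes))
    missing = sorted(f for f in ref if f not in cur)
    return {"modified": modified, "added": added, "missing": missing}


# --- constructed sample: clean release vs tampered site ---------------------
def build_sample() -> tuple[Path, Path]:
    """Two throwaway trees mirroring the post: a trojan line appended to
    wp-blog-header.php and simple.php dropped into the theme folder.
    File bodies are placeholders, not real WordPress source."""
    base = Path(tempfile.mkdtemp())
    clean, site = base / "clean", base / "site"
    files = {
        "wp-blog-header.php": "<?php\nrequire_once('wp-load.php');\nwp();\n",
        "wp-load.php": "<?php\n// loader placeholder\n",
        "wp-content/themes/mytheme/index.php": "<?php get_header(); ?>\n",
    }
    for root in (clean, site):
        for rel, body in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    # Tamper only the installed copy.
    hdr = site / "wp-blog-header.php"
    hdr.write_text(hdr.read_text() + "eval(gzinflate(base64_decode('...')));  // placeholder\n")
    (site / "wp-content/themes/mytheme/simple.php").write_text("<?php /* dropped shell placeholder */\n")
    return clean, site


if __name__ == "__main__":
    clean, site = build_sample()
    for kind, names in compare_trees(clean, site).items():
        print(f"{kind:9s} {names}")
```

Against a real site, point clean at a fresh unzip of the exact version you run (the file set differs between releases) and installed at the web root; then read every “added” and “modified” file before deciding what to delete, since a legitimate plugin or theme will also appear under “added” unless its prefix is ignored.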

Hopefully this should be the end of this matter (until next time)….  I’ll be keeping a careful eye on my WordPress installations from now on.

Written by Lee Kelleher

July 22, 2008 at 12:35 am

6 Responses to 'My WordPress hacked by c99madshell script'


  1. Thanks for letting me know about the hack on my Blog Lee, I wouldn’t have even known if you hadn’t told me!

    I’m losing a bit of faith with WordPress. How the hell can a PHP script be violated? More than that, the simple.php code that got added, was that new code or is there a string entitled that by default and it was overwritten? If it isn’t part of the WordPress system then surely there should be code in place to check for extra strings within the database and flag up a warning if new code is added at least?!

    In this day and age upgrading should be a lot less of a hassle as well, seems things haven’t advanced that far concerning upgrading since the time I’ve been messing with websites/code, that’s a good 7 years or so!

    Ah well rant over, here’s hoping the latest version alleviates my grief with this thing lately, thanks again for your input Lee, that could have gotten out of hand big time on my site, as you say, checking for this stuff isn’t high on my priorities and we shouldn’t have to worry about it these days.

    Shane

    12 Aug 08 at 11:58 pm

  2. How many times do people need to have their wordpress hacked before they realize it’s an insecure piece of shit?

    CrustyAdmin

    15 Aug 08 at 6:55 am

  3. Once maybe?

    It’s a vicious circle… The more popular WordPress becomes, the bigger the target for crackers, hackers and spammers. It’s a victim of its own success.

    Once bitten, twice shy. Yes. Although the benefits of WordPress (compared to other blogging software I’ve used) far outweigh my need to have a 100% hardened blog/website.

    That’s the gamble that WordPress users are willing to take.

    Lee Kelleher

    15 Aug 08 at 8:10 am

  4. I guess, as I see it, it’s not worth the hassle. Blogger and WordPress.com both offer blogs with your own domain. At least then they have to take care of the patches and problems. Blogger can be FTP’d to your own host as well if you prefer to host your own.

    You’re right though, with WP everyone is so taken by the fact that there are a gazillion cool plugins, they overlook security problems.

    resistancetrainer

    24 Aug 08 at 6:32 am

  5. [...] think this is no big deal here is a few links for you.. Al Gore’s Blog Hacked | WordPress Hacked My WordPress hacked by c99madshell script Lee Kelleher’s Weblog For those of you that dont know what a c99 file is then I will explain it in simple terms. [...]

  6. @resistancetrainer exactly! That’s why my blog is at WordPress.com with a custom domain… hassle free blogging (when I get around to doing it).

    Lee Kelleher

    5 Nov 08 at 1:34 pm
