Fix the latest WordPress hack

Latest update to this is at the bottom of the post.

Both Marketing Over Coffee and my blog are getting nailed with this hack described by Chris Pearson.

Here’s the solution for tackling it, for the moment, until the attack adapts. Log into your MySQL database (most hosts provide this via phpMyAdmin) and execute this query, substituting your own table prefix for csp891_ (the default prefix is wp_):

SELECT * FROM `csp891_options` WHERE option_name LIKE 'rss%' ORDER BY option_name ASC

You should see only a few entries unless you use syndication software like SimplePie. What you’re looking for is an entry whose name starts with rss_ followed by some random numbers. The value of the entry is encoded JavaScript, which looks like this:

FFPJ1JpnyfUnpDzz3h9tfaI92uDvyD/Of+r4XyJ2f2Uev6U539WDM39kP10QFLP53+Y5BaX3+0/a03rZ0
0nKX5Na27hXdOSw17TGuO7pDWt/+Na0+lVHHdrWrScqzVqdysqybmiWvILqqXzn5L+ehyvSzriIZHsf
oIiUKwlJvcjvH69FR7SHB4UNXyXOaZw+ivT8dhjkZ6rtGj+PPJRMlCW5ePEZVlLOj8YkgL80/26Luefq
VXgStMY/Afw/

which goes on and on for a bit.

Delete this entry. It should be safe to do so (back up your WordPress first).

Keep an eye on your MySQL database as well, because this entry may reappear: no one is sure how this hack is happening, just that it is.
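As an added example (not code from the original post), here is a broader sweep of the same options table than the single rss% query above. It assumes the table name csp891_options used in this post (substitute your own prefix) and takes the extra option names and the '%pharm%' value search from reports in the comments further down.

```sql
-- Added example, not from the original post. Assumes the options table is
-- csp891_options (substitute your own prefix). Take a full database backup
-- (mysqldump or a phpMyAdmin export) before running step 4.

-- 1. Suspicious option NAMES: the rss_<32 hex chars> entry from the post,
--    plus the names reported in the comments as not native to WordPress.
SELECT option_id, option_name,
       LENGTH(option_value)   AS value_len,
       LEFT(option_value, 60) AS value_preview
FROM `csp891_options`
WHERE option_name REGEXP '^rss_[0-9a-f]{32}$'
   OR option_name IN ('wp_check_hash', 'class_generic_support',
                      'widget_generic_support')
ORDER BY option_name;

-- 2. Suspicious option VALUES regardless of name: a long, unbroken run of
--    base64 characters like the sample in the post. Legitimate WordPress
--    options are short strings or serialized PHP arrays (which contain
--    ':' and '{'), so they do not match this pattern. Review these hits by
--    hand and add their option_id to step 4 only if they are clearly junk.
SELECT option_id, option_name, LENGTH(option_value) AS value_len
FROM `csp891_options`
WHERE LENGTH(option_value) > 500
  AND option_value REGEXP '^[A-Za-z0-9+/=]+$'
ORDER BY value_len DESC;

-- 3. Cloaked content: the injected pharma text that only search-engine bots
--    see (the '%pharm%' search a commenter used, widened to the name too).
SELECT option_id, option_name, LENGTH(option_value) AS value_len
FROM `csp891_options`
WHERE option_value LIKE '%pharm%'
   OR option_name  LIKE '%pharm%';

-- 4. Quarantine, then delete. Copying the rows to a side table keeps the
--    payload for review (and restore, if one was a false positive) without
--    leaving it live. LIKE copies the table structure including the unique
--    key on option_name, so INSERT IGNORE lets this step be re-run when the
--    entry reappears, as the post says it does within minutes while the
--    backdoor is still in place.
CREATE TABLE IF NOT EXISTS `csp891_options_quarantine` LIKE `csp891_options`;

INSERT IGNORE INTO `csp891_options_quarantine`
SELECT * FROM `csp891_options`
WHERE option_name REGEXP '^rss_[0-9a-f]{32}$'
   OR option_name IN ('wp_check_hash', 'class_generic_support',
                      'widget_generic_support');

DELETE FROM `csp891_options`
WHERE option_name REGEXP '^rss_[0-9a-f]{32}$'
   OR option_name IN ('wp_check_hash', 'class_generic_support',
                      'widget_generic_support');

-- Re-run steps 1 to 3 after a few minutes: if the rows come back, the
-- database is only the symptom and the file system still holds the backdoor.
```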

UPDATE 4/9:

This hack is recurring almost daily. I’m not sure what the entry point is. That said, I have two suspicions I’m testing right now. The first is a note from reader Ivan Walsh who said that I’m getting some bizarre images in my image loader on the front page of the blog. That image stuff is controlled by TimThumb via this theme, so I patched TimThumb manually from their SVN repository to the latest version 1.12. We’ll see if that makes a difference there.

The second update I made is based on a hunch from the database hack itself: it’s inserting as an RSS option. Here’s the thing, which users of FeedWordPress know but not everyone else does: WordPress ships with a version of Magpie, and it is an old, out-of-date, broken version. If you grab the FeedWordPress plugin from the Codex and follow JUST the Magpie upgrade install, this should bring those two files, rss.php and rss-functions.php, up to date. Again, we’ll see if this makes a difference.

For those other folks getting hacked – are you using TimThumb? Have you patched rss.php and rss-functions.php? Any more success or failure?

UPDATE 4/12:

Neither updating TimThumb nor Magpie made a difference. The hacked string showed up in the database not an hour after. So, now using some .htaccess mojo to lock down wp-admin. We’ll see if this works.

UPDATE 4/12:

After slapping .htaccess on wp-admin, the hack is still re-occurring. The plot thickens.

UPDATE 4/13:

Cautious optimism. Here’s what I’ve done in the last 24 hours since I received a warning via Google’s Webmaster tools that my site has been pulled from their index for cloaking.

  • Installed the Secure WordPress plugin and turned all options on
  • Renamed all database table prefixes (which was fairly unpleasant to do by hand)
  • Dropped all non-essential tables (especially leftovers from old plugins)
  • Removed a bunch of plugins I’m not using any more
  • Reinstalled a fresh copy of WordPress
  • Upgraded my theme to the latest release
  • Fixed lingering file permissions highlighted by the WP Security Scan plugin
  • Ran an optimize on all remaining tables in MySQL

So far, I’m cautiously optimistic – the RSS data entry has not reappeared yet, and it’s been nearly instantaneous in the past.

UPDATE 4/14:

So far, the hack has not re-occurred. Also, Matt from WordPress has come out with an official statement saying that this is a server-level hack, which means that you need to strictly enforce permissions: set wp-config.php to 640 and tighten down any other file-based permissions. That makes total sense, as the database credentials are stored in wp-config.php, so make sure that’s locked down.

So, the recipe for the time being seems to be: lock down permissions using one of the many security plugins out there, tighten down wp-config.php, clean up your database using MySQL’s tools (or phpMyAdmin, depending on your host), and keep an eye on things. If your site runs clean, log into Google’s Webmaster Tools and submit your site for reinclusion in Google’s index. If you kept confidential customer information on your web site, you MUST assume it has been compromised and notify customers as appropriate.

I’ll add this last bit in: I have absolutely no capacity to offer any kind of help, unfortunately, to folks who have had this happen to them. That said, my assistant, Chel Wolverton, is able to help you out with this if you can’t do it yourself.


Get this and other great articles from the source at www.ChristopherSPenn.com! Want to take your conference or event to the next level? Book me to speak and get the same quality information on stage as you do on this blog.

  • Pingback: New Wordpress Hack » jon davito | no sotto voce()

  • Pingback: Important: Fix for Recent WordPress Google Index Cloaking Hack » Radish!()

  • http://paulgailey.com/ Paul Gailey

    It's great to get wind of this #wordpress security issue by reading your blog by sheer (&delightful) chance, however I'm surprised that @wordpress on Twitter doesn't talk about this. Even internet brands need to step outside their comfort zone boltholes to communicate widely. (I'm sure I'll now get spanked that it was published in some bug what not IRC channel or whatever obscure geek backwater…)

  • http://www.ivanwalsh.com Ivan Walsh

    your rotating image is showing code again…

  • Pingback: WordPress Hacked! Virus Cloaks Search Engines — TECH cocktail()

  • http://www.zone38.net/ codeman38

    Just a quick thing that may be worth noting – if you copy and paste the SQL code from this page, it won't work because of WordPress converting the quotation marks to smart quotes.

  • mwaterous

    @author,

    I'm not a security expert, but it might be worthwhile to download a copy of your WP installation, install a clean copy and then run a diff against both to look for injected code or files that shouldn't be there. You could probably use software like WinMerge if you're on MS locally.

    @Paul,

    This is because they're looking into it. The code of conduct for WordPress is that hacks and security breaches are to be reported to [email protected], as per this FAQ. Until it is a) confirmed that it is a WordPress security breach and not just a lack of security on the host, and b) a fix is found they prefer not to advertise it and basically invite all the script kiddiez in the realm to try their hand at it.

  • http://twitter.com/andrewstrader Andrew Strader

    Do you think it could be caused by a backdoor in a plugin? I know we all download and install tons of plugins, but how often does anyone review the source code for one of them to see if there are any security issues with it?

  • http://www.njnnetwork.com/ Stephen Pate

    It would be nice if you dated your posts so we can tell if you are talking about now or history

  • http://twitter.com/MillerMosaicLLC Yael K. Miller

    I tried to execute the query but it didn't work. What am I doing wrong? http://twitpic.com/1eqrt4

  • http://www.ChristopherSPenn.com Christopher S. Penn

    It's now. For now.

  • http://www.ChristopherSPenn.com Christopher S. Penn

    It looks like your options table might not be named wp_options?

  • Rafael

    I had my site hacked and a backdoor placed in wp-content/themes/default/xmlrp.php
    Everyone should do a grep for base64 encoded content in php files. That's what I found.

  • http://twitter.com/MillerMosaicLLC Yael K. Miller

    My options table is named wp_options

  • http://webandyou.avelient.com Mariano

    I've read the fix to be related to permissions on the wp-config.php file. Generally most hosts don't install this with a high level of protection. Set your file permission to 640 (owner: rw, group: r, everyone: nil), then change your database password, and then clean out the malicious code. See if that helps.

  • JD

    Several people I have pointed this site to have said linking to it attempts to install malware on their computer – FYI

  • http://www.ChristopherSPenn.com Christopher S. Penn

    Yes, part of the hack. Hopefully, I've finally nailed the sucker.

  • http://www.ChristopherSPenn.com Christopher S. Penn

    Good suggestion, I'll throw that in.

  • Pingback: beafraid.com » unplanned maintenance()

  • gravity

    I didn't have this hack according to your identification method with the bizarre RSS% entry.

    I'm on a dedicated server, which is hardened by LiquidWeb before commissioning, and on which I had already changed the db prefix from default, already had “Login Lockdown” plugin installed and passed all of the “WP Security Scan” checks.

    I did install “Secure WordPress” though, regardless.

    I have no idea if I'm immune or just lucky, and sorry to hear about the troubles you had.

  • http://carlislegrp.com/blog CarlisleGroup

    Hi Chris,

    I've had a hack on one of my wife's blogs for a couple of months, since v2.7 I think. It's almost a daily battle. It started with a user access that left a comment. It's been locked down, but still keeps getting compromised. I've gone into the MySQL with both PHPAdmin, HeidiSQL and other tools to sniff out the problem. I've read somewhere that there is a way to mask an entry so that PHPAdmin doesn't “see” it. Something about creating a table that doesn't show up in the SQL tools.

    So, I've moved all of my, and my client's blogs, websites, everything, off WordPress. I first got that idea from Robert Scoble. It was a painful decision that took a couple of weeks to make (while I cleaned websites daily), and more weeks to accomplish. Here's the link http://scobleizer.com/2009/09/05/i-dont-feel-sa…. Also, in his comments, someone pointed out the PHPAdmin vulnerability.

    I'm not being an alarmist, I just feel like I would rather spend my time on more productive things than battling it out with a server somewhere half-way-around-the-globe that is trying to infect my website.

  • http://kikolani.com/ Kristi Hines

    The last time there was a major WP hack, I found the backdoor into my site was a php file in all of my images folders (between the plugins, themes, and uploads, there were a lot). So until I deleted those, it kept re-inserting the code every chance it got.

  • Corey

    I had the exact same problem, with the same injected rss_ field in my wp_options table. After digging around forever, changing passwords, updating wordpress, changing database permissions and splitting out database users, deleting spam comments, disabling various wp-include files, etc. it ended up being the WP-Super Cache plugin. I deleted the plugin directory (after being prompted that I didn't have permissions to do so), and deleted that injected rss record, and it hasn't come back in 17 hours.

  • Pingback: Google Cloaking Hack Targeting WordPress & How to Fix It | WPblogger()

  • http://reface.me/ dwergs

    Great tip, but how can I search specifically for base64 encoded content?

  • http://sucuri.net David

    One thing that you didn't mention was changing the secret keys. If the attackers were able to login at that time, they might still have access via the old cookies. So change the keys asap. This link explains:

    http://sucuri.net/?page=docs&title=changing-wor

  • http://chuckreynolds.us Chuck Reynolds

    So this is a tricky one. Friend of mine's site has this issue and she gave me ftp and a sql dump to look at.

    Found in the /wp-content/themes/index.php was some code added (posted here: http://pastebin.com/imT841ph )

    Also, I removed about 4 rss.php files from the root… didn't look in them before I trashed em

    Database: Removed wp_options
    INSERT INTO wp_options
    VALUES (49369, 0, rss_7988287cd8f4f531c6b94fbdbc4e1caf, rL1bjvTKkqU3lx6B3y+1R9OQGsKBBEhQS0/Cmb……… goes on forever

    So what that does is, when viewed with google bot, it removes the drug names from the posts but leaves numbers all over the site… like 50303 between text, at the top of the page, all over the place… and some or all body text is strike or line-through; in css….
    So it seems removing that only removes part of it…. because within minutes – the drug names are back in and the numbers all over are gone and it starts over.

    I've changed the security keys in wp-config…
    I've chmodded everything to proper
    I've removed both wp-admin and wp-includes directory, and uploaded fresh from source

    My next move for them is to install a fresh version of WP, take that wp_options table and completely wipe the one they're using now and use the new one. Reinstall the plugins and reset up the settings… In theory that should work.

    They have so much old plugin data in the sql file I can hardly get through it all… Hopefully that works.

    • http://www.coloneltiki.com Craig Hermann

      Chuck, I’m having the same issue – I cannot find what must be the last bad file/insert, security keys changed, chmodded everything, removed bad wp_options, &c.

      I still have the random text (1a 6b 347 …) spread throughout the version of my pages pulled by SE bots…

      did you find anything else?

  • http://chuckreynolds.us Chuck Reynolds

    2nd post…. actually found more crap in the database

    search options table for these:

    wp_check_hash
    class_generic_support
    rss_%
    widget_generic_support

    They all have a TON of encoded crap in them and are not native to WP… the last one widget_generic_support didn't have any data in it but isn't supposed to be there

    Also found, after I found these, this post which also says to check your akismet plugin directory for xtra files.
    http://www.pearsonified.com/2010/04/wordpress-p

    Cheers guys – hope that helps

  • http://chuckreynolds.us Chuck Reynolds

    So the entry in the options table is not coming back, but the strike text and random numbers all over the visible area is still happening while viewing as Google bot.

    No time to look at it because I'm traveling, but they got somebody else helping out – hopefully he can figure out the rest of it. If so I'll post it here

  • http://www.animepalm.com/ Anime

    Holy crap.. I haven't had this happen to me, but after reading all the crap you went through, I hope it never does. Man…. I'm guessing since your blog is still up, you got it sorted, so grats, but damn, I feel really sorry for you.

  • Pingback: WP Super Cache Hacked and Cloaked my Site! | Take me to your Leader!()

  • Cory

    Ok, I had this issue too and it kept coming back. Every time I went into Google Webmaster Tools and did a “Fetch As Google Bot” it came up with the stupid hacked stuff still there.

    Finally, I did this:

    SELECT * FROM `wp_options` WHERE option_value LIKE '%pharm%'

    I found another entry with a lot of other cache junk. When I deleted it, immediately it was removed from google webmaster tools “fetch as google bot”. Now, it's only been a few minutes so I'll come back tomorrow and let you know if it's gone for good. Gosh I hope this is it. This has been a nightmare!

  • http://s4xton.com/ Aaron Landry

    Just wanted to say thanks. Same thing happened to me and it took a bit of googling to find the right solution. You led me down the right path and I think I'm fixed up now. Cheers.

  • Pingback: Wordpress Hack Terrifies Webmasters()

  • Pingback: We were hacked. GoDaddy sites with WordPress Targeted | Mark8t: SEO, SEM, E-Marketing And More()