Fix the latest WordPress hack

Warning: this content is older than 365 days. It may be out of date and no longer relevant.

Latest update to this is at the bottom of the post.

Both Marketing Over Coffee and my blog are getting nailed with this hack described by Chris Pearson.

Here’s the solution for tackling it, for the moment, until the attack adapts. Log into your MySQL database (most hosts have this via PHPmyAdmin) and execute this query:

SELECT * FROM `csp891_options` where option_name like ‘rss%’ ORDER BY `csp891_options`.`option_name` ASC

You should see only a few entries unless you use syndication software like SimplePie. What you’re looking for is an entry that starts with rss_ and then some random numbers. The text of the entry is encoded javascript, which looks like this:

FFPJ1JpnyfUnpDzz3h9tfaI92uDvyD/Of+r4XyJ2f2Uev6U539WDM39kP10QFLP53+Y5BaX3+0/a03rZ0
0nKX5Na27hXdOSw17TGuO7pDWt/+Na0+lVHHdrWrScqzVqdysqybmiWvILqqXzn5L+ehyvSzriIZHsf
oIiUKwlJvcjvH69FR7SHB4UNXyXOaZw+ivT8dhjkZ6rtGj+PPJRMlCW5ePEZVlLOj8YkgL80/26Luefq
VXgStMY/Afw/

which goes on and on for a bit.

Delete this entry. It should be safe to do so (back up your WordPress first).

Keep an eye on your MySQL database as well for this entry to reoccur since no one is sure how this hack is happening, just that it is.

UPDATE 4/9:

This hack is recurring almost daily. I’m not sure what the entry point is. That said, I have two suspicions I’m testing right now. The first is a note from reader Ivan Walsh who said that I’m getting some bizarre images in my image loader on the front page of the blog. That image stuff is controlled by TimThumb via this theme, so I patched TimThumb manually from their SVN repository to the latest version 1.12. We’ll see if that makes a difference there.

The second update I made is based on a hunch from the database hack itself – it’s inserting as an RSS option. Here’s the thing, which users of FeedWordpress know but not necessarily everyone else – WordPress ships with a version of Magpie. An old, out of date, broken version. If you grab the FeedWordpress plugin from the Codex and follow JUST the Magpie upgrade install, this should get those two files, rss.php and rss-functions.php, up to date. Again, we’ll see if this makes a difference.

For those other folks getting hacked – are you using TimThumb? Have you patched rss.php and rss-functions.php? Any more success or failure?

UPDATE 4/12:

Neither updating TimThumb nor Magpie made a difference. The hacked string showed up in the database not an hour after. So, now using some .htaccess mojo to lock down wp-admin. We’ll see if this works.

UPDATE 4/12:

After slapping .htaccess on wp-admin, the hack is still re-occurring. The plot thickens.

UPDATE 4/13:

Cautious optimism. Here’s what I’ve done in the last 24 hours since I received a warning via Google’s Webmaster tools that my site has been pulled from their index for cloaking.

  • Installed the Secure WordPress plugin and turned all options on.
  • Renamed all database table prefixes (which was fairly unpleasant to do by hand)
  • Drop all non-essential tables (especially leftovers from old plugins)
  • Removed a bunch of plugins I’m not using any more
  • Reinstalled a fresh copy of WordPress
  • Upgraded my theme to the latest release
  • Fixed lingering file permissions highlighted by the WP Security Scan plugin
  • Run an optimize on all remaining tables in MySQL

So far, I’m cautiously optimistic – the RSS data entry has not reappeared yet, and it’s been nearly instantaneous in the past.

UPDATE 4/14:

So far, the hack has not re-occurred. Also, Matt from WordPress has come out with an official statement saying that this is a server-level hack, which means that you need to strictly enforce permissions and set wp-config.php to 640 as well as tighten down any other file-based permissions. That makes total sense as the database information is encoded in wp-config.php, so make sure that’s locked down.

So, the recipe for the time being seems to be to lock down permissions using some of the many security plugins out there, tighten down wp-options.php, clean up your database using MySQL’s tools (or phpMyAdmin, depending on your host), and keep an eye on things. If your site runs clean, then make sure that you log into Google’s Webmaster Tools and submit your site for reinclusion in Google’s index. If you kept confidential customer information on your web site, you MUST assume it has been compromised and notify customers as appropriate.

I’ll add this last bit in: I have absolutely no capacity to offer any kind of help, unfortunately, to folks who have had this happen to them. That said, my assistant, someone, is able to help you out with this if you can’t do it yourself.


Did you enjoy this blog post? If so, please subscribe right now!

Fix the latest Wordpress hack 1 Fix the latest Wordpress hack 2 Fix the latest Wordpress hack 3

Get this and other great articles from the source at www.ChristopherSPenn.com! Want to take your conference or event to the next level? Book me to speak and get the same quality information on stage as you do on this blog.


Comments

63 responses to “Fix the latest WordPress hack”

  1. […] Christopher S. Penn describes how to find and remove the WP hack in this post. […]

  2. […] had a post about the problem and recently also introduced a fix from Christopher S. Penn. I had previously removed any obvious references to viagra and other drugs from the database using […]

  3. It´s great to get wind of this #wordpress security issue by reading your blog by sheer (&delightful) chance, however I´m suprised that @wordpress on Twitter doesn´t talk about this. Even internet brands need to step outside their comfort zone boltholes to communicate widely. (I´m sure I´ll now get spanked that it was published in some bug what not IRC channel or whatever obscure geek backwater…)

  4. It´s great to get wind of this #wordpress security issue by reading your blog by sheer (&delightful) chance, however I´m suprised that @wordpress on Twitter doesn´t talk about this. Even internet brands need to step outside their comfort zone boltholes to communicate widely. (I´m sure I´ll now get spanked that it was published in some bug what not IRC channel or whatever obscure geek backwater…)

  5. your rotating image is showing code again…

  6. your rotating image is showing code again…

  7. […] several prominent sites and dozens if not hundreds of others. Thankfully, Christopher Penn shared how to clean up the virus. The hack was covered on ThemeLab.com including details about it in the video […]

  8. Just a quick thing that may be worth noting – if you copy and paste the SQL code from this page, it won't work because of WordPress converting the quotation marks to smart quotes.

  9. Just a quick thing that may be worth noting – if you copy and paste the SQL code from this page, it won’t work because of WordPress converting the quotation marks to smart quotes.

  10. mwaterous Avatar
    mwaterous

    @author,

    I'm not a security expert, but it might be worthwhile to download a copy of your WP installation, install a clean copy and then run a diff against both to look for injected code or files that shouldn't be there. You could probably use software like WinMerge if you're on MS locally.

    @Paul,

    This is because they're looking into it. The code of conduct for WordPress is that hacks and security breaches are to be reported to [email protected], as per this FAQ. Until it is a) confirmed that it is a WordPress security breach and not just a lack of security on the host, and b) a fix is found they prefer not to advertise it and basically invite all the script kiddiez in the realm to try their hand at it.

  11. @author,

    I’m not a security expert, but it might be worthwhile to download a copy of your WP installation, install a clean copy and then run a diff against both to look for injected code or files that shouldn’t be there. You could probably use software like WinMerge if you’re on MS locally.

    @Paul,

    This is because they’re looking into it. The code of conduct for WordPress is that hacks and security breaches are to be reported to [email protected], as per this FAQ. Until it is a) confirmed that it is a WordPress security breach and not just a lack of security on the host, and b) a fix is found they prefer not to advertise it and basically invite all the script kiddiez in the realm to try their hand at it.

  12. Do you think it could caused by a backdoor in a plugin? I know we all download and install tons of plugins, but how often does anyone review the source code for one of them to see if there are any security issues with it?

  13. Do you think it could caused by a backdoor in a plugin? I know we all download and install tons of plugins, but how often does anyone review the source code for one of them to see if there are any security issues with it?

  14. It would be nice if you dated your posts so we can tell if you are talking about now or history

  15. I tried to execute the query but it didn't work. What am I doing wrong? http://twitpic.com/1eqrt4

  16. It would be nice if you dated your posts so we can tell if you are talking about now or history

  17. I tried to execute the query but it didn't work. What am I doing wrong? http://twitpic.com/1eqrt4

  18. It looks like your options table might not be named csp891_options?

  19. It looks like your options table might not be named wp_options?

  20. I had my site hacked and a backdoor placed in wp-content/themes/default/xmlrp.php
    Everyone should do a grep for base64 encoded content in php files. That's what I found.

  21. I had my site hacked and a backdoor placed in wp-content/themes/default/xmlrp.php
    Everyone should do a grep for base64 encoded content in php files. That's what I found.

  22. My options table is named csp891_options

  23. My options table is named wp_options

  24. I've read the fix to be related to permissions on the wp-config.php file. Generally most hosts don't install this with a high level of protection. Set your file permission to 640 (owner: rw, group: r, everyone:nill), then change your database password, and then clean out the malicious code. See if that helps.

  25. several people I have point this site to have said linking to it attempts to install maleware on thier computer – FYI

  26. Yes, part of the hack. Hopefully, I've finally nailed the sucker.

  27. Good suggestion, i'll throw that in.

  28. […] ghacks.net story * Trend Micro Coverage * Network Solutions * Christopher S Penn’s Coverage […]

  29. gravity Avatar
    gravity

    I didn't have this hack according to your identification method with the bizarre RSS% entry.

    I'm on a dedicated server, which is hardened by LiquidWeb before commissioning, and on which I had already changed the db prefix from default, already had “Login Lockdown” plugin installed and passed all of the “WP Security Scan” checks.

    I did install “Secure WordPress” though, regardless.

    I have no idea if I'm immune or just lucky, and sorry to hear about the troubles you had.

  30. I've read the fix to be related to permissions on the wp-config.php file. Generally most hosts don't install this with a high level of protection. Set your file permission to 640 (owner: rw, group: r, everyone:nill), then change your database password, and then clean out the malicious code. See if that helps.

  31. several people I have point this site to have said linking to it attempts to install maleware on thier computer – FYI

  32. Yes, part of the hack. Hopefully, I've finally nailed the sucker.

  33. Good suggestion, i'll throw that in.

  34. Hi Chris,

    I've had a hack on one of my wife's blogs for a couple of months, since v2.7 I think. It's almost a daily battle. It started with a user access that left a comment. It's been locked down, but still keeps getting compromised. I've gone into the MySQL with both PHPAdmin, HeidiSQL and other tools to sniff out the problem. I've read somewhere that there is a way to mask an entry so that PHPAdmin doesn't “see” it. Something about creating a table that doesn't show up in the SQL tools.

    So, I've moved all of my, and my client's blogs, websites, everything, off WordPress. I first got that idea from Robert Scoble. It was a painful decision that took a couple of weeks to make (while I cleaned websites daily), and more weeks to accomplish. Here's the link http://scobleizer.com/2009/09/05/i-dont-feel-sa…. Also, in his comments, someone pointed out the PHPAdmin vulnerability.

    I'm not being an alarmist, I just feel like I would rather spend my time on more productive things than battling it out with a server somewhere half-way-around-the-globe that is trying to infect my website.

  35. gravity Avatar
    gravity

    I didn’t have this hack according to your identification method with the bizarre RSS% entry.

    I’m on a dedicated server, which is hardened by LiquidWeb before commissioning, and on which I had already changed the db prefix from default, already had “Login Lockdown” plugin installed and passed all of the “WP Security Scan” checks.

    I did install “Secure WordPress” though, regardless.

    I have no idea if I’m immune or just lucky, and sorry to hear about the troubles you had.

  36. The last time there was a major WP hack, I found the backdoor into my site was a php file in all of my images folders (between the plugins, themes, and uploads, there were a lot). So until I deleted those, it kept re-inserting the code every chance it got.

  37. I had the exact same problem, with the same injected rss_ field in my wp_options table. After digging around forever, changing passwords, updating wordpress, changing database permissions and splitting out database users, deleting spam comments, disabling various wp-include files, etc. it ended up being the WP-Super Cache plugin. I deleted the plugin directory (after being prompted that I didn’t have permissions to do so), and deleted that injected rss record, and it hasn’t come back in 17 hours.

  38. The last time there was a major WP hack, I found the backdoor into my site was a php file in all of my images folders (between the plugins, themes, and uploads, there were a lot). So until I deleted those, it kept re-inserting the code every chance it got.

  39. […] II: The RSS file seems to have been the culprit for several other sites as well. Christopher Penn (it seems this hacker picked the wrong Christophers to mess with) has a tip on how to fix […]

  40. Great tip, but how can I search specifically for base64 encoded content?

  41. Great tip, but how can I search specifically for base64 encoded content?

  42. One thing that you didn't mention was changing the secret keys. If the attackers were able to login at that time, they might still have access via the old cookies. So change the keys asap. This link explains:

    http://sucuri.net/?page=docs&title=changing-wor

  43. One thing that you didn't mention was changing the secret keys. If the attackers were able to login at that time, they might still have access via the old cookies. So change the keys asap. This link explains:

    http://sucuri.net/?page=docs&title=changing-wor

  44. So this is a tricky one. Friend of mine's site has this issue and she gave me ftp and a sql dump to look at.

    Found in the /wp-content/themes/index.php was some code added (posted here: http://pastebin.com/imT841ph )

    Also, I removed about 4 rss.php files from the root… didn't look in them before I trashed em

    Database: Removed csp891_options
    INSERT INTO csp891_options
    VALUES (49369, 0, rss_7988287cd8f4f531c6b94fbdbc4e1caf, rL1bjvTKkqU3lx6B3y+1R9OQGsKBBEhQS0/Cmb……… goes on forever

    So what that does is, when viewed with google bot, it removes the drug names from the posts but leaves numbers all over the site… like 50303 between text, at the top of the page, all over the place… and some or all body text is strike or line-through; in css….
    So it seems removing that only removes part of it…. because within minutes – the drug names are back in and the numbers all over are gone and it starts over.

    I've changed the security keys in wp-config…
    I've chmodded everything to proper
    I've removed both wp-admin and wp-includes directory, and uploaded fresh from source

    My next move for them is to install a fresh version of WP, take that csp891_options table and completely wipe the one they're using now and use the new one. Reinstall the plugins and reset up the settings… In theory that should work.

    They have so much old plugin data in the sql file I can hardly get through it all… Hopefully that works.

  45. 2nd post…. actually found more crap in the database

    search options table for these:

    csp891_check_hash
    class_generic_support
    rss_%
    widget_generic_support

    They all have a TON of encoded crap in them and are not native to WP… the last one widget_generic_support didn't have any data in it but isn't supposed to be there

    Also found, after I found these, this post which also says to check your akismet plugin directory for xtra files.
    http://www.pearsonified.com/2010/04/wordpress-p

    Cheers guys – hope that helps

  46. 2nd post…. actually found more crap in the database

    search options table for these:

    wp_check_hash
    class_generic_support
    rss_%
    widget_generic_support

    They all have a TON of encoded crap in them and are not native to WP… the last one widget_generic_support didn’t have any data in it but isn’t supposed to be there

    Also found, after I found these, this post which also says to check your akismet plugin directory for xtra files.
    http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php

    Cheers guys – hope that helps

  47. So this is a tricky one. Friend of mine's site has this issue and she gave me ftp and a sql dump to look at.

    Found in the /wp-content/themes/index.php was some code added (posted here: http://pastebin.com/imT841ph )

    Also, I removed about 4 rss.php files from the root… didn't look in them before I trashed em

    Database: Removed wp_options
    INSERT INTO wp_options
    VALUES (49369, 0, rss_7988287cd8f4f531c6b94fbdbc4e1caf, rL1bjvTKkqU3lx6B3y+1R9OQGsKBBEhQS0/Cmb……… goes on forever

    So what that does is, when viewed with google bot, it removes the drug names from the posts but leaves numbers all over the site… like 50303 between text, at the top of the page, all over the place… and some or all body text is strike or line-through; in css….
    So it seems removing that only removes part of it…. because within minutes – the drug names are back in and the numbers all over are gone and it starts over.

    I've changed the security keys in wp-config…
    I've chmodded everything to proper
    I've removed both wp-admin and wp-includes directory, and uploaded fresh from source

    My next move for them is to install a fresh version of WP, take that wp_options table and completely wipe the one they're using now and use the new one. Reinstall the plugins and reset up the settings… In theory that should work.

    They have so much old plugin data in the sql file I can hardly get through it all… Hopefully that works.

    1. Chuck, I’m having the same issue – I cannot find what must be the last bad file/insert, security keys changed, chmodded everything, removed bad wp_options, &c.

      I still have the random text (1a 6b 347 …) spread throughout the version of my pages pulled by SE bots…

      did you find anything else?

  48. so the entry in options table is not coming back but the strike text and random numbers all over the visible area is still happening while viewing as google bot.

    No time to look at it cause i'm traveling but they got somebody else helping out – hopefully he can figure out the rest of it. IF so I'll post it here

  49. so the entry in options table is not coming back but the strike text and random numbers all over the visible area is still happening while viewing as google bot.

    No time to look at it cause i'm traveling but they got somebody else helping out – hopefully he can figure out the rest of it. IF so I'll post it here

  50. Holy crap.. I haven't had this happen to me, but after reading all the crap you went through, I hope it never does. Man…. I'm guessing since you're blog is still up, you got it sorted, so grats, but damn, I feel really sorry for you.

  51. Holy crap.. I haven't had this happen to me, but after reading all the crap you went through, I hope it never does. Man…. I'm guessing since you're blog is still up, you got it sorted, so grats, but damn, I feel really sorry for you.

  52. […] WordPress being hacked right at the same time I activated it … Some reading here, and here. Anyone running WP suffered this hack? How did you solve […]

  53. Ok, I had this issue too and it kept coming back. Every time I went into Google Webmaster Tools and did a “Fetch As Google Bot” it came up with the stupid hacked stuff still there.

    Finally, I did this:

    SELECT * FROM `csp891_options` WHERE option_value LIKE '%pharm%'

    I found another entry with a lot of other cache junk. When I deleted it, immediately it was removed from google webmaster tools “fetch as google bot”. Now, it's only been a few minutes so I'll come back tomorrow and let you know if it's gone for good. Gosh I hope this is it. This has been a nightmare!

  54. Ok, I had this issue too and it kept coming back. Every time I went into Google Webmaster Tools and did a “Fetch As Google Bot” it came up with the stupid hacked stuff still there.

    Finally, I did this:

    SELECT * FROM `wp_options` WHERE option_value LIKE '%pharm%'

    I found another entry with a lot of other cache junk. When I deleted it, immediately it was removed from google webmaster tools “fetch as google bot”. Now, it's only been a few minutes so I'll come back tomorrow and let you know if it's gone for good. Gosh I hope this is it. This has been a nightmare!

  55. Just wanted to say thanks. Same thing happened to me and it took a bit of googling to find the right solution. You lead me down the right path and I think I'm fixed up now. Cheers.

  56. Just wanted to say thanks. Same thing happened to me and it took a bit of googling to find the right solution. You lead me down the right path and I think I'm fixed up now. Cheers.

  57. Just wanted to say thanks. Same thing happened to me and it took a bit of googling to find the right solution. You lead me down the right path and I think I'm fixed up now. Cheers.

  58. […] Solutions or VPS.net indicated that the attack was not web hoster specific.Fast forward to April 6. Christopher Penn discovered that his blog had been compromised. He found out that the hack on his site injected a […]

  59. […] want to thank the following people who made things a bit easier for us: This article by Chris outlining his recovery from a hack, the superb help by Sucuri and great support from […]

Leave a Reply

Your email address will not be published. Required fields are marked *

Pin It on Pinterest

Shares
Share This