To my greatest surprise, I discovered this blog running on WordPress had been hacked! It started off with a Google quest to find out how my search terms ranked up on the web when I came across a bunch of webpages that were under my domain name. I had no clue where the pages were or how they got on my server. It was basically www.mydomain.com/?solution=9 and other pages of that sort. After an hour or two of digging on the web with no easy explanation or result I finally figured it out!
Basically some malicious code was injected into the top of most or all of the PHP pages in my directory. The code looked something like this:
<? /**/eval(base64_decode('fsfsdfsdfsdfdsfsdfsdfdf')); ?>
The gibberish in quotes above was actually a lot longer than that. Unfortunately, this is actually a pretty smart and cool hack, because to ordinary eyes the text in the quotes simply means nothing. But to a super eye, that being a computer, BASE64 is actually an encryption algorithm which can be decrypted, that is, translated back into something meaningful. In my case that something was a PHP string that inserted a DIV containing advertising for medicine and other things. This appeared on multiple pages of my site and hence gave the hackers free web hosting space on my site. My database was also compromised: as I looked through it I found some RSS entries in it, which could basically give the hackers the ability to update their content seamlessly.
There are two stages in solving this kind of hack:
1. Investigating
2. Solving
STAGE 1 (Investigating)
The first thing you need to do is figure out which file gave the hackers an entry or backdoor into your site. In my case I realized it was a completely unrelated directory of old code that I unfortunately did not protect.
TIP: If you own a web server or web hosting space, it might be a good idea to archive old material in a directory that cannot be accessed publicly. Ways to do this could be to remove it from PUBLIC_HTML folder or otherwise remove all read, write and execute permissions from the directory.
The way I figured out which file was the hackers' entry point was to decode the base64 string. You can use a base64 decoding website to do this: just copy the string inside the quotes and paste it into the website, which should give you the decoded version. Once decoded, it showed me the location of the file that was being used to compromise my site.
As soon as you find the file there are two things to do:
1. REMOVE IT FROM YOUR SERVER (if you are not sure what the file is, back it up and then REMOVE IT).
2. Investigate that directory for other compromised files.
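As an added example (not code from the original post), here is a small Python script that does the investigating step above over a whole document root instead of one page at a time: it finds every eval(base64_decode('...')) header, decodes the blob (base64 is an encoding rather than a cipher, so no key is needed) and lists the files the decoded payload pulls in, which is exactly what pointed the author at the leftover directory. The payload is only decoded and read, never executed. The sample site it builds, the hidden-div payload and the old_code/legacy.php path are constructed for the example and are not from the post.

```python
import base64
import re
import tempfile
from pathlib import Path

# Matches the injected construct from the post: eval(base64_decode('...')).
# The capture group is the encoded blob; whitespace inside it is tolerated.
EVAL_B64_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)""",
    re.IGNORECASE,
)
# File references inside the decoded payload (include/require of a path);
# this is how the payload points at the file it loads from elsewhere on the server.
INCLUDE_RE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""", re.IGNORECASE
)


def decode_payload(blob: str) -> str:
    """Decode a base64 blob to text. There is no key involved, so the hidden PHP
    is recovered by plain decoding. Missing '=' padding is restored first."""
    cleaned = re.sub(r"\s+", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned).decode("utf-8", errors="replace")


def scan_file(path: Path) -> list:
    """Return one finding per eval(base64_decode(...)) occurrence in a file.
    The payload is decoded and inspected as text; it is never executed."""
    text = path.read_text(errors="replace")
    findings = []
    for match in EVAL_B64_RE.finditer(text):
        payload = decode_payload(match.group(1))
        findings.append({
            "file": str(path),
            "payload": payload,
            "referenced_files": INCLUDE_RE.findall(payload),
        })
    return findings


def scan_tree(root) -> list:
    """Walk a document root and scan every .php file under it."""
    results = []
    for php_file in sorted(Path(root).rglob("*.php")):
        results.extend(scan_file(php_file))
    return results


def make_sample_site() -> str:
    """Constructed sample document root: one clean page and one page carrying an
    injected header of the kind described in the post. The decoded payload is
    made up for this example; it prints a hidden div and includes a file from a
    hypothetical leftover directory old_code/."""
    root = tempfile.mkdtemp(prefix="sample_site_")
    (Path(root) / "old_code").mkdir()
    (Path(root) / "about.php").write_text("<?php echo 'About this site'; ?>\n")
    hidden_php = (
        "echo '<div style=\"display:none\">constructed spam text</div>';"
        " include('old_code/legacy.php');"
    )
    blob = base64.b64encode(hidden_php.encode()).decode()
    (Path(root) / "index.php").write_text(
        f"<? /**/eval(base64_decode('{blob}')); ?>\n<?php echo 'Home'; ?>\n"
    )
    return root


if __name__ == "__main__":
    for finding in scan_tree(make_sample_site()):
        print(f"{finding['file']}: references {finding['referenced_files']}")
        print("  decoded payload:", finding["payload"])
```

Point scan_tree at your real document root instead of make_sample_site() to get a list of every injected page plus the paths the payloads reference; those paths are the directory to investigate and, per the steps above, back up and remove.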
If you absolutely do not need a file or a bunch of files, get rid of them. People tend to cling on to old things in life; in the case of geeks (not me), it's old files, programs, computer games and software. Why would you want to still play that Atari or Nintendo? Ever heard of High Definition?
STAGE 2 (Solving)
There are two ways to go about this, one would be cleaning up the mess left by the hackers (not recommended) or deleting and starting afresh (recommended).
Option 1 (not recommended)
Unless your site has heavy traffic or has a lot of data in it, I would just recommend starting afresh, because you do not have a clue which other holes have been made in your site; it's simply the safest route to go. If you do clean up, what you will want to do first is make a copy of your database and files on your server as a backup. You can then proceed to clean up the mess, and if anything goes wrong you will always have the backup. You can use tools like TextPad's Find in Files feature to automatically search all the files in a folder for a piece of code.
Option 2 (recommended)
Make a backup of all your files and database. When this is done, reinstall whatever script you are using, in my case WordPress. Make sure you install the latest version and constantly check for updates. You want to make a list of all modules and plugins installed, if any, so they can be reinstalled on the new site. You might also want to check and copy the settings from the old site to the new one.
TIP: Using phpMyAdmin, if your server allows access to it, you can make a copy of the database, that is, copy it under a new name such as database_name2. The same can be done with the site, for example sitename2. You can then edit the configuration file to point to the copied database.
You can look through your database tables, such as the ones that contain your posts and categories, and make sure there is no funny code in them. You can then restore them to the new site installation. What I personally did was go table by table; once a table was verified, I used INSERT commands to put the data back into the table on the new site.
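As an added example (not the author's code), the table-by-table check above can be done mechanically: run a SELECT over the posts table, feed the rows through a few patterns that legitimate blog content should never contain (hidden divs, iframes, script tags, base64/eval, pharmacy spam words), keep only the rows that pass, and emit INSERT statements for them. The pattern list, the three sample rows and the wp_posts column set used here are constructed for the example; the column names follow the standard WordPress posts table, which the post does not list.

```python
import re

# Constructed detection patterns: markup and wording that ordinary posts do not
# contain but injected advertising of the kind described in the post usually does.
SUSPICIOUS = {
    "hidden_div": re.compile(r"<div[^>]*display\s*:\s*none", re.IGNORECASE),
    "iframe": re.compile(r"<iframe\b", re.IGNORECASE),
    "script": re.compile(r"<script\b", re.IGNORECASE),
    "eval_b64": re.compile(r"base64_decode|\beval\s*\(", re.IGNORECASE),
    "pharma": re.compile(r"\b(pharmacy|pills|viagra)\b", re.IGNORECASE),
}

# Constructed rows standing in for: SELECT ID, post_title, post_content FROM wp_posts
SAMPLE_ROWS = [
    {"ID": 1, "post_title": "Hello world",
     "post_content": "<p>Welcome to my blog.</p>"},
    {"ID": 2, "post_title": "Holiday photos",
     "post_content": "<p>Some photos.</p><div style=\"display:none\">cheap pills here</div>"},
    {"ID": 3, "post_title": "Links",
     "post_content": "<p>Read more.</p><iframe src=\"http://ads.example.invalid/\"></iframe>"},
]


def audit_rows(rows):
    """Return {ID: [pattern names]} for every row whose title or content matches."""
    hits = {}
    for row in rows:
        text = f"{row['post_title']}\n{row['post_content']}"
        names = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
        if names:
            hits[row["ID"]] = names
    return hits


def verified_rows(rows):
    """Rows with no hits: the ones safe to carry over to the fresh install.
    Flagged rows are for manual review, not automatic deletion."""
    flagged = audit_rows(rows)
    return [r for r in rows if r["ID"] not in flagged]


def sql_literal(value):
    """Quote a value as a MySQL literal (backslash and single quote escaped)."""
    if isinstance(value, int):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace("'", "''")
    return f"'{escaped}'"


def to_insert_sql(table, row):
    """Build the INSERT statement used to put a verified row back into the new site."""
    cols = ", ".join(row.keys())
    vals = ", ".join(sql_literal(v) for v in row.values())
    return f"INSERT INTO {table} ({cols}) VALUES ({vals});"


if __name__ == "__main__":
    for post_id, names in audit_rows(SAMPLE_ROWS).items():
        print(f"review post {post_id}: {', '.join(names)}")
    for row in verified_rows(SAMPLE_ROWS):
        print(to_insert_sql("wp_posts", row))
```

Run the same audit over every table you plan to carry across (options and comments are worth the same treatment as posts), and when you do the real restore prefer a parameterised client over hand-built string literals; the INSERT builder here mirrors the manual step the post describes so the verified set is visible as SQL.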
ADVICE:
* Legacy is a bad word: upgrade and check for updates.
* Don't leave yourself open to compromise: delete or protect unused directories on your server.
Please visit the following websites for additional resources and instructions on how to solve these problems. Don't get hacked again!