Hacked. And there I was, not knowing what to do with my lovely sunny Sunday afternoon...
I’m currently battling with a hacked WordPress installation. You won’t see anything if you view source, but Google unfortunately sees a whole lot of spam right at the top of each of my pages.
Here’s some information in the hope somebody may have a bright idea to help me root out the hack.
- I’m running 3.0.3 and would like to find the source of the problem before upgrading to 3.04 (bad idea?)
- I’ve tried disabling all plugins, and the problem is still there when I do that.
- I’m using the vanilla default Twenty-Ten theme
- I’ve looked in the theme header (header.php) for anything obvious, and also in wp-content, wp-plugins, etc. for anything that looked out of place to my eyes
- I’ve run greps for base64 (anything here look suspicious?), spammy keywords, and other things I could think of
- It does not seem to be this pharma hack (have failed at finding any signs of it following the instructions there — wp_option keys, backdoor files…)
- I have searched my database for spammy keywords (also backwards) and haven’t found any aside from in spam comments caught in Akismet
I will update this post as I find out more. Thanks for your suggestions.
Update: at least a partial solution… running find . -iname '*.php' -print0 | xargs -0 grep base64 allowed us to identify a problem in l10n.php, which was promptly replaced by a new version (evil version available on request). One of my pages as viewed by Googlebot now looks like this. So, the site is cleaner, but are there any backdoors left?
Google Webmaster Central is definitely a place to visit regularly — I would have spotted this way sooner if I had, rather than wondering what was wrong with my robots.txt file when I stopped being able to “direct Google” my posts. View more scary screenshots.
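A complementary check to the grep in the update, written as an added example (not from the original post): compare the live tree against a pristine unpacked copy of the same release, so that modified core files and PHP files the release never shipped stand out even when they contain no base64. The function names, directory arguments and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. CLEAN is an unpacked pristine copy
# of the same WordPress release, LIVE is the installed tree (both assumptions).

# Print one report line; mark files that mention base64, like the post's grep.
report() {  # report <label> <root dir> <relative path>
    if grep -qi 'base64' "$2/$3"; then
        echo "$1 $3 [base64]"
    else
        echo "$1 $3"
    fi
}

# MISSING  = shipped with the release but absent from the live tree
# MODIFIED = content differs from the release copy
# ADDED    = PHP file the release does not ship (plugins, wp-config.php and
#            anything an intruder dropped all show up here for review)
wp_compare() {  # wp_compare <clean dir> <live dir>
    clean=$1; live=$2
    ( cd "$clean" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        if [ ! -f "$live/$f" ]; then
            echo "MISSING $f"
        elif ! cmp -s "$clean/$f" "$live/$f"; then
            report MODIFIED "$live" "$f"
        fi
    done
    ( cd "$live" && find . -type f -iname '*.php' | LC_ALL=C sort ) | while IFS= read -r f; do
        [ -f "$clean/$f" ] || report ADDED "$live" "$f"
    done
}

# Constructed sample trees so the script runs offline; file contents are
# placeholders, not real WordPress or malware code.
make_sample() {  # make_sample <work dir>
    mkdir -p "$1/clean/wp-includes" "$1/live/wp-includes" "$1/live/wp-content/uploads"
    echo '<?php // l10n placeholder' > "$1/clean/wp-includes/l10n.php"
    echo '<?php // l10n placeholder + base64_decode marker' > "$1/live/wp-includes/l10n.php"
    echo '<?php // version placeholder' > "$1/clean/wp-includes/version.php"
    cp "$1/clean/wp-includes/version.php" "$1/live/wp-includes/version.php"
    echo '<?php // config placeholder' > "$1/live/wp-config.php"
    echo '<?php // unexpected file placeholder' > "$1/live/wp-content/uploads/x.php"
}

# Run as: script.sh <clean dir> <live dir>
if [ "$#" -eq 2 ]; then wp_compare "$1" "$2"; fi
```

Expect wp-config.php and installed plugins under ADDED, since the release archive does not ship them; PHP files under wp-content/uploads deserve a closer look. The comparison covers files only, not content stored in the database.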
To search for hacked code, you can compare the current code to the 3.0.3 release from the “Release Archives” or from the SVN tag.
The problem with comparing code is that you have to re-create the whole installation as it was including all plugins and edits. That can be quite a hassle, especially if you do a fair amount of WP development yourself. And not every blogger out there has the skills to do it – or any use for that kind of post-mortem work. Reinstalling from trusted sources probably is easier, then. Archiving old, vulnerable installations is of course a possibility.
3.0.4 was dubbed an “important security update” http://wordpress.org/news/2010/12/3-0-4-update/
Yeah, learning that now. I was on a plane to India around that time. 😉
Also worth reading: http://t37.net/securite-que-faire-quand-votre-wordpress-sest-fait-hacker.html