On Being Hacked [en]

[fr] Hacked, and there you go, just when I didn't know what to do with my lovely sunny Sunday afternoon...

I’m currently battling with a hacked WordPress installation. You won’t see anything if you view source, but Google unfortunately sees a whole lot of spam right at the top of each of my pages.

Result of being hacked on CTTS

Here’s some information in the hope somebody may have a bright idea to help me root out the hack.

  • I’m running 3.0.3 and would like to find the source of the problem before upgrading to 3.04 (bad idea?)
  • I’ve tried disabling all plugins, and the problem is still there when I do that.
  • I’m using the vanilla default Twenty-Ten theme
  • I’ve looked in the theme header (header.php) for anything obvious, and also in wp-content, wp-plugins, etc. for anything that looked out of place to my eyes
  • I’ve run greps for base64 (anything here look suspicious?), spammy keywords, and other things I could think of
  • It does not seem to be this pharma hack (have failed at finding any signs of it following the instructions there — wp_option keys, backdoor files…)
  • I have searched my database for spammy keywords (also backwards) and haven’t found any, aside from in spam comments caught by Akismet

I will update this post as I find out more. Thanks for your suggestions.

Update: at least a partial solution… running find . -iname '*.php' -print0 | xargs -0 grep base64 (the glob must be quoted so the shell does not expand it before find sees it) allowed us to identify a problem in l10n.php, which was promptly replaced by a new version (evil version available on request). One of my pages as viewed by Googlebot now looks like this. So, the site is cleaner, but are there any backdoors left?
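As an added example (not code from this post), here is the same idea as the base64 grep above, extended to a whole WordPress tree and paired with a hash comparison against a pristine copy of the same release, which is the check that actually answers "are there any backdoors left?". The pattern list and the sample files in the test are constructed; tune the patterns for your own tree.

```python
"""Heuristic scan of a WordPress tree for injected/obfuscated PHP, plus a
hash diff against a pristine copy of the same release. Added example."""
import hashlib
import os
import re

# Constructed patterns typical of injected PHP; a hit is a lead, not proof.
SUSPICIOUS = [
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"\bbase64_decode\s*\(", re.I),
    re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),
    re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),  # long base64-looking blob
]

def scan_php_source(text):
    """Return the patterns matched in one file's source (empty if clean)."""
    return [pat.pattern for pat in SUSPICIOUS if pat.search(text)]

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def walk_php(root):
    """Yield every .php file under root, following the directory tree."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                yield os.path.join(dirpath, name)

def scan_tree(root):
    """Map relative path -> matched patterns for every PHP file with a hit."""
    report = {}
    for path in walk_php(root):
        with open(path, encoding="utf-8", errors="replace") as f:
            hits = scan_php_source(f.read())
        if hits:
            report[os.path.relpath(path, root)] = hits
    return report

def diff_against_pristine(live_root, pristine_root):
    """(modified, extra): files whose hash differs from the clean release
    tree, and PHP files that exist only in the live tree (e.g. in uploads)."""
    live = {os.path.relpath(p, live_root): sha256_file(p) for p in walk_php(live_root)}
    clean = {os.path.relpath(p, pristine_root): sha256_file(p) for p in walk_php(pristine_root)}
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    extra = sorted(p for p in live if p not in clean)
    return modified, extra
```

Files flagged by both checks (a modified core file that also matches an obfuscation pattern) are the ones to replace from the release archive first; extra PHP files under wp-content/uploads deserve a look even when they match nothing.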

Google Webmaster Central is definitely a place to visit regularly — I would have spotted this way sooner if I had, rather than wondering what was wrong with my robots.txt file when I stopped being able to “direct Google” my posts. View more scary screenshots.