Apparently the WordPress search redirect hack that I reported on the other day is fairly widespread. Moreover, it’s been taking down sites running WordPress installs as late as ver. 2.5.1, so upgrading won’t necessarily protect you (example).
sidebar: According to Donncha, 2.5.x is not vulnerable to this, but I’ve personally seen a number of 2.5.x sites that are afflicted. One commonality is that many (all?) of these sites are on DreamHost. I wonder if the hackers have somehow compromised DreamHost, and are attacking the 2.5.x installs from the inside (?). Or perhaps they were compromised before upgrading. Just musing — no evidence of that so far. /sidebar
While the nefarious code was, in my case, included in index.php, others are reporting that it may involve a corrupted image file set in the wp_options database table to act as a plugin.
Here are some related articles on the topic: link, link, link
Some DigitalPoint threads: link, link
And some WordPress support threads: link, link
And, finally, video on fixing the problem if you have the plugin version: link
(Thanks to Patrick for the video link.)
It’s still unclear how the affected sites were compromised.
To find out if you’re affected:
Clear cookies, run a Google search for your site, and then click through. If you wind up at your site you’re probably okay. If it redirects to (or through) anyresults.net, then you’ve been hacked. If I were you, I’d try this a couple of times as the cookie that hides the hack seems to stick in some browsers.
Update: Be sure to read the GRS post about getting rid of this thing. I just discovered that I had an extraneous user created at 00:00:00 on 0000-00-00. Unlike JD, however, I haven’t discovered any other database changes — perhaps because I was running an older version of WP (2.3.3) which was easier to take down (?).
June 8th, 2008 at 6:26 am
It does not affect 2.5.1
http://twitter.com/donncha/statuses/829681288
June 8th, 2008 at 8:00 am
Mark: Hah! Try telling that to the people running WordPress 2.5.1 that have been hacked. That link to Donncha’s twitter is wrong. I personally know several people running 2.5 and 2.5.1 that have been hacked. The details are slightly different, but it’s the same end result.
Go here for an example.
June 8th, 2008 at 9:00 am
Okay. If you say so.
Go tell Donncha at his blog? After all, you do want to help others?
June 8th, 2008 at 9:03 am
Hi Mark: Thanks for stopping by again.
I already left a comment at donncha.wordpress.com — is that the right place? I’m not sure how else to contact him. He’s not accepting direct messages via Twitter.
June 8th, 2008 at 1:04 pm
I haven’t been affected by the index.php code, but I did have the image, when you opened the image in notepad you can see the PHP code and encrypted code aswell.
If you want a copy of this let me know.
You have my email address but would prefer not to link to my blog right now.
June 9th, 2008 at 4:18 am
nickel - hope you saw my reply to your comment. I would be very confident that those WP 2.5.1 blogs that were hacked were probably exploited before they were upgraded. The hackers just lay in wait until last week to launch this latest wave.
I wouldn’t be surprised if there was a third wave of attacks on already exploited blogs.
June 9th, 2008 at 7:47 am
Donncha: Yeah, I sure did. Thanks for your response — it’s reassuring to know that this problem is a thing of the past. I’m still working to tighten a few more things up, though. You can never be too careful!