Latest update to this is at the bottom of the post.
Both Marketing Over Coffee and my blog are getting nailed with this hack described by Chris Pearson.
Here’s the solution for tackling it, for the moment, until the attack adapts. Log into your MySQL database (most hosts expose it via phpMyAdmin) and execute this query (csp891_ is this blog’s table prefix; substitute your own):
SELECT * FROM `csp891_options` WHERE option_name LIKE 'rss%' ORDER BY `csp891_options`.`option_name` ASC
You should see only a few entries unless you use syndication software like SimplePie. What you’re looking for is an entry whose name starts with rss_ followed by some random numbers. The value of the entry is encoded JavaScript, which looks like this:
FFPJ1JpnyfUnpDzz3h9tfaI92uDvyD/Of+r4XyJ2f2Uev6U539WDM39kP10QFLP53+Y5BaX3+0/a03rZ0
0nKX5Na27hXdOSw17TGuO7pDWt/+Na0+lVHHdrWrScqzVqdysqybmiWvILqqXzn5L+ehyvSzriIZHsf
oIiUKwlJvcjvH69FR7SHB4UNXyXOaZw+ivT8dhjkZ6rtGj+PPJRMlCW5ePEZVlLOj8YkgL80/26Luefq
VXgStMY/Afw/
which goes on and on for a bit.
Delete this entry. It should be safe to do so (back up your WordPress first).
Keep an eye on your MySQL database as well for this entry to recur, since no one is sure how this hack is happening, just that it is.
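A way to automate the check above, as an added example that is not code from the original post: it runs the same LIKE 'rss%' query and flags rows whose value is a long base64 blob that decodes to script-like text, leaving short core options and serialized feed-cache rows alone. It uses an in-memory SQLite table with constructed rows in place of the real MySQL options table; the marker list and length threshold are my assumptions.

```python
import base64
import binascii
import re
import sqlite3

# A long run of pure base64 text, like the blob shown in the post (threshold is an assumption).
B64_VALUE = re.compile(r"^[A-Za-z0-9+/=\s]{40,}$")
# Substrings that make decoded text look like injected JavaScript (assumed marker list).
JS_MARKERS = re.compile(rb"<script|document\.write|eval\(|unescape\(|fromCharCode", re.I)


def classify_option(option_name: str, option_value: str):
    """Return a reason string if this options row looks like the injected rss_ entry, else None."""
    if not option_name.lower().startswith("rss_"):
        return None
    if not B64_VALUE.match(option_value):
        return None  # short values and PHP-serialized feed caches are not base64 blobs
    try:
        decoded = base64.b64decode("".join(option_value.split()), validate=True)
    except (binascii.Error, ValueError):
        return "rss_ option with long undecodable blob (inspect manually)"
    if JS_MARKERS.search(decoded):
        return "rss_ option holding base64-encoded JavaScript"
    return "rss_ option with long base64 value (inspect manually)"


def find_suspicious_rss_options(conn: sqlite3.Connection, prefix: str = "wp_"):
    """Run the post's query against <prefix>options and classify every rss_ row."""
    # prefix is the site's table prefix (wp_ by default), not user input.
    cur = conn.execute(
        f"SELECT option_name, option_value FROM {prefix}options "
        "WHERE option_name LIKE 'rss%' ORDER BY option_name ASC"
    )
    return [(name, classify_option(name, value)) for name, value in cur
            if classify_option(name, value)]


def build_sample_db():
    """Constructed in-memory stand-in for the MySQL options table; all rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    injected = base64.b64encode(b"<script>document.write('injected');</script>").decode()
    rows = [
        ("rss_use_excerpt", "0"),                          # ordinary core-style option
        ("rss_0ab4d2", 'a:1:{s:4:"feed";s:5:"hello";}'),   # serialized feed-cache style row
        ("rss_8675309", injected),                         # constructed injected entry
        ("blogname", "Example"),                           # unrelated option
    ]
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", rows)
    return conn


if __name__ == "__main__":
    for name, reason in find_suspicious_rss_options(build_sample_db()):
        print(f"{name}: {reason}")
```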
UPDATE 4/9:
This hack is recurring almost daily. I’m not sure what the entry point is. That said, I have two suspicions I’m testing right now. The first is a note from reader Ivan Walsh who said that I’m getting some bizarre images in my image loader on the front page of the blog. That image stuff is controlled by TimThumb via this theme, so I patched TimThumb manually from their SVN repository to the latest version 1.12. We’ll see if that makes a difference there.
The second update I made is based on a hunch from the database hack itself – it’s inserting as an RSS option. Here’s the thing, which users of FeedWordpress know but not necessarily everyone else – WordPress ships with a version of Magpie. An old, out of date, broken version. If you grab the FeedWordpress plugin from the Codex and follow JUST the Magpie upgrade install, this should get those two files, rss.php and rss-functions.php, up to date. Again, we’ll see if this makes a difference.
For those other folks getting hacked – are you using TimThumb? Have you patched rss.php and rss-functions.php? Any more success or failure?
UPDATE 4/12:
Neither updating TimThumb nor Magpie made a difference. The hacked string showed up in the database not an hour after. So, now using some .htaccess mojo to lock down wp-admin. We’ll see if this works.
UPDATE 4/12:
After slapping .htaccess on wp-admin, the hack is still re-occurring. The plot thickens.
UPDATE 4/13:
Cautious optimism. Here’s what I’ve done in the last 24 hours since I received a warning via Google’s Webmaster tools that my site has been pulled from their index for cloaking.
- Installed the Secure WordPress plugin and turned all options on.
- Renamed all database table prefixes (which was fairly unpleasant to do by hand)
- Dropped all non-essential tables (especially leftovers from old plugins)
- Removed a bunch of plugins I’m not using any more
- Reinstalled a fresh copy of WordPress
- Upgraded my theme to the latest release
- Fixed lingering file permissions highlighted by the WP Security Scan plugin
- Ran an optimize on all remaining tables in MySQL
So far, I’m cautiously optimistic – the RSS data entry has not reappeared yet, and it’s been nearly instantaneous in the past.
UPDATE 4/14:
So far, the hack has not re-occurred. Also, Matt from WordPress has come out with an official statement saying that this is a server-level hack, which means that you need to strictly enforce permissions and set wp-config.php to 640 as well as tighten down any other file-based permissions. That makes total sense as the database information is encoded in wp-config.php, so make sure that’s locked down.
So, the recipe for the time being seems to be to lock down permissions using some of the many security plugins out there, tighten down wp-config.php, clean up your database using MySQL’s tools (or phpMyAdmin, depending on your host), and keep an eye on things. If your site runs clean, then make sure that you log into Google’s Webmaster Tools and submit your site for reinclusion in Google’s index. If you kept confidential customer information on your web site, you MUST assume it has been compromised and notify customers as appropriate.
I’ll add this last bit in: I have absolutely no capacity to offer any kind of help, unfortunately, to folks who have had this happen to them. That said, my assistant, someone, is able to help you out with this if you can’t do it yourself.
Get this and other great articles from the source at www.ChristopherSPenn.com!