PHP Script Injection Exploit in WordPress 2.7.1

by on 05/11/2009 in Security, WordPress

I experienced my first site hack this weekend thanks to a warning message from Kaspersky Internet Security. When I logged into the admin panel of WordPress, it flagged gumblar.cn/rss/?* in my Firefox browser. After a little Google research, I found out that this was a PHP script injection that had found its way into many of the PHP files of my site, including the index.php and index-extra.php of the wp-admin folder, functions.php in the wp-includes folder, index.php in the wp-content folder, custom-functions.php in the Thesis theme’s custom folder, and even the main wp-config.php file in the root. The code was at the beginning of these PHP files, and started out as follows:

[Screenshot: gumlar-exploit, the injected code at the top of an infected PHP file]

Even after removing the code from the above pages, I still encountered the same warning message from Kaspersky, which meant the injection was in even more PHP files. I decided that checking each PHP file was going to take a lot of time, so I downloaded a fresh installation of WordPress 2.7.1 and the Thesis Theme. The only original files I kept were wp-config.php and custom-functions.php, after removing the injected PHP script from each, because of the custom settings and code within them.

After the fresh installation, I still had the malware code on my site. The final folder that I didn’t check was my plug-ins. Sure enough, after I deleted all of my plug-ins, my site was finally free of the malicious code.

In summary, these were the steps I took to remove the code from my site, which took about two hours:

  • Saving the original wp-config.php and custom-functions.php from Thesis after the removal of the script in the top line of the PHP
  • Downloading and installing a fresh copy of WordPress 2.7.1 and my current theme, Thesis 1.5
  • Deleting all plug-ins and re-installing them from inside the WordPress admin panel
  • Changing my WordPress and FTP login passwords to (hopefully) protect my site from further attacks
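The manual step above, checking each PHP file one by one, is the part of this cleanup that takes the most time and is easiest to get wrong (a file missed during cleanup, or one backed up with the injection still in it, brings the problem back). The following Python script is an added example, not code from the original post: it assumes you have a freshly downloaded, known-clean copy of the same WordPress and theme versions to use as a reference, compares every .php file on the live site with its counterpart, and flags files that differ, have no clean counterpart (wp-config.php, plugins), or contain one of the indicators named on this page. All paths, file contents and the example.invalid host are constructed for the demo.

```python
"""Integrity scan of a PHP site tree against a pristine reference copy.

Added example, not code from the original post. It automates the manual
"check each PHP file" step: every .php file under the live site is compared
with the same path in a freshly downloaded, known-clean copy, and files that
differ (or have no clean counterpart, such as wp-config.php and plugins) are
scanned for indicators named in the post and its comments. Paths, file
contents and the example.invalid host below are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# Indicators: gumblar.cn is the domain named in the post; a later comment
# reports a hidden iframe appended below the closing tag of many files.
INDICATORS = [
    ("gumblar.cn reference", re.compile(rb"gumblar\.cn", re.IGNORECASE)),
    ("hidden iframe", re.compile(
        rb"<iframe[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none)", re.IGNORECASE)),
]

# Files expected to differ from a fresh download; they must be reviewed by
# hand rather than replaced: wp-config.php holds the site settings and Thesis
# keeps all custom code in custom-functions.php (theme path is an assumption).
SITE_SPECIFIC = frozenset({
    "wp-config.php",
    "wp-content/themes/thesis/custom/custom-functions.php",
})


def classify_change(site_bytes: bytes, ref_bytes: bytes) -> str:
    """Describe how a live file differs from its pristine counterpart."""
    if site_bytes == ref_bytes:
        return "clean"
    if site_bytes.endswith(ref_bytes):
        return "prepended"      # injected code at the top, as the post describes
    if site_bytes.startswith(ref_bytes):
        return "appended"       # injected code at the bottom, as in the comments
    return "modified"


def scan_site(site_root: Path, ref_root: Path) -> dict:
    """Return {relative path: {"status": ..., "indicators": [...]}} for every
    .php file that differs from the reference, lacks a reference, or matches
    an indicator. Byte-identical files with no indicator hit are omitted."""
    findings = {}
    for path in sorted(site_root.rglob("*.php")):
        if not path.is_file():
            continue
        rel = path.relative_to(site_root).as_posix()
        site_bytes = path.read_bytes()
        ref_path = ref_root / rel
        if rel in SITE_SPECIFIC or not ref_path.is_file():
            status = "no-reference"
        else:
            status = classify_change(site_bytes, ref_path.read_bytes())
        hits = [name for name, rx in INDICATORS if rx.search(site_bytes)]
        if status != "clean" or hits:
            findings[rel] = {"status": status, "indicators": hits}
    return findings


def build_demo() -> tuple:
    """Construct a tiny reference tree and an infected site tree in a temp dir."""
    base = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    ref, site = base / "reference", base / "site"
    clean_index = b"<?php\n/* constructed stand-in for WordPress index.php */\nrequire 'wp-blog-header.php';\n"
    clean_funcs = b"<?php\n/* constructed stand-in for wp-includes/functions.php */\n"
    # Constructed marker only: it names the domain from the post and does nothing.
    injected_top = b"<?php /* CONSTRUCTED sample, not real malware */ $u = 'http://gumblar.cn/rss/'; ?>\n"
    injected_bottom = b'<iframe src="http://example.invalid/" style="visibility:hidden"></iframe>\n'

    for root, files in (
        (ref, {"index.php": clean_index, "wp-includes/functions.php": clean_funcs}),
        (site, {
            "index.php": injected_top + clean_index,                 # prepended injection
            "wp-includes/functions.php": clean_funcs,                 # untouched
            "wp-config.php": injected_top + b"<?php define('DB_NAME', 'demo');\n",
            "wp-content/plugins/demo/demo.php": b"<?php /* plugin */\n" + injected_bottom,
        }),
    ):
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
    return site, ref


if __name__ == "__main__":
    site_dir, ref_dir = build_demo()
    for rel, info in scan_site(site_dir, ref_dir).items():
        print(f"{info['status']:13} {rel}  indicators={info['indicators']}")
```

Run it against a real site by pointing `scan_site` at the live document root and at the unpacked fresh download; anything reported as "prepended", "appended" or "modified" is replaced from the clean copy, and "no-reference" files (plugins, the config, the theme's custom file) are the ones that need a manual read-through before they are kept or backed up.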

I can say with certainty that if I had not upgraded earlier in the week to the new WordPress 2.7.1 and Thesis Theme, this cleanup process would have been much more difficult, simply because being forced to do the full upgrade in the middle of dealing with the hack would have been even more stressful. Plus, with previous WordPress versions, I would not have been able to simply search for and install the new plug-ins through the admin panel – it would have been download, unzip, upload, and activate. And with any other theme, I would have certainly lost my custom coding in all of the theme template files without a recent backup. Fortunately, with Thesis, all of the custom PHP coding is handled in the one custom-functions.php file.

I believe that the code was on my site for only a little more than four hours, as I had worked on my site earlier around 7pm, and did not receive the first warning message from Kaspersky until 11:30pm. Nonetheless, this goes to show that you should always make sure your antivirus and spyware programs are up to date, and that any coding customizations to your site should be saved often. Any website, including trusted ones and even your own, is susceptible to unwanted surprise attacks.

Blog contributed by Kristi at http://kikolani.com/.

43 Responses to “PHP Script Injection Exploit in WordPress 2.7.1”

  1. Moin

    May 11th, 2009

    Hi, your ideas are fantastic. I appreciate your work.

  2. Thanks Kristi,

    I went through a similar experience just a few weeks ago. I am not a code guy but frustration quickly led me to install a fresh version of Thesis saving only my custom-functions.php which solved the problem. I knew you would like Thesis. I am going to save this string of code for a reference.

  3. Miguel | Simply Blog

    May 11th, 2009

    Kristi,

    Excellent work, your site looks clean and bright. :) Thanks for sharing, it’s always necessary to stay up to date with releases, updates and so on. Good move Jonathan, I think I’ll do the same. Cheers,

    -Mig

  4. regie

    May 11th, 2009

    Thanks for sharing kristi!

  5. John Sullivan

    May 11th, 2009

    Wow sounds like a nightmare.
    great information.
    Your site is back kicking as* tho :)
    thanks
    PS now like most people I will do nothing and freak out when it happens !!!

  6. Kikolani

    May 11th, 2009

    @Moin: Thanks!

    @Jonathan: Yes, I can’t tell you how happy I was that I did those upgrades before this happened. In my last template, since I was a bit behind in backing up the files, I would have been going through each template php file looking for that mess. Or I would have lost all my custom code.

  7. Lea

    May 11th, 2009

    I would also pay attention to the permission settings of your files on your server. Also, you can protect your files such as .htaccess and wp-config using the .htaccess file.

    • Frank J

      May 11th, 2009

      Lea,

      You are right, but injections are sophisticated and can get by .htaccess. You will hear a lot about SQL Injections that occur often with .htaccess in play.

  8. Kikolani

    May 11th, 2009

    @Miguel: Yes, the updates and one custom code file for Thesis made the clean up process a bit easier.

    @Regie: You’re welcome. I hope you never run into this kind of problem, but if you do, I hope the tips help.

    @John: Isn’t that the truth. I have been reading about site hacks for months, and thought, that’s ok, I’m sure I can handle it. And although I did, I was very freaked out throughout the process.

    @Lea: My permissions were set as suggested by WordPress and the Thesis Theme. After changing passwords on a secure computer, I checked my settings again though, to be safe.

  9. Sire

    May 11th, 2009

    Man, I didn’t know this was one of your sites Kristi. At first I thought that there was a security problem with WP 2.7.1, thankfully that wasn’t the case.

    Do you have the link to the Firefox plugin that found this bug? And why haven’t you got a ‘subscribe to comment’ plugin?

  10. andy

    May 11th, 2009

    Hi

    Been watching this domain for a few weeks now. To protect your local PC from it you can null route the domain via your Windows hosts file. Simply add 127.0.0.1 and then gumblar.cn and save the file. That will stop it from loading from its own domain.

    What the injection is doing is loading a JavaScript that loads info via the victim’s website (i.e. techjaws in this case, but you’re not the only one). It then runs a broken Adobe document to attempt to cause a buffer overflow. If that is successful it then tries to run the multiple malware scripts on the visitor to the victim’s website.

    If folk need help on how to edit their hosts file I have a step by step tutorial at my own tech forums. If Frank would like to contact me via e-mail then I will gladly pass it on. (Don’t believe in just spamming links in folks’ comment areas :) )…

    I’ve also reported this domain to Patrick Koller at Spybot so hopefully it should be in his next update…

    nice site you have here btw :)

    • Frank J

      May 11th, 2009

      Andy,

      Very inspiring and most of all interesting. I am curious, what do you do for a living?

  11. andy

    May 11th, 2009

    Hi Frank

    Worked in computers and online web systems for the last ten years. One of my particular interests being online security mainly for the novice user and trying to help them with step by step instructions on how to do stuff.

    • Frank J

      May 11th, 2009

      Andy,

      Please send me an email at boscony[@]yahoo.com. I’d be very interested in speaking further. TechJaws is mainly an Internet Security blog as I am sure you’re well aware of.

  12. Mark

    May 11th, 2009

    @kikolani – can I suggest that you send all possible details to security @ wordpress.org? It can then be looked at for the benefit of all WordPress users.

  13. Michael Aulia

    May 12th, 2009

    That’s pretty scary.. hope one day someone can build a plug-in that can automatically scan these things :{

    • Frank J

      May 12th, 2009

      Hey Michael!

      Yes, it’s scary. I backup my wordpress files every other day just in case this ever happens to me.

  14. Thomas J. Raef

    May 12th, 2009

    We have found that so many sites are being “hit” lately. We’ve seen a very similar infection on a number of bulletin board based sites where the malicious code you’ve shown above is located in 3 different files in each language folder. Some have had as many as 300+ files on their site hosting malscripts.

    It seems as though the cybercriminals have more ways to “hack” a site than most of us have in protecting them. We’ll see what happens next…

    • Frank J

      May 12th, 2009

      Thomas,

      I appreciate the information! If there’s any thing in addition you would like to share, please email me at boscony[@]yahoo.com

  15. Kikolani

    May 12th, 2009

    @Sire: I’m just doing a guest post here actually, but it was my main site that was affected by this. Fortunately, I got it cleared up quickly.

    @Andy: It was my domain that was affected, but it is taken care of now. A protection on the local pc would certainly be nice.

    @Mark: I think I still have a copy of the malicious code somewhere on my laptop. Good suggestion, I’ll be sure to do that. Thanks!

    @Michael: That would be nice. Spyware detection for WordPress.

    @Thomas: I guess it can affect any site running mainly on PHP. Thanks for the heads up!

  16. Colin

    May 12th, 2009

    That is a really scary thing and something that many of us will be keeping an eye on.

    I have had 3 WordPress-Specific SQL Injection Attacks but managed to keep them out and regular backups are essential as is changing passwords.

    Some useful tips should any of us ever encounter such an attack.

  17. […] about the attack last weekend on her well known Kikolani Blog on the Art of Blogging by the PHP Script Injection Exploit in WordPress 2.7.1.  Kristi explains how she restored her blog and dealt with the issue. The UnMask Parasites blog […]

  18. Colin

    May 12th, 2009

    Update: after my last comment, this evening at around 9.30pm I started getting warning that I was under a sustained attempted SQL Injection attack. Just after midnight and 190 separate attempts which I expect to continue for a while yet!

    Could be a long night :(

  19. Dicky

    May 12th, 2009

    I encountered the same problem before. It automatically added a JavaScript at the end of each .php file. I had to delete everything, including other sites on the same hosting server. Luckily I had my backup run every week.

  20. Kikolani

    May 12th, 2009

    @Colin: Yipes… good luck working with that.

    @Dicky: While I do say backups are important, the problem with this scenario is if I had backed up the php files with the script injection included. Then even the backups would be corrupted.

  21. Colin

    May 13th, 2009

    @ Kristi – Thanks. As of this morning it was just under 600 different malformed IPs that attempted an SQL Injection.

    It seems to have abated at the moment and as a security precaution I have changed my passwords, which I do weekly anyway :)

  22. Websites That Succeed

    May 13th, 2009

    Great topic. I am always looking for new stuff online and this is great. Thanks for writing

  23. Kikolani

    May 14th, 2009

    @Colin: I should be more vigilant about changing my password that often. Thanks for the reminder!

    @Websites: You’re welcome.

  24. Daniel Brenton

    May 14th, 2009

    Kristi —

    Thank you for sharing this experience. I saw your “trail” in a number of places regarding this. Very thorough, and very appreciated.

    –Daniel

  25. Top Web Hosting Companies

    May 17th, 2009

    Thanks for the effort of sharing your experience Jonathan. It is really such a mess to deal with these types of hacking specially for non-coding person like me. Because of this post I felt the urgency to upgrade my blog and installed more safety plug-ins. Thanks a lot!

  26. Patrick

    May 19th, 2009

    I had this today. Many .php files have changed with this site at the bottom of them.

    An iframe hidden with this destination:
    src="http://technologybigtop.cn:8080/ts/in.cgi?pepsi14"

    Any idea if it’s SQL or PHP injection?

    I can say it was not clean and my site was not working (error in php)

    What can I do to prevent any new attempt?

    Thanks,
    Patrick

  27. Tammara

    Jun 4th, 2009

    Hey Patrick,
    I had the same exact script you mentioned, which attacked my WP 2.7.1 site over last weekend. It planted iframes into numerous php files above the header, and a script in the bottom below the closing tag. It contaminated many of the php files throughout my site, and successfully outsmarted BadBehavior.

    Still in the process of cleaning up, and like Kikolani stated, I also found it in the themes php files and plugins. When it hit my site I was also unable to access the WP Admin dashboard, and it went into my rss feed files.

    This was my first experience with getting hit, and although it’s been a good learning experience, it hasn’t been fun! :( First lesson I learned was, “Don’t panic!” Lol.

  28. cerverg

    Jun 6th, 2009

    Change the permissions on all .php files to 444 (read only).
    644 does not help. This thing is not attacking only blogs. It’s turning into a nightmare. 4 of my websites were attacked.
    That might be of help.

  29. Brian

    Jun 7th, 2009

    Thanks for this post. While my issue wasn’t exactly the same, it does appear to have been a php script injection issue, and your post helped me find it. Almost done reloading 2.7.1 in 15 blogs. Gotta get after those user names, passwords, etc. now!

  30. Dragon Blogger

    Jun 8th, 2009

    Good information, people need to beware of sql injection type stuff, and make sure their .php files aren’t tampered with. People forget about security thinking “it’s just a blog” but we have to remember what can happen when things go wrong.

    Glad you got everything in working order, did you ever find the exact source that caused the problem in the first place?

  31. […] Re: WARNING – WORDPRESS.COM HAS JS REDIRECT VIRUS ON IT Possibly the problem? PHP Script Injection Exploit in WordPress 2.7.1 | TechJaws: Internet Security and SEO […]

  32. Martin Luxton

    Jun 12th, 2009

    I experienced something similar with Kaspersky this week. It flagged ad.doubleclick.net redirects on bbc.co.uk and apple.com as phishing sites.

    I phoned doubleclick about it and seems to have cleared up.

  33. […] PHP Script Injection Exploit in WordPress 2.7.1 […]

  34. Trisha

    Jun 19th, 2009

    THANKS SO MUCH! What a relief. I’ve been having to delete my WP installs after this injector breaks my script!

    any ideas on security in 2.8???

    • Frank J

      Jun 19th, 2009

      Trisha,

      You are very welcome! Thank you for your comments.

  35. Trisha

    Jun 26th, 2009

    Hey all. I’ve been looking into plugins for extra security in 2.8 and I found two that look excellent…

    1. secure wordpress – for general security
    2. user locker – to help block brute force attacks on login.

    I’ve also been adding the following to the .htaccess file at root (replaces index.html in all directories) and chmod to 644:

    Options All -Indexes

    best of luck to everyone!!!

  36. Me on the Net

    Jul 3rd, 2009

    Hello, it is my first time visiting here, it’s a great site with great articles, thanks for sharing.

  37. Mike

    Aug 12th, 2009

    I’ve been hit with this hack too.

    Though the title makes it seem like it’s a WordPress 2.7.1 bug. Instead it’s your local PC and Adobe Reader.

    thanks