Sunday 2 February 2014

Verifying that I have fully removed a WordPress hack?

04:11  tetst  No comments

My for-fun WordPress blog at http://fakeplasticrock.com (running WordPress 3.1.1) got hacked -- it was showing an <iframe> on every page like so:
<iframe src="http://evilsite.com/go/1"></iframe>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
I did the following
  1. Upgraded to 3.1.3 via the built-in WordPress upgrade system
  2. Installed the Exploit Scanner (lots of critical warnings on unusual files) and AntiVirus (this showed all green and clean, so I uninstalled and removed it after running)
  3. Changed MySQL password.
  4. Changed all WordPress user passwords.
  5. Connected via FTP and downloaded the whole filesystem (not large, this is a WordPress-only Linux shared host)
  6. Diffed the filesystem against an official ZIP of WordPress 3.1.3 and removed or overwroteanything that did not match.
I am quite sure that
  • all the files on disk are official WordPress 3.1.3 files
  • there are no "extra" files on disk other than my one /theme, the Exploit Scanner plugin (which I just downloaded), the /uploads folder, and a tiny handful of other expected files. My other plugin, wp-recaptcha, matches the current official downloaded version.
  • I also checked the .htaccess file and nothing looks wrong there
wordpress 3.1.3 file compare in Beyond Compare
I did not touch the database, but I am struggling to think how anything in the database could be malicious without special PHP code to make it work?
My WordPress blog appears OK and hack-free now (I think), but is there anything else I should check?
 

ANSWER:-

ooking at the Google Chrome "safe browsing" message, you're getting the ".cc iFrame hack" that seems to be going around a LOT lately. I think 3.1.3 will fix this, but check your index.php file in the root if your site, that's where it kept hitting me until I got EVERYTHING updated and passwords changed.
There is some VERY tricky stuff folks can do with post and comment injections. You can run the following queries against your database to help find some of them I blogged the rest of my "tracking" here.
SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<?%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<?php%'
SELECT * FROM wp_comments WHERE comment_content LIKE '%<iframe%'
UNION
SELECT * FROM wp_comments WHERE comment_content LIKE '%<noscript%'
UNION
SELECT * FROM wp_comments WHERE comment_content LIKE '%display:%'
UNION
SELECT * FROM wp_comments WHERE comment_content LIKE '%<?%'
UNION
SELECT * FROM wp_comments WHERE comment_content LIKE '%<?php%'

Posted in:

0 comments:

Post a Comment

Twitter Delicious Facebook Digg Stumbleupon Favorites More