So finally I had to take Stefan’s advice. Having upgraded to Wordpress 2.8.5 over at the Free Our Data blog (where I’ve been having problems with a hacker who’s been inserting spam links invisibly into the end of the page), I …
Oh. And while I was writing that, I noticed - from the FTP transfer that was going on to do a second comparison - that there are a ton of spam pages in the site. Sodding hackers.
Anyway. I downloaded the entire blog content, and then ran a diff - that is, Filemerge (which comes with the Apple Developer Tools, free on your OSX install disk). It compares the content of any set of files, or directories.
Of course the site I’d downloaded was pretty old, and had been upgraded loads of times, so there were loads of files that were on the left (old) and not on the right (new). They just hadn’t been deleted.
Slogging on… I came across a Wordpress page which explains which files have been deleted in the move up from 2.7 to 2.8. It’s a useful list and I was working my way through it. Slowly.
By now I’d got to
blog/wp-includes/js/tinymce/themes/advanced/skins/o2k7/ and was starting to marvel at how deep Wordpress is. When I came across a rather odd one - ui.php - which had the interesting opening:
Codz by angel(4ngel)
Make in China
Hmm, is it very likely that a valid Wordpress file would really have that sort of comment? And more telling was that when you loaded it in a PHP editor with live PHP generation, you get this:
Which in essence says: oh, lordy, you’ve been hacked.
Much digging around followed. It’s a fascinating file: it allows the hacker to download your database, and possibly upload chunks as well. I’m going to have to do an SQL dump now to see whether the content of older posts has been hacked (a favourite trick, apparently).
I also discovered a slew of website pages hidden in a directory called “Online” in the “Default” theme folder - which of course every Wordpress install will generally have, so that’s a smart place to put it. (That also makes it a good one to delete.)
But as far as I can tell, the site is clean now. My best guess for how they did this is that it was one of the Wordpress weaknesses via user registration - this one? This one? There are so many to choose from - and that it’s been sitting there for an age, just waiting to be exploited, or perhaps being exploited and I didn’t spot it. (Certainly neither Google’s indexing nor I discovered the hack of the /default/images folder - which is intriguing. Have you checked that folder lately?)
I hope this is the end of the tale. I’m not pinning everything on it though.
One other point: thanks again to Stefan Pause, who has helped a lot on this (what’s your site, Stefan?) I’m now alerted to the Wordpress Exploit Scanner plugin, which will look through your site and find any suspicious CSS, HTML or similar. It reckons that there’s nothing suspicious in the older posts. Good-o, though I’d like to (and will) make sure myself.
Endnote: interestingly, Google won’t allow the ui.php file to be emailed, even in zip form. (I wanted to send it to my web host to explain what I’d found and tell them to search for it.) So obviously Google Mail’s already got some sort of hashing going on to detect malware being passed around. Impressive.
The hackers? Boring, really, that this sort of endless diversion from site to site is how they make their money. All that enthusiasm and knowledge and ability, turned to trying to persuade people lacking self-esteem to buy pills of unknown quality from sites of extremely dubious status. Isn’t there something better we could do with all our time here?
Super-endnote: And then I find another file - this one at /wp-includes/Text/Renderer/Diff/ where there was one called online.php (a bit of a clue by now, because it’s all about “online” crap these guys are selling.)
The WP Exploit Scanner tipped me off - it notes that it’s a base_64 command, which usually means “something to hide”.
(You can see the full-size thing at Flickr.) And hey - what is it about hackers and the black backgrounds? Too much watching the Matrix, I think. Forget it, guys - you’re not The One, you’re pushing junk pills.
- These posts might be related (the database thinks..):
- Cat and mouse with a hacker (13 September 2009; score: 50.62%)
- Tricks of the Trade (26 August 2004; score: 37.82%)
- The hacker leaves more footprints... but how many sites have this problem? (16 October 2009; score: 33.34%)