This blog was hacked

Posted on November 14, 2007 by Howard Owens

So, for the first time I know of, a site I control has been hacked.

I got a message from Google today saying howardowens.com was being removed from the index for use of hidden text (in this case, links and text for viagra).

I’m like, WTF?

Sure enough, I checked the source code and there it was.

As near as I can tell, somebody managed to get FTP access to my server and modified the following files: classes.php, default-filters.php, functions.php, gettext.php, wp-db.php. The hacker also created a file called class-mail.php, and that file was encrypted.

I’ve restored backup files and changed the FTP passwords.

I’m posting this to warn other WP bloggers about the exploit. Check those files. Make sure you’re FTP password is strong, disable anonymous FTP, and make sure there’s no hidden text in your source code.

Hopefully, it won’t be too much of a hassle to get re-indexed by Google.

UPDATE II: You don’t see update I, because it wasn’t part of my database back up, but it noted that after talking with my host, I learned that it wasn’t likely an FTP hack, but a WordPress hack, because I hadn’t upgraded WP. The upgrade is now complete … fair less painless than I anticipated (which is why I hadn’t done it before), and things seem back to normal.

Share on TwitterShare via email
This entry was posted in Uncategorized and tagged . Bookmark the permalink.
  • shawn smith

    Wow! I’m sorry to hear that Howard. Where was the text located? In each post? In the header? Really not cool. Think it was in your template when you installed it on wordpress? I’m going to scan mine for sure. You got my link still! :)

  • http://www.seanblanda.com/blog Sean Blanda

    This makes me feel like my neighbor’s house just got robbed.

    Now I’m paranoid…

  • http://www.robbmontgomery.com robb montgmery

    I hve suffered worm “Injection” aatacks, and other input exploits over the years running PHPBB – this is the first WP attack and it makes me nervous for all the installs I have up.

    Do you know what version of WP closes the vulnerability?

  • http://www.wmhartnett.com/2007/11/15/links-for-2007-11-15/ links for 2007-11-15 : William M. Hartnett

    [...] This blog was hacked – howardowens.com Make sure those WordPress installs are up to date, people! Speaking of which … (tags: wordpress) [...]

  • http://blog.fabrice-pascal.de LANtastic

    The same happened to me. I have abolute no clue what happend and how it happened. The only thing I know, the file class-mail.php has been created and the file class.php was modified. All file and folder permissions on my server where set correctly. So there seems to be a severe security hole in wp 2.3.1

  • http://www.chadwickwood.com/ Chadwick Wood

    The same happened to me… just discovered it today! I found your blog through a google search about it. I use Dreamhost for my hosting. You? I wouldn’t think that some sort of worm injection could modify the files it did… but I don’t know all the ins and outs of how WordPress works…

  • http://adrianspender.com/blog Adrian Spender

    Also had my blog hacked with the same method. Fortunately they didn’t do a very good job and it caused a PHP error which meant my blog didn’t even load. <a href=”http://adrianspender.com/blog/2007/11/30/blog-error/”Details here.

  • http://www.neilsattin.com Neil

    Did y’all ever figure out what the culprit was? My wife’s blog got hacked this way. I’ve fixed it (and upgraded to the latest vsn of WordPress) – but wonder if anyone has actually figured out how that class-mail.php file got there in the first place?

  • http://www.howardowens.com/ Howard Owens

    I’m not really sure.

  • http://www.kuttisme.no/2008/04/06/kuttisme-er-utestengt-fra-google/ Kuttisme er utestengt fra Google – Kuttisme.no – En blogg om

    [...] Dette er jo interessant.  Hva gjør vi med det? Først må vi finne ut hvorfor vi har blitt utestengt. Første tanke er at artikkelen om Dyre klikk i Google var årsaken, men den artikkelen inneholdt ikke ordene som Google nevner i beskjeden i Webmaster Central. En annen forklaring kan være at WordPress (programmet vi benytter for å blogge), ble hacket for en stund siden. Det har skjedd med andre tidligere. [...]

  • http://www.cjohansen.no Christian

    This has happened to me some time ago too. What I find shocking here is that Google will automatically block you from indexing for something like this. No warnings, no nothing, just BAM!

  • h4ckz0rs

    “but wonder if anyone has actually figured out how that class-mail.php file got there in the first place”

    If the web server that executes the vulnerable php script is allowed to write to the directory in question, an exploiting party could easily create and write contents to a new file, call the file class-mail.php and execute it.