This blog was hacked

So, for the first time I know of, a site I control has been hacked.

I got a message from Google today saying was being removed from the index for use of hidden text (in this case, links and text for viagra).

I’m like, WTF?

Sure enough, I checked the source code and there it was.

As near as I can tell, somebody managed to get FTP access to my server and modified the following files: classes.php, default-filters.php, functions.php, gettext.php, wp-db.php. The hacker also created a file called class-mail.php, and that file was encrypted.

I’ve restored backup files and changed the FTP passwords.

I’m posting this to warn other WP bloggers about the exploit. Check those files. Make sure you’re FTP password is strong, disable anonymous FTP, and make sure there’s no hidden text in your source code.

Hopefully, it won’t be too much of a hassle to get re-indexed by Google.

UPDATE II: You don’t see update I, because it wasn’t part of my database back up, but it noted that after talking with my host, I learned that it wasn’t likely an FTP hack, but a WordPress hack, because I hadn’t upgraded WP. The upgrade is now complete … fair less painless than I anticipated (which is why I hadn’t done it before), and things seem back to normal.

12 thoughts on “This blog was hacked

  1. Wow! I’m sorry to hear that Howard. Where was the text located? In each post? In the header? Really not cool. Think it was in your template when you installed it on wordpress? I’m going to scan mine for sure. You got my link still! :)

  2. I hve suffered worm “Injection” aatacks, and other input exploits over the years running PHPBB – this is the first WP attack and it makes me nervous for all the installs I have up.

    Do you know what version of WP closes the vulnerability?

  3. The same happened to me. I have abolute no clue what happend and how it happened. The only thing I know, the file class-mail.php has been created and the file class.php was modified. All file and folder permissions on my server where set correctly. So there seems to be a severe security hole in wp 2.3.1

  4. The same happened to me… just discovered it today! I found your blog through a google search about it. I use Dreamhost for my hosting. You? I wouldn’t think that some sort of worm injection could modify the files it did… but I don’t know all the ins and outs of how WordPress works…

  5. Also had my blog hacked with the same method. Fortunately they didn’t do a very good job and it caused a PHP error which meant my blog didn’t even load. <a href=””Details here.

  6. Did y’all ever figure out what the culprit was? My wife’s blog got hacked this way. I’ve fixed it (and upgraded to the latest vsn of WordPress) – but wonder if anyone has actually figured out how that class-mail.php file got there in the first place?

  7. […] Dette er jo interessant.  Hva gjør vi med det? Først må vi finne ut hvorfor vi har blitt utestengt. Første tanke er at artikkelen om Dyre klikk i Google var årsaken, men den artikkelen inneholdt ikke ordene som Google nevner i beskjeden i Webmaster Central. En annen forklaring kan være at WordPress (programmet vi benytter for å blogge), ble hacket for en stund siden. Det har skjedd med andre tidligere. […]

  8. This has happened to me some time ago too. What I find shocking here is that Google will automatically block you from indexing for something like this. No warnings, no nothing, just BAM!

  9. “but wonder if anyone has actually figured out how that class-mail.php file got there in the first place”

    If the web server that executes the vulnerable php script is allowed to write to the directory in question, an exploiting party could easily create and write contents to a new file, call the file class-mail.php and execute it.

Leave a Reply